Protect your data, get rid of vulnerabilities and prepare against threats: take the Cyber Resilience Act compliance checklist to verify if your company, product or software are CRA ready!
Identify any requirements that may be missing to take swift action and be ready on time.
Manufacturers of products not classified as Critical Products or Important Products Class II can self-assess their compliance with the CRA’s requirements.
You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.
Additionally, manufacturers of Important Products Class I who either conform fully to an harmonised standard or conform to common specifications or has a European cybersecurity certification, can also self-assess their compliance with the CRA’s requirements.
⚠️ Manufacturers of Important Products Class I who have not applied or have applied only in part to harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third party assessment (see “Important and Critical Products tab”).
In any case, manufacturers of non-Important Products may choose to undergo the same assessment process as Important Products, wherein compliance with the CRA is assessed by a notified body. In this case, they will need to select between two main modules, B or H, that are further described in the Important and Critical products tab and for which requirements differ from those described below.
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Self-assessment | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Self-assessment | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Self-assessment | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Self-assessment | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Self-assessment | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Self-assessment | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Self-assessment | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Self-assessment | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Self-assessment | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Self-assessment | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Self-assessment | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Self-assessment | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Self-assessment | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Self-assessment | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Self-assessment | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-assessment | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Self-assessment | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Self-assessment | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Self-assessment | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Self-assessment | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Self-assessment | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Self-assessment | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | - | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | self-written | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | self-written | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | self-written | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | self-written | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | self-written | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | self-written | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | self-written | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | self-written | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | self-written | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | self-written | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | self-written | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | self-written | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | self-written | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | self-written | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 17 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | if applicable | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part I, §4.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | - | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | self-written | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | self-written | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | self-written | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | self-written | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | self-written | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | self-written | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | self-written | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | self-written | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-written | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | self-written | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | self-written | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | self-written | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | if applicable | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | if applicable | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | self-written |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
Manufacturers of Important Products Class I (if their products do not fully conform to harmonized standards or common specification or have not been certified with a European Cybersecurity Certification), Important Products Class II and Critical Products must undergo an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.
⚠️ As of November 2024, no notified body has been announced.
You can check the Annex III of the regulation for a list of Important Products.
Additionally, manufacturers of Critical Products could be required in the future to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ instead of undergoing the CRA’s dedicated assessment modules (see below); this is according to article 27(9). However, as of November 2024, the Commission has not yet adopted delegated acts that are required to determine which products are concerned and what certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products can follow the same certification procedures as Important Products.
⚠️ Once delegated acts are published and we know more about these certifications schemes, this web page will be updated.
You can check the Annex IV of the regulation for a list of Critical Products.
What are the paths to third party assessment ?
Manufacturers of Important and Critical Products can freely choose among two paths for the assessment of their products: module B (or module B + module C) and module H.
Hence, while module B focuses on the hardware itself, module H looks at the manufacturer’s processes (i.e: the quality system) as the basis for compliance with the CRA.
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Assessed by notified body | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Assessed by notified body | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Assessed by notified body | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Assessed by notified body | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Assessed by notified body | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Assessed by notified body | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Assessed by notified body | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Assessed by notified body | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Assessed by notified body | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Assessed by notified body | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Assessed by notified body | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Assessed by notified body | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Assessed by notified body | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Assessed by notified body | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Assessed by notified body | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Assessed by notified body | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Assessed by notified body | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Assessed by notified body | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Assessed by notified body | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Assessed by notified body | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Assessed by notified body | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Assessed by notified body | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | '- | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Assessed by notified body, as part of the Technical Documentation | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Assessed by notified body, as part of the Technical Documentation | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Assessed by notified body, as part of the Technical Documentation | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | Assessed by notified body, as part of the Technical Documentation | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Assessed by notified body, as part of the Technical Documentation | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Assessed by notified body, as part of the Technical Documentation | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | Assessed by notified body, as part of the Technical Documentation | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | Assessed by notified body, as part of the Technical Documentation | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | Assessed by notified body, as part of the Technical Documentation | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | Assessed by notified body, as part of the Technical Documentation | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | Assessed by notified body, as part of the Technical Documentation | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | Assessed by notified body, as part of the Technical Documentation | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | Assessed by notified body, as part of the Technical Documentation | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | Assessed by notified body, as part of the Technical Documentation | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 49 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | mandatory | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part II, §10 and Part III, §3.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | '- | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | Assessed by notified body | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | Assessed by notified body | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | Assessed by notified body | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | Assessed by notified body | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | Assessed by notified body | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | Assessed by notified body | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | Assessed by notified body | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | Assessed by notified body | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-Assessed by notified body | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | Assessed by notified body | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | Assessed by notified body | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | Assessed by notified body | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | Assessed by notified body | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | Assessed by notified body | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | Assessed by notified body |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 3 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: | Annex VIII, Part II, §3 | - | |
| 4 | the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative; | Annex VIII, Part II, §3.1 | - | |
| 5 | a written declaration that the same application has not been lodged with any other notified body; | Annex VIII, Part II, §3.2 | - | |
| 6 | the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII; | Annex VIII, Part II, §3.3 | - | |
| 7 | the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility. | Annex VIII, Part II, §3.4 | - | |
| 8 | The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate. | Annex VIII, Part II, §7 | - | |
| 9 | The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. | Annex VIII, Part II, §10 | - | |
| 1 | EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I. | Annex VIII, Part II, §1 | - | |
| 2 | EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type). | Annex VIII, Part II, §2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | - | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | Self-written, based on a previously received EU-type certificate for the same type of product (module B) | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 17 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | mandatory | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part II, §10 and Part III, §3.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | - | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | Self-written, based on a previously received EU-type examination certificate for the same type of product (module B) |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system.assessment | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | '- | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Assessed by notified body, as part of the Technical Documentation | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Assessed by notified body, as part of the Technical Documentation | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Assessed by notified body, as part of the Technical Documentation | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | Assessed by notified body, as part of the Technical Documentation | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Assessed by notified body, as part of the Technical Documentation | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Assessed by notified body, as part of the Technical Documentation | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | Assessed by notified body, as part of the Technical Documentation | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | Assessed by notified body, as part of the Technical Documentation | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | Assessed by notified body, as part of the Technical Documentation | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | Assessed by notified body, as part of the Technical Documentation | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | Assessed by notified body, as part of the Technical Documentation | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | Assessed by notified body, as part of the Technical Documentation | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | Assessed by notified body, as part of the Technical Documentation | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | Assessed by notified body, as part of the Technical Documentation | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 49 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | mandatory | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part II, §10 and Part III, §3.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | '- | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | Assessed by notified body | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | Assessed by notified body | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | Assessed by notified body | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | Assessed by notified body | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | Assessed by notified body | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | Assessed by notified body | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | Assessed by notified body | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | Assessed by notified body | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-Assessed by notified body | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | Assessed by notified body | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | Assessed by notified body | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | Assessed by notified body | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | Assessed by notified body | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | Assessed by notified body | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | Assessed by notified body |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 3 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: | Annex VIII, Part IV, §3.1 | - | |
| 4 | (a) the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative; | Annex VIII, Part IV, §3.1 (a) | - | |
| 5 | (b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII; | Annex VIII, Part IV, §3.1 (b) | - | |
| 6 | (c) the documentation concerning the quality system; and | Annex VIII, Part IV, §3.1 (c) | - | |
| 7 | (d) a written declaration that the same application has not been lodged with any other notified body. | Annex VIII, Part IV, §3.1 (d) | - | |
| 8 | The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of: | Annex VIII, Part IV, §3.2 | - | |
| 9 | (a) the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling; | Annex VIII, Part IV, §3.2 (a) | - | |
| 10 | (b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met; | Annex VIII, Part IV, §3.2 (b) | - | |
| 11 | (c) the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met; | Annex VIII, Part IV, §3.2 (c) | - | |
| 12 | (d) the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered; | Annex VIII, Part IV, §3.2 (d) | - | |
| 13 | (e) the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used; | Annex VIII, Part IV, §3.2 (e) | - | |
| 14 | (f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out; | Annex VIII, Part IV, §3.2 (f) | ||
| 15 | (g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned; | Annex VIII, Part IV, §3.2 (g) | ||
| 16 | (h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system. | Annex VIII, Part IV, §3.2 (h) | ||
| 17 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, Part IV, §3.4 | ||
| 18 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. | Annex VIII, Part IV, §3.5 | ||
| 19 | Surveillance under the responsibility of the notified body: The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular: | Annex VIII, Part IV, §4.2 | ||
| 20 | (a) the quality system documentation;. | Annex VIII, Part IV, §4.2 (a) | ||
| 21 | (b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests; | Annex VIII, Part IV, §4.2 (b) | ||
| 22 | (c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned. | Annex VIII, Part IV, §4.2 (c) | ||
| 1 | Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I. | Annex VIII, Part IV, §1 | ||
| 2 | The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4. | Annex VIII, Part IV, §2 |
Companies developing software not classified as Critical Products or Important Products Class II can self-assess their software compliance with the CRA’s requirements.
You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.
Companies developing software classified as Important Products Class I who either conform fully to an harmonised standard or conform fully to common specifications or has a European cybersecurity certification, can also self-assess their compliance with the CRA’s requirements.
⚠️ Software developers of Important Products Class I who have not applied or have applied only in part harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third party assessment (see “Important and Critical software tab”)
In any case, software developers of non-Important Products may choose to undergo the same assessment process as Important and Critical Products, wherein compliance with the CRA is assessed by a notified body.
Check the Important and Critical software tab to read more on third-party assessment.
| ID | Requirement | Reference | Comment | |
|---|---|---|---|---|
| 1 | Software developers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the software developer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 3 | When placing a product with digital elements on the market, the software developer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the software developer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 4 | The software developer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | '- | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Self-assessment | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Self-assessment | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Self-assessment | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Self-assessment | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Self-assessment | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Self-assessment | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Self-assessment | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Self-assessment | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Self-assessment | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Self-assessment | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Self-assessment | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Self-assessment | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Self-assessment | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Self-assessment | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Self-assessment | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-assessment | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where software developers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Self-assessment | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Self-assessment | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Self-assessment | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Self-assessment | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between the software developer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Self-assessment | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Self-assessment | |
| 16 | Developers of software with digital elements shall: | Annex I - Part II | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | - | |
| 2 | 1. the name, registered trade name or registered trademark of the software developer, and the postal address, the email address or other digital contact as well as, where available, the website at which the software developer can be contacted; | Annex II, §1 | self-written | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the software developer's policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | self-written | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | self-written | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the software developer , as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | self-written | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | self-written | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | self-written | |
| 8 | 7. the type of technical security support offered by the software developer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | self-written | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | self-written | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | self-written | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | self-written | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | self-written | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | self-written | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | self-written | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | self-written | |
| 16 | 9. If the software developer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 17 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | '- | |
| 3 | (2) Name and address of the software developer or its authorised representative | Annex V, §2 | '- | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | '- | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | '- | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | '- | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | if applicable | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | '- | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of software developer ] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The software developer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part I, §4.2 | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | '- | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | self-written | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | self-written | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | self-written | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | self-written | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | self-written | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | self-written | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | self-written | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the software developer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | self-written | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-written | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | self-written | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | self-written | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | self-written | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | if applicable | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | if applicable | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | self-written |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A software developer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The software developer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the software developer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the software developer becoming aware of it, indicating, where applicable, the Member States on the territory of which the software developer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the software developer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the software developer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A software developer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The software developer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the software developer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the software developer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the software developer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the software developer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the software developer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the software developer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the software developer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Software developers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Software developers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
Companies developing software products classified as Important Products Class I (if their software products do not fully conform to harmonized standards or common specification or have not been certified with a European Cybersecurity Certification), Important Products Class II and Critical Products must undergo an external assessment process conducted by a notified body responsible for verifying the compliance of the software products with the requirements of the CRA.
⚠️ As of November 2024, no notified body has been announced.
You can check the Annex III of the regulation for a list of Important Products.
Additionally, companies developing software products classified as Critical Products could be required in the future to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ instead of undergoing the CRA’s dedicated assessment modules (see below); this is according to article 27(9). However, as of November 2024, the Commission has not yet adopted delegated acts that are required to determine which products are concerned and what certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products can follow the same certification procedures as Important Products.
⚠️ Once delegated acts are published and we know more about these certifications schemes, this web page will be updated.
You can check the Annex IV of the regulation for a list of Critical Products.
What are the paths to third party assessment ?
Companies developing software products classified as Important and Critical Products can freely choose among two paths for the assessment of their software products: module B (or module B + module C) and module H.
| ID | Requirement | Reference | Comment | |
|---|---|---|---|---|
| 1 | Software developers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the software developer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 3 | When placing a product with digital elements on the market, the software developer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the software developer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| 4 | The software developer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products | ▢ |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Assessed by notified body | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between the software developer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to itsoriginal state; | Annex I, Part 1 §2b | Assessed by notified body | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Assessed by notified body | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Assessed by notified body | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Assessed by notified body | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Assessed by notified body | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Assessed by notified body | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Assessed by notified body | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Assessed by notified body | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Assessed by notified body | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Assessed by notified body | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Assessed by notified body | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Assessed by notified body | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Assessed by notified body | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Assessed by notified body | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Assessed by notified body | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where software developers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Assessed by notified body | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Assessed by notified body | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Assessed by notified body | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Assessed by notified body | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a software developer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Assessed by notified body | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Assessed by notified body | |
| 16 | Software developers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | '- | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Assessed by notified body, as part of the Technical Documentation | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Assessed by notified body, as part of the Technical Documentation | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Assessed by notified body, as part of the Technical Documentation | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | Assessed by notified body, as part of the Technical Documentation | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Assessed by notified body, as part of the Technical Documentation | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Assessed by notified body, as part of the Technical Documentation | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | Assessed by notified body, as part of the Technical Documentation | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | Assessed by notified body, as part of the Technical Documentation | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | Assessed by notified body, as part of the Technical Documentation | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | Assessed by notified body, as part of the Technical Documentation | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | Assessed by notified body, as part of the Technical Documentation | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | Assessed by notified body, as part of the Technical Documentation | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | Assessed by notified body, as part of the Technical Documentation | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | Assessed by notified body, as part of the Technical Documentation | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 49 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | if applicable | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part I, §4.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | '- | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | Assessed by notified body | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | Assessed by notified body | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | Assessed by notified body | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | Assessed by notified body | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | Assessed by notified body | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | Assessed by notified body | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | Assessed by notified body | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | Assessed by notified body | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-Assessed by notified body | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | Assessed by notified body | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | Assessed by notified body | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | Assessed by notified body | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | Assessed by notified body | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | Assessed by notified body | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | Assessed by notified body |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 3 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: | Annex VIII, Part II, §3 | - | |
| 4 | the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative; | Annex VIII, Part II, §3.1 | - | |
| 5 | a written declaration that the same application has not been lodged with any other notified body; | Annex VIII, Part II, §3.2 | - | |
| 6 | the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII; | Annex VIII, Part II, §3.3 | - | |
| 7 | the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility. | Annex VIII, Part II, §3.4 | - | |
| 8 | The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate. | Annex VIII, Part II, §7 | - | |
| 9 | The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. | Annex VIII, Part II, §10 | - | |
| 1 | EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I. | Annex VIII, Part II, §1 | - | |
| 2 | EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type). | Annex VIII, Part II, §2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | - | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | self-written | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | self-written | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | self-written | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | self-written | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | self-written | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | self-written | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | self-written | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | self-written | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | self-written | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | self-written | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | self-written | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | self-written | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | self-written | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | self-written | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 17 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the manufacturer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | mandatory | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part II, §10 and Part III, §3.2 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | - | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | self-written | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | self-written | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | self-written | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | self-written | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | self-written | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | self-written | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | self-written | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | self-written | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-written | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | self-written | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | self-written | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | self-written | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | if applicable | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | if applicable | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | self-written |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. | article 13(2) | self-written - to be reviewed by notified body for critical and important products | |
| 2 | The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I. | Article 13(3) | self-written - to be reviewed by notified body for critical and important products | |
| 3 | When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation. | Article 13(4) | self-written - to be reviewed by notified body for critical and important products | |
| 4 | The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products | Article 13(7) | self-written - to be reviewed by notified body for critical and important products |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: | Annex I, Part 1 §2 | - | |
| 3 | (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Part 1 §2a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 4 | (b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Part 1 §2b | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 5 | (c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex 1, Part 1 §2c | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 6 | (d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Part 1 §2d | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 7 | (e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Part 1 §2e | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 8 | (f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Part 1 §2f | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 9 | (g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation); | Annex I, Part 1 §2g | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 10 | (h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Part 1 §2h | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 11 | (i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Part 1 §2i | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 12 | (j) be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Part 1 §2j | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 13 | (k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Part 1 §2k | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 14 | (l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Part 1 §2l | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 15 | (m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Part 1 §2m | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 18 | (2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Part 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 17 | (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Part 2 §2 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 19 | (3) apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Part 2 §3 | Self-Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system.assessment | |
| 20 | (4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Part 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 21 | (5) put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Part 2 §5 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 22 | (6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Part 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 23 | (7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Part 2 §7 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 24 | (8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Part 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Part 1 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 16 | Manufacturers of products with digital elements shall: | Annex I - Part II | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | At minimum, the product with digital elements shall be accompanied by: | Annex II | '- | |
| 2 | 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Assessed by notified body, as part of the Technical Documentation | |
| 3 | 2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Assessed by notified body, as part of the Technical Documentation | |
| 4 | 3. name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Assessed by notified body, as part of the Technical Documentation | |
| 5 | 4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | Assessed by notified body, as part of the Technical Documentation | |
| 6 | 5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Assessed by notified body, as part of the Technical Documentation | |
| 7 | 6. where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Assessed by notified body, as part of the Technical Documentation | |
| 8 | 7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex VI, §7 | Assessed by notified body, as part of the Technical Documentation | |
| 9 | 8. detailed instructions or an internet address referring to such detailed instructions and information on: | Annex II, §8 | Assessed by notified body, as part of the Technical Documentation | |
| 10 | (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8 (a) | Assessed by notified body, as part of the Technical Documentation | |
| 11 | (b) how changes to the product with digital elements can affect the security of data; | Annex II, §8 (b) | Assessed by notified body, as part of the Technical Documentation | |
| 12 | (c) how security-relevant updates can be installed; | Annex II, §8 (c) | Assessed by notified body, as part of the Technical Documentation | |
| 13 | (d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8 (d) | Assessed by notified body, as part of the Technical Documentation | |
| 14 | (e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off; | Annex II, §8 (e) | Assessed by notified body, as part of the Technical Documentation | |
| 15 | (f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8 (f) | Assessed by notified body, as part of the Technical Documentation | |
| 16 | 9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | Not mandatory | |
| 49 | The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation. | Annex VII, §1 (d) | '- |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: | Annex V | The EU Declaration of conformity is self-written | |
| 2 | (1) Name and type and any additional information enabling the unique identification of the product with digital elements | Annex V, §1 | - | |
| 3 | (2) Name and address of the software developer or its authorised representative | Annex V, §2 | - | |
| 4 | (3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider | Annex V, §3 | - | |
| 5 | (4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate) | Annex V, §4 | - | |
| 6 | (5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation | Annex V, §5 | - | |
| 8 | (7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued | Annex V, §7 | mandatory | |
| 10 | SIMPLIFIED EU DECLARATION OF CONFORMITY | Annex VI | Only for SMEs and micro-enterprises | |
| 7 | (6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared | Annex V, §6 | if applicable | |
| 9 | (8) Additional information: | Annex V, §8 | - | |
| 11 | The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of software developer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: … | Annex VI | self-written | |
| 12 | The software developer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, Part IV, §5 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements: | Annex VII | '- | |
| 2 | 1. a general description of the product with digital elements, including: | Annex VII, §1 | Assessed by notified body | |
| 3 | (a) its intended purpose; | Annex VII, §1 (a) | Assessed by notified body | |
| 4 | (b) versions of software affecting compliance with essential cybersecurity requirements; | Annex VII, §1 (b) | Assessed by notified body | |
| 5 | (c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, §1 (c) | Assessed by notified body | |
| 6 | (d) user information and instructions as set out in Annex II; | Annex VII, §1 (d) | Assessed by notified body | |
| 7 | 2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: | Annex VII, §2 | Assessed by notified body | |
| 8 | (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, §2 (a) | Assessed by notified body | |
| 9 | (b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, §2 (b) | Assessed by notified body | |
| 10 | (c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, §2 (c) | self-Assessed by notified body | |
| 11 | 3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable; | Annex VII, §3 | Assessed by notified body | |
| 12 | 4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements; | Annex VII, §4 | Assessed by notified body | |
| 13 | 5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, §5 | Assessed by notified body | |
| 14 | 6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I; | Annex VII, §6 | Assessed by notified body | |
| 16 | 8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I. | Annex VII, §8 | Assessed by notified body | |
| 15 | 7. a copy of the EU declaration of conformity; | Annex VII, §7 | Assessed by notified body |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) and 14(7) | Mandatory Reporting | |
| 2 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 (2) | Mandatory Reporting | |
| 3 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (2) (a) | Mandatory Reporting | |
| 4 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (2) (b) | Mandatory Reporting | |
| 5 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: | Article 14 (2) (c) | Mandatory Reporting | |
| 6 | (i) a description of the vulnerability, including its severity and impact; | Article 14 (2) (c) (i) | Mandatory Reporting | |
| 7 | (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; | Article 14 (2) (c) (ii) | Mandatory Reporting | |
| 8 | (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 (2) (c) (iII) | Mandatory Reporting | |
| 9 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform | Article 14 (3) | Single platform is not yet established (Dec 2024) | |
| 10 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 (4) | Mandatory Reporting | |
| 11 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 (4) (a) | Mandatory Reporting | |
| 12 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 (4) (b) | Mandatory Reporting | |
| 13 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: | Article 14 (4) (c) | Mandatory Reporting | |
| 14 | (i) a detailed description of the incident, including its severity and impact; | Article 14 (4) (c) (i) | Mandatory Reporting | |
| 15 | (ii) the type of threat or root cause that is likely to have triggered the incident; | Article 14 (4) (c) (ii) | Mandatory Reporting | |
| 16 | (iii) applied and ongoing mitigation measures. | Article 14 (4) (c) (iii) | Mandatory Reporting | |
| 17 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 (8) | Mandatory Reporting | |
| 18 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (1) | Voluntary Reporting | |
| 19 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | Article 15 (2) | Voluntary Reporting |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 3 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: | Annex VIII, Part IV, §3.1 | - | |
| 4 | (a) the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative; | Annex VIII, Part IV, §3.1 (a) | - | |
| 5 | (b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII; | Annex VIII, Part IV, §3.1 (b) | - | |
| 6 | (c) the documentation concerning the quality system; and | Annex VIII, Part IV, §3.1 (c) | - | |
| 7 | (d) a written declaration that the same application has not been lodged with any other notified body. | Annex VIII, Part IV, §3.1 (d) | - | |
| 8 | The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of: | Annex VIII, Part IV, §3.2 | - | |
| 9 | (a) the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling; | Annex VIII, Part IV, §3.2 (a) | - | |
| 10 | (b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met; | Annex VIII, Part IV, §3.2 (b) | - | |
| 11 | (c) the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met; | Annex VIII, Part IV, §3.2 (c) | - | |
| 12 | (d) the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered; | Annex VIII, Part IV, §3.2 (d) | - | |
| 13 | (e) the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used; | Annex VIII, Part IV, §3.2 (e) | - | |
| 14 | (f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out; | Annex VIII, Part IV, §3.2 (f) | ||
| 15 | (g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned; | Annex VIII, Part IV, §3.2 (g) | ||
| 16 | (h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system. | Annex VIII, Part IV, §3.2 (h) | ||
| 17 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, Part IV, §3.4 | ||
| 18 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. | Annex VIII, Part IV, §3.5 | ||
| 19 | Surveillance under the responsibility of the notified body: The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular: | Annex VIII, Part IV, §4.2 | ||
| 20 | (a) the quality system documentation;. | Annex VIII, Part IV, §4.2 (a) | ||
| 21 | (b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests; | Annex VIII, Part IV, §4.2 (b) | ||
| 22 | (c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned. | Annex VIII, Part IV, §4.2 (c) | ||
| 1 | Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I. | Annex VIII, Part IV, §1 | ||
| 2 | The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4. | Annex VIII, Part IV, §2 |
The Cyber Resilience Act defines “free and open-source software” as software whose source code is publicly accessible and distributed under a license that allows users to freely access, modify, use, and redistribute the software.
An open-source software steward is a legal entity, distinct from a manufacturer, that plays an ongoing, active role in supporting the development and maintenance of specific software products containing digital elements classified as free and open-source software. As such, open-source software stewrds are not considered manufacturers unless they take on additional commercial functions like product marketing or distribution.
Additonnaly, open-source software stewards are subject to the CRA only when they support the development of products “intended for commercial activities.” These activities include integration into commercial services or monetized products. However, the primary focus of open-source software stewards is to support the development of free and open-source software, ensuring its continued evolution and availability. Unlike manufacturers, stewards do not market or brand the software as their own, nor do they derive significant revenue beyond what is necessary to provide free support and maintain the software. Their role is centered around community-driven development and the technical stewardship of the software project, rather than commercial interests.
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software. Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form. | Article 24 §2 | - | |
| 1 | Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open- source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community | Article 24 §1 | - |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 2 | For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity. | Article 13 §5 | Requirement for manufacturers | |
| 1 | In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation. | Article 25 | As of 12.2024 - no delegated act has been published |
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 7 | The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products. | Article 24 §3 | - | |
| 1 | The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. | Article 24 §3 | - | |
| 2 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. | Article 14 §1 | only applicable if the steward is involved in commercial product development | |
| 3 | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: | Article 14 §2 | only applicable if the steward is involved in commercial product development | |
| 4 | (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 §2 (a) | only applicable if the steward is involved in commercial product development | |
| 5 | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 §2 (b) | only applicable if the steward is involved in commercial product development | |
| 6 | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14 §2 (c) | only applicable if the steward is involved in commercial product development | |
| 8 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. | Article 14 §3 | only applicable if the steward is involved in commercial product development | |
| 9 | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: | Article 14 §4 | only applicable if the steward is involved in commercial product development | |
| 10 | (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14 §4 (a) | only applicable if the steward is involved in commercial product development | |
| 11 | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | Article 14 §4 (b) | only applicable if the steward is involved in commercial product development | |
| 12 | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures. | Article 14 §4 (c) | only applicable if the steward is involved in commercial product development | |
| 13 | For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where: | Article 14 §5 | only applicable if the steward is involved in commercial product development | |
| 14 | (a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or | Article 14 §5 (a) | only applicable if the steward is involved in commercial product development | |
| 15 | (b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements | Article 14 §5 (b) | only applicable if the steward is involved in commercial product development | |
| 16 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | Article 14 §8 | only applicable if the steward is involved in commercial product development |
As a reminder, the CRA defines importers of products with digital elements as “a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;” article 3(16).
Important: Importers who import products with digital elements under their own trademarks or substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:
* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.
⚠️ These importers should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I. | article 19(1) | |
| 2 | Before placing a product with digital elements on the market, importers shall ensure that: | article 19(2) | |
| 3 | the appropriate conformity assessment procedures (modules A, B, C or H) have been carried out by the manufacturer; | article 19(2) (a) | |
| 4 | the manufacturer has drawn up the technical documentation; | article 19(2) (b) | |
| 5 | the product with digital elements bears the CE marking and is accompanied by the EU declaration of conformity and the information and instructions to the user in a language which can be easily understood by users and market surveillance authorities; | article 19(2) (c) | |
| 6 | the manufacturer has complied with the requirements set out in Article 13(15 - product can be identified with a batch number or similar), (16 - manufacturers' contact information) and (19 - end of support period). | article 19(2) (d) | |
| 7 | Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request. | article 19(6) |
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities. | article 19 (4) |
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 19(8) | |
| 2 | Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market. | article 19(7) | |
| 4 | Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate. Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken. | article 19(5) | |
| 3 | Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect. Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2). | article 19(3) |
As a reminder, the CRA defines distributors of products with digital elements as “a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;” article 3(17).
Important: Distribors who distribute products with digital elements under their own trademarks or substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:
* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.
⚠️ These distributors should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation. | article 20(1) | |
| 2 | Before making a product with digital elements available on the market, distributors shall verify that: | article 20(2) | |
| 3 | the product with digital elements bears the CE marking; | article 20(2) (a) | |
| 4 | the manufacturer and the importer have complied with the obligations set out in Article 13(15 - product can be identified with a batch number or similar), (16 - manufacturers' contact information), (18 - products are sold will all required documentation), (19 - end of support period), and (20 - EU Declaration of Conformity) and Article19(4 - importer has provided their contact information on the product), and have provided all necessary documents to the distributor. | article 20(2) (b) |
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect. | article 20(3) | |
| 2 | Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken. | article 20(4) | |
| 3 | Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market | article 20(5) | |
| 4 | Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 20(6) |
The CRA does not directly defines the term “resellers”, instead, we must look at the definition of the term “economic operator”, and specifically, the second half of the definition: ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products on the market in accordance with this Regulation”; article 3(12).
Important: Resellers who resell products with digital elements under their own trademarks or substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:
* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.
⚠️ These resellers should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation. | article 22(1) | |
| 2 | The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 (obligations of the manufacturer) and 14 (reporting obligations) for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product. | article 22(2) |
| ID | Requirement | Reference | Check |
|---|---|---|---|
| 1 | Economic operators shall, on request, provide the market surveillance authorities with the following information: | article 23(1) | |
| 2 | the name and address of any economic operator who has supplied them with a product with digital elements; | article 23(1) (a) | |
| 3 | where available, the name and address of any economic operator to whom they have supplied a product with digital elements. | article 23(1) (b) | |
| 4 | Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements. | article 23(2) |