Manufacturers of connected objects

In an increasingly connected world, cyber attacks pose significant risks for manufacturers of connected objects.

By engaging proactively with the Cyber Resilience Act and adopting the required measures, manufacturers can navigate the complex world of cybersecurity more effectively. This allows them to protect their products more effectively while helping to create a safer and more resilient ecosystem, benefiting the entire supply chain.

Discover our guide for manufacturers of connected objects!

Prerequisites

Before placing a product with digital elements on the market, manufacturers must:

  • Analyze potential risks based on intended use, foreseeable conditions, and expected lifespan.
  • Integrate components securely: Exercise due diligence when sourcing components from third parties, including open-source software, to ensure they don’t compromise the product’s cybersecurity.
  • Have policies and procedures to address vulnerabilities reported from internal or external sources, including coordinated disclosure policies.
  • Prepare technical documentation.
  • Choose and conduct conformity assessment procedures.
  • Issue an EU declaration of conformity and affix the CE marking.
  • Include identification markings (type, batch, serial number) on the product, packaging, or accompanying documents.
  • Indicate the manufacturer’s name, contact details, and website on the product, packaging, or accompanying documents.
  • Provide support for at least 5 years, or the product’s lifespan if shorter.
  • Ensure security updates released during the support period remain available for at least 10 years or the remaining support period, whichever is longer.

Legal basis

For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.

For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity. 

Manufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties, as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and by the Commission. The matters to be taken into account in order to determine the length of the support period shall be considered in a manner that ensures proportionality.

Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected period of use.

Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31. 

They shall carry out, or have carried out, the chosen conformity assessment procedures referred to in Article 32.

Where compliance of the product with digital elements with the essential requirements set out in Part I of Annex I, and of the processes put in place by the manufacturer with the essential requirements set out in Part II of Annex I, has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE marking in accordance with Article 30.

Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, ensure that this information is provided on their packaging or in a document accompanying the product with digital elements.

Manufacturers shall indicate the name, registered trade name or registered trade mark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website at which the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user referred to in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.


Documentation

The following mandatory documentation requirements must be fulfilled by manufacturers:

    • Technical Documentation: This includes relevant cybersecurity aspects such as identified vulnerabilities, information provided by third parties, and updates to the risk assessment. It must be kept for 10 years or the support period (whichever is longer) after the product is placed on the market.
    • EU Declaration of Conformity: This document proves compliance with essential requirements. Manufacturers can provide either the full version or a simplified version with a link to the full one online. Both versions must be kept available for 10 years or the support period.
    • User Information and Instructions: These guides on safe installation, operation, and use must be clear, understandable, and in a language users and authorities can readily grasp. They must be kept accessible for 10 years or the support period, online or physically.

Legal basis

When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements referred to in Article 12 and Article 32(6), which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.

The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which it becomes aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.

Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.

Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user referred to in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.

Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements which they have placed on the market.

Notifications

These reporting requirements aim to enhance cybersecurity measures and enable coordinated responses to vulnerabilities and incidents. Consequently, manufacturers must:

  • Inform the CSIRT of vulnerabilities in their products within 24 hours. Details of the vulnerability and any corrective actions taken should be included.
  • Notify the CSIRT within 24 hours of incidents impacting product security. Information on severity, impact, and suspected unlawful acts should be included. The market surveillance authority should also be informed.
  • Quickly inform users about incidents and provide mitigation measures.
  • Report vulnerabilities in integrated components to the respective maintainers.

Legal basis

A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.

For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:

(a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be;

(c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:

(i) a description of the vulnerability, including its severity and impact;

(ii) where available, information concerning any malicious actor that has exploited or is exploiting the vulnerability;

(iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.

For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be;

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

(i) a detailed description of the incident, including its severity and impact;

(ii) the type of threat or root cause that is likely to have triggered the incident;

(iii) applied and ongoing mitigation measures.

The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located.

In relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

After becoming aware of an actively exploited vulnerability or a severe incident, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, about the actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements and, where necessary, about risk mitigation and any corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured and easily automatically processible, machine-readable format. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.

Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.

Cybersecurity news and events

See the latest events on cybersecurity and the Cyber Resilience Act.