An CRA; Iarscríbhinní I–VIII

Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.

On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

be made available on the market without known exploitable vulnerabilities;

be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;

protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;

process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;

be designed, developed and produced to limit attack surfaces, including external interfaces;

be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;

provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;

provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;

in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;

apply effective and regular tests and reviews of the security of the product with digital elements;

once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;

put in place and enforce a policy on coordinated vulnerability disclosure;

take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

ainm, trádainm cláraithe nó trádmharc cláraithe an mhonaróra, agus seoladh poist, seoladh ríomhphoist nó teagmháil dhigiteach eile chomh maith leis an suíomh gréasáin inar féidir dul i dteagmháil leis an monaróir, i gcás ina bhfuil sé ar fáil;

an pointe teagmhála aonair inar féidir faisnéis faoi leochaileachtaí an táirge ag a bhfuil eilimintí digiteacha a thuairisciú agus a fháil, agus an áit inar féidir teacht ar bheartas an mhonaróra maidir le nochtadh comhordaithe leochaileachtaí;

ainm agus cineál agus aon fhaisnéis bhreise lena gcumasaítear sainaithint uathúil an táirge ag a bhfuil eilimintí digiteacha;

an chríoch a beartaíodh don táirge ag a bhfuil eilimintí digiteacha, lena n-áirítear an timpeallacht slándála arna soláthar ag an monaróir, mar aon le bunfheidhmiúlachtaí an táirge agus faisnéis faoi na hairíonna slándála;

aon imthoisc aitheanta nó intuartha, a bhaineann le húsáid an táirge ag a bhfuil eilimintí digiteacha i gcomhréir leis an gcríoch a beartaíodh dó nó faoi dhálaí mí-úsáide atá intuartha le réasún, arb imthoisc í a bhféadfadh rioscaí suntasacha cibearshlándála eascairt aisti;

i gcás inarb infheidhme, an seoladh idirlín ag a bhféadfar rochtain a fháil ar dhearbhú comhréireachta AE;

an cineál tacaíochta slándála teicniúla a thairgeann an monaróir agus dáta deiridh na tréimhse tacaíochta ar lena linn is féidir le húsáideoirí a bheith ag súil leis go láimhseálfar leochaileachtaí agus le nuashonruithe slándála a fháil;

treoracha mionsonraithe nó seoladh idirlín a thagraíonn do na treoracha mionsonraithe sin agus faisnéis faoin méid seo a leanas:

na bearta is gá a dhéanamh le linn choimisiúnú tosaigh an táirge agus le linn shaolré an táirge ag a bhfuil eilimintí digiteacha chun a úsáid shlán a áirithiú;

an chaoi ar féidir le hathruithe ar an táirge ag a bhfuil eilimintí digiteacha difear a dhéanamh don tslándáil sonraí;

an chaoi chun nuashonruithe a bhaineann leis an tslándáil a shuiteáil;

díchoimisiúnú slán an táirge ag a bhfuil eilimintí digiteacha, lena n-áirítear faisnéis faoin gcaoi ar féidir sonraí úsáideora a bhaint go slán;

an chaoi ar féidir an socrú réamhshocraithe lena gcumasaítear suiteáil uathoibríoch nuashonruithe slándála, mar a cheanglaítear le Cuid I, pointe (2)(c), d’Iarscríbhinn I, a chasadh as;

i gcás ina bhfuil sé beartaithe an táirge ag a bhfuil eilimintí digiteacha a chomhtháthú i dtáirgí eile ag a bhfuil eilimintí digiteacha, an fhaisnéis is gá chun go gcomhlíonfaidh an suimeálaí na ceanglais chibearshlándála fhíor-riachtanacha a leagtar amach in Iarscríbhinn I agus na ceanglais doiciméadachta a leagtar amach in Iarscríbhinn VII.

Má chinneann an monaróir an liosta ábhar bogearraí a chur ar fáil don úsáideoir, faisnéis faoin áit ar féidir rochtain a fháil ar an liosta ábhar bogearraí.

Córais bainistithe céannachta agus bogearraí agus crua-earraí bainistithe rochtana pribhléidithe, lena n-áirítear fíordheimhniú agus léitheoirí rialaithe rochtana, lena n-áirítear léitheoirí bithmhéadracha

Brabhsálaithe neamhspleácha agus brabhsálaithe leabaithe

Bainisteoirí pasfhocal

Bogearraí lena ndéantar bogearraí mailíseacha a chuardach, a bhaint nó a chur ar coraintín

Táirgí ag a bhfuil eilimintí digiteacha a bhfuil feidhm acu mar líonra príobháideach fíorúil (VPN)

Córais bainistíochta líonraí

Córais bainistíochta faisnéise slándála agus teagmhas slándála (SIEM)

Bainisteoirí bútála

Príomhbhonneagar poiblí agus bogearraí eisiúna deimhnithe dhigitigh

Comhéadain fhisiceacha agus fhíorúla líonra

Córais oibriúcháin

Ródairí, móideimí atá beartaithe lena nascadh leis an idirlíon agus lasca

Micreaphróiseálaithe a bhfuil feidhmiúlachtaí slándála acu

Micririalaitheoirí a bhfuil feidhmiúlachtaí slándála acu

Ciorcaid chomhtháite aonfheidhmeacha (ASIC) agus eagair geataí in-ríomhchláraithe sa réimse (FPGA) a bhfuil feidhmiúlachtaí slándála acu

Cúntóirí fíorúla baile cliste ilfheidhmeacha

Táirgí baile cliste a bhfuil feidhmiúlachtaí slándála acu, lena n-áirítear glais dorais chliste, ceamaraí slándála, córais faireacháin leanaí agus córais aláraim

Bréagáin atá nasctha leis an idirlíon a chumhdaítear le Treoir 2009/48/CE ó Pharlaimint na hEorpa agus ón gComhairle (1) ag a bhfuil gnéithe idirghníomhacha sóisialta (e.g. labhairt nó scannánú) nó ag a bhfuil gnéithe rianaithe suímh

Táirgí inchaite pearsanta atá le caitheamh nó le cur ar chorp an duine ag a bhfuil críoch faireacháin sláinte (amhail rianú) agus nach bhfuil feidhm ag Rialachán (AE) 2017/745 ná (AE) 2017/746 maidir leo, nó táirgí inchaite pearsanta atá beartaithe lena n-úsáid ag leanaí agus le haghaidh leanaí

Hipearmhaoirseoirí agus córais ama rite coimeádán lena dtacaítear le rith fíorúlaithe córas oibriúcháin agus timpeallachtaí comhchosúla

Ballaí dóiteáin, córais braite ionraidh agus córais choisc

Micreaphróiseálaithe nach féidir baint dóibh

Micririalaitheoirí nach féidir baint dóibh

Ainm agus cineál agus aon fhaisnéis bhreise lena gcumasaítear sainaithint uathúil an táirge ag a bhfuil eilimintí digiteacha

Ainm agus seoladh an mhonaróra nó ionadaí údaraithe an mhonaróra sin

Ráiteas gur faoi fhreagracht aonair an tsoláthraí a eisítear dearbhú comhréireachta AE

Cuspóir an dearbhúcháin (aitheantas an táirge ag a bhfuil eilimintí digiteacha lena gceadaítear inrianaitheacht, lena bhféadfaí grianghraf a áireamh, i gcás inarb iomchuí)

Ráiteas go bhfuil cuspóir an dearbhúcháin ar a dtugtar tuairisc thuas i gcomhréir le reachtaíocht ábhartha an Aontais um chomhchuibhiú

Tagairtí d’aon chaighdeán comhchuibhithe ábhartha eile a úsáidtear nó aon sonraíocht choiteann nó deimhniúchán cibearshlándála eile a ndearbhaítear comhréireacht ina leith

I gcás inarb infheidhme, ainm agus uimhir an chomhlachta faoina dtugtar fógra, tuairisc ar an nós imeachta um measúnú comhréireachta agus sainaithint an deimhnithe a eisíodh

Faisnéis bhreise:

tuairisc ghinearálta ar an táirge ag a bhfuil eilimintí digiteacha, lena gcuimsítear an méid seo a leanas:

an chríoch a beartaíodh dó;

leaganacha de bhogearraí a dhéanann difear don chomhlíontacht leis na ceanglais chibearshlándála fhíor-riachtanacha;

i gcás inar táirge crua-earraí é an táirge ag a bhfuil eilimintí digiteacha, grianghraif nó léaráidí a léiríonn na gnéithe seachtracha, an mharcáil agus an leagan amach inmheánach;

faisnéis agus treoracha le haghaidh an úsáideora mar a leagtar amach in Iarscríbhinn II;

tuairisc ar dhearadh, ar fhorbairt agus ar tháirgeadh an táirge ag a bhfuil eilimintí digiteacha agus ar phróisis láimhseála leochaileachtaí, lena n-áirítear an méid seo a leanas:

faisnéis riachtanach faoi dhearadh agus faoi fhorbairt an táirge ag a bhfuil eilimintí digiteacha, lena n-áirítear i gcás inarb infheidhme, líníochtaí agus scéimeanna agus/nó tuairisc ar ollstruchtúr an chórais lena mínítear an chaoi a gcuireann na comhpháirteanna bogearraí le chéile nó an tionchar a bhíonn acu ar a chéile agus conas a chomhtháthaítear iad sa phróiseáil fhoriomlán;

faisnéis riachtanach agus sonraíochtaí maidir leis na próisis láimhseála leochaileachtaí arna gcur i bhfeidhm ag an monaróir, lena n-áirítear an liosta ábhar bogearraí, an beartas um nochtadh comhordaithe leochaileachtaí, fianaise ar sheoladh teagmhála a sholáthar chun leochaileachtaí a thuairisciú agus tuairisc ar na réitigh theicniúla a roghnaítear chun nuashonruithe a dháileadh go slán;

faisnéis riachtanach agus sonraíochtaí maidir le próisis táirgthe agus faireacháin le haghaidh an táirge ag a bhfuil eilimintí digiteacha agus maidir le bailíochtú na bpróiseas sin.

measúnú ar na rioscaí cibearshlándála ar ina n-aghaidh a dhéantar an táirge ag a bhfuil eilimintí digiteacha a dhearadh, a fhorbairt, a tháirgeadh, a chur ar fáil agus a choinneáil ar bun de bhun Airteagal 13, lena n-áirítear an chaoi a bhfuil na ceanglais chibearshlándála fhíor-riachtanacha a leagtar amach i gCuid I d’Iarscríbhinn 1 infheidhme;

faisnéis ábhartha a cuireadh san áireamh chun an tréimhse thacaíochta de bhun Airteagal 13(8) den táirge ag a bhfuil eilimintí digiteacha a chinneadh;

liosta de na caighdeáin chomhchuibhithe a cuireadh i bhfeidhm ina n-iomláine nó i bpáirt agus ar foilsíodh a dtagairtí in Iris Oifigiúil an Aontais Eorpaigh, sonraíochtaí coiteanna mar a leagtar amach in Airteagal 27 den Rialachán seo nó scéimeanna Eorpacha um dheimhniú cibearshlándála arna nglacadh de bhun Rialachán (AE) 2019/881 de bhun Airteagal 27(8) den Rialachán seo, agus, i gcás nár cuireadh i bhfeidhm na caighdeáin chomhchuibhithe, na sonraíochtaí coiteanna ná na scéimeanna Eorpacha um dheimhniú cibearshlándála sin, tuairiscí ar na réitigh a glacadh chun na ceanglais chibearshlándála fhíor-riachtanacha a leagtar amach i gCodanna I agus II d’Iarscríbhinn I a chomhlíonadh, lena n-áirítear liosta de na sonraíochtaí teicniúla ábhartha eile a cuireadh i bhfeidhm. I gcás caighdeáin chomhchuibhithe, sonraíochtaí coiteanna nó scéimeanna Eorpacha um dheimhniú cibearshlándála a bheith i bhfeidhm i bpáirt, sonrófar sa doiciméadacht theicniúil na codanna a cuireadh i bhfeidhm;

tuairiscí ar na tástálacha a rinneadh chun a fhíorú go gcomhlíonann an táirge ag a bhfuil eilimintí digiteacha agus na próisis láimhseála leochaileachtaí na ceanglais chibearshlándála fhíor-riachtanacha is infheidhme mar leagtar amach i gCodanna I agus II d’Iarscríbhinn I;

cóip de dhearbhú comhréireachta AE;

i gcás inarb infheidhme, an liosta ábhar bogearraí, i ndiaidh iarraidh réasúnaithe ó údarás um fhaireachas margaidh ar choinníoll go bhfuil gá leis chun go mbeidh an t-údarás sin in ann comhlíontacht leis na ceanglais chibearshlándála fhíor-riachtanacha a leagtar amach in Iarscríbhinn I a sheiceáil.

Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

The manufacturer shall draw up the technical documentation described in Annex VII.

Design, development, production and vulnerability handling of products with digital elements

Conformity marking and declaration of conformity

Ionadaithe údaraithe

EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).

The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice.

The notified body shall:

The notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.

Where the type and the vulnerability handling processes meet the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, the conditions (if any) for its validity and the necessary data for identification of the approved type and vulnerability handling processes. The certificate may have one or more annexes attached.

The notified body shall keep itself apprised of any changes in the generally acknowledged state of the art which indicate that the approved type and the vulnerability handling processes may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.

The notified body shall carry out periodic audits to ensure that the vulnerability handling processes as set out in Part II of Annex I are implemented adequately.

Each notified body shall inform its notifying authorities concerning the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.

The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

The manufacturer’s authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.

Conformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

Production

Conformity marking and declaration of conformity

Authorised representative

Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.

Design, development, production and vulnerability handling of products with digital elements

Quality system

the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;

the documentation concerning the quality system; and

a written declaration that the same application has not been lodged with any other notified body.

the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;

the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;

the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;

the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;

the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;

the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;

the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;

the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.

Surveillance under the responsibility of the notified body

the quality system documentation;

the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;

the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.

Conformity marking and declaration of conformity

The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:

the technical documentation referred to in point 3.1;

the documentation concerning the quality system referred to in point 3.1;

the change referred to in point 3.5, as approved;

the decisions and reports of the notified body referred to in points 3.5 and 4.3.

Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.

Authorised representative