コンプライアンス・チェックリスト

データを保護し、脆弱性を取り除き、脅威に備える。サイバーレジリエンス法準拠チェックリストで、あなたの会社、製品、ソフトウェアがCRAに対応しているかどうかを確認しよう!

迅速な対応と期限内の準備のために、不足している可能性のある要件を特定する。

European flag

関連リンク

法律を読む
CRA 解説
EUのウェブサイトへ
メーカー 非重要 製品

製品メーカー ない クリティカル製品または重要製品クラスⅡに分類される製品は、CRAの要求事項への準拠を自己評価することができる。.

を確認することができる。 附属書III 重要品目リストについては同規則を参照のこと。 附属書IV クリティカル製品のリストはこちら。

Additionally, manufacturers of Important Products Class I who either 適合 十分に 調和された基準 または 共通仕様に準拠 または は欧州のサイバーセキュリティ認証を取得している、 can also self-assess their compliance with the CRA’s requirements.

⚠️ Manufacturers of Important Products Class I who have not applied or have applied only in part to harmonised standards, common specifications or European cybersecurity certification schemes マスト undergo a third party assessment (see “Important and Critical Products tab”).

In any case, manufacturers of non-Important Products may choose to undergo the same assessment process as Important Products, wherein compliance with the CRA is assessed by a notified body. In this case, they will need to select between two main modules, B or H, that are further described in the 重要かつ重要な製品 タブに表示され、以下に説明する条件とは異なる条件を満たすもの。

サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2a自己評価
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2b自己評価
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c 自己評価
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2d自己評価
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2e自己評価
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2f自己評価
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2g自己評価
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2h自己評価
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2i自己評価
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2j自己評価
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2k自己評価
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2l自己評価
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2m自己評価
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1自己評価
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2自己評価
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3自己評価
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4自己評価
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5自己評価
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6自己評価
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7自己評価
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8自己評価
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1自己評価
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II-
Information and instruction to the users
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1自書
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2自書
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3自書
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4自書
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5自書
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6自書
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7自書
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8自書
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)自書
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)自書
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)自書
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)自書
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)自書
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)自書
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
17The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7該当する場合
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part I, §4.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1自書
3

(a) その意図された目的;

Annex VII, §1 (a)自書
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)自書
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)自書
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)自書
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2自書
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)自書
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)自書
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)自書
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3自書
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4自書
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5自書
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6該当する場合
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8該当する場合
15

7. EU適合宣言書のコピー;

Annex VII, §7自書
Reporting requirements
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
メーカー 重要 そして クリティカル 製品

Manufacturers of Important Products Class I (自社製品がない場合 十分に conform to harmonized standards or common specification or have not been certified with a European Cybersecurity Certification), Important Products Class II and Critical Products マスト undergo an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.

⚠️ As of November 2024, no notified body has been announced.

を確認することができます。 附属書III 重要品目リストについては、規則の項を参照のこと。

Additionally, manufacturers of Critical Products が必要となる可能性がある。 今後  to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ instead of undergoing the CRA’s dedicated assessment modules (see below); this is according to article 27(9). However, as of November 2024, the Commission has not yet adopted delegated acts that are required to determine which products are concerned and what certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products can follow the same certification procedures as Important Products.

⚠️ Once delegated acts are published and we know more about these certifications schemes, this web page will be updated.

を確認することができます。 附属書IV クリティカル・プロダクトのリストについては、規制の項を参照のこと。

 

What are the paths to third party assessment ?

重要・重要製品のメーカーは、自社製品の評価について、モジュールB(またはモジュールB+モジュールC)とモジュールHの2つの経路から自由に選択することができる。

Module H: Conformity Based on Full Quality Assurance
Module H is a comprehensive assessment path which requires the establishment and maintenance of a robust 品質システム by the manufacturer. This quality system must include documented policies, procedures, and instructions meticulously outlining every stage of the product lifecycle, from design and development to production and vulnerability handling.
 
Module B: EU-Type Examination
While Module B doesn’t mandate a full-fledged quality system like Module H, manufacturers are still obligated to demonstrate that their technical design and development processes, along with vulnerability handling procedures, meet the CRA’s requirements. 
The primary focus of Module B, though, is the examination of a representative specimen (a combination of production and design type) of the product by a notified body. This examination aims to verify that the specimen aligns with the technical documentation and adheres to the relevant harmonized standards or technical specifications detailed in the documentation.
 
Module B+ Module C
Once a product type is certified under module B, other products of the same type can be certified through module C, which is a certification path that does not require for a new assessment by a notified body, providing that the new product is of the same type as the one certified via module A.

したがって、モジュールBがハードウェア自体に焦点を当てるのに対し、モジュールHは、CRAに準拠するための基礎として、製造者のプロセス(すなわち品質システム)に注目する。

道を選ぶ

サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2aノーティファイド・ボディによる評価
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2bノーティファイド・ボディによる評価
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c ノーティファイド・ボディによる評価
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2dノーティファイド・ボディによる評価
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2eノーティファイド・ボディによる評価
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2fノーティファイド・ボディによる評価
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2gノーティファイド・ボディによる評価
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2hノーティファイド・ボディによる評価
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2iノーティファイド・ボディによる評価
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2jノーティファイド・ボディによる評価
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2kノーティファイド・ボディによる評価
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2lノーティファイド・ボディによる評価
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2mノーティファイド・ボディによる評価
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1ノーティファイド・ボディによる評価
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2ノーティファイド・ボディによる評価
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3ノーティファイド・ボディによる評価
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4ノーティファイド・ボディによる評価
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5ノーティファイド・ボディによる評価
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6ノーティファイド・ボディによる評価
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7ノーティファイド・ボディによる評価
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8ノーティファイド・ボディによる評価
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1ノーティファイド・ボディによる評価
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II
Information and instruction to the users
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II'-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1Assessed by notified body, as part of the Technical Documentation
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2Assessed by notified body, as part of the Technical Documentation
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3Assessed by notified body, as part of the Technical Documentation
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4Assessed by notified body, as part of the Technical Documentation
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5Assessed by notified body, as part of the Technical Documentation
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6Assessed by notified body, as part of the Technical Documentation
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7Assessed by notified body, as part of the Technical Documentation
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8Assessed by notified body, as part of the Technical Documentation
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)Assessed by notified body, as part of the Technical Documentation
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)Assessed by notified body, as part of the Technical Documentation
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)Assessed by notified body, as part of the Technical Documentation
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)Assessed by notified body, as part of the Technical Documentation
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)Assessed by notified body, as part of the Technical Documentation
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)Assessed by notified body, as part of the Technical Documentation
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
49The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)'-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7mandatory
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part II, §10 and Part III, §3.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII'-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1ノーティファイド・ボディによる評価
3

(a) その意図された目的;

Annex VII, §1 (a)ノーティファイド・ボディによる評価
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)ノーティファイド・ボディによる評価
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)ノーティファイド・ボディによる評価
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)ノーティファイド・ボディによる評価
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2ノーティファイド・ボディによる評価
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)ノーティファイド・ボディによる評価
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)ノーティファイド・ボディによる評価
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)self-Assessed by notified body
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3ノーティファイド・ボディによる評価
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4ノーティファイド・ボディによる評価
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5ノーティファイド・ボディによる評価
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6ノーティファイド・ボディによる評価
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8ノーティファイド・ボディによる評価
15

7. EU適合宣言書のコピー;

Annex VII, §7ノーティファイド・ボディによる評価
Reporting requirements​
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
認証申請書の提出
身分証明書必要条件参考コメントチェック
3The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include:Annex VIII, Part II, §3-
4

the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

Annex VIII, Part II, §3.1-
5

a written declaration that the same application has not been lodged with any other notified body;

Annex VIII, Part II, §3.2-
6

the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;

Annex VIII, Part II, §3.3-
7

the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.

Annex VIII, Part II, §3.4-
8The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.Annex VIII, Part II, §7-
9The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.Annex VIII, Part II, §10-
1EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.Annex VIII, Part II, §1-
2EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).Annex VIII, Part II, §2-
サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2a同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2b同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c 同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2d同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2e同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2f同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2g同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2h同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2i同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2j同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2k同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2l同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2m同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II-
Information and instruction to the users
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1Self-written, based on a previously received EU-type certificate for the same type of product (module B)
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2Self-written, based on a previously received EU-type certificate for the same type of product (module B)
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3Self-written, based on a previously received EU-type certificate for the same type of product (module B)
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4Self-written, based on a previously received EU-type certificate for the same type of product (module B)
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5Self-written, based on a previously received EU-type certificate for the same type of product (module B)
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6Self-written, based on a previously received EU-type certificate for the same type of product (module B)
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7Self-written, based on a previously received EU-type certificate for the same type of product (module B)
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8Self-written, based on a previously received EU-type certificate for the same type of product (module B)
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)Self-written, based on a previously received EU-type certificate for the same type of product (module B)
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
17The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7mandatory
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part II, §10 and Part III, §3.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
3

(a) その意図された目的;

Annex VII, §1 (a)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
15

7. EU適合宣言書のコピー;

Annex VII, §7Self-written, based on a previously received EU-type examination certificate for the same type of product (module B)
Reporting requirements​
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2aノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2bノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2dノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2eノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2fノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2gノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2hノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2iノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2jノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2kノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2lノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2mノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3Self-Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system.assessment
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II-
Information and instruction to the users
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II'-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1Assessed by notified body, as part of the Technical Documentation
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2Assessed by notified body, as part of the Technical Documentation
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3Assessed by notified body, as part of the Technical Documentation
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4Assessed by notified body, as part of the Technical Documentation
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5Assessed by notified body, as part of the Technical Documentation
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6Assessed by notified body, as part of the Technical Documentation
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7Assessed by notified body, as part of the Technical Documentation
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8Assessed by notified body, as part of the Technical Documentation
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)Assessed by notified body, as part of the Technical Documentation
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)Assessed by notified body, as part of the Technical Documentation
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)Assessed by notified body, as part of the Technical Documentation
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)Assessed by notified body, as part of the Technical Documentation
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)Assessed by notified body, as part of the Technical Documentation
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)Assessed by notified body, as part of the Technical Documentation
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
49The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)'-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7mandatory
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part II, §10 and Part III, §3.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII'-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1ノーティファイド・ボディによる評価
3

(a) その意図された目的;

Annex VII, §1 (a)ノーティファイド・ボディによる評価
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)ノーティファイド・ボディによる評価
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)ノーティファイド・ボディによる評価
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)ノーティファイド・ボディによる評価
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2ノーティファイド・ボディによる評価
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)ノーティファイド・ボディによる評価
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)ノーティファイド・ボディによる評価
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)self-Assessed by notified body
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3ノーティファイド・ボディによる評価
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4ノーティファイド・ボディによる評価
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5ノーティファイド・ボディによる評価
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6ノーティファイド・ボディによる評価
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8ノーティファイド・ボディによる評価
15

7. EU適合宣言書のコピー;

Annex VII, §7ノーティファイド・ボディによる評価
Reporting requirements​
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
認証申請
身分証明書必要条件参考コメントチェック
3The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include:Annex VIII, Part IV, §3.1 -
4

(a) the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

Annex VIII, Part IV, §3.1 (a)-
5

(b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;

Annex VIII, Part IV, §3.1 (b)-
6

(c) the documentation concerning the quality system; and

Annex VIII, Part IV, §3.1 (c)-
7

(d) a written declaration that the same application has not been lodged with any other notified body.

Annex VIII, Part IV, §3.1 (d)-
8The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of:Annex VIII, Part IV, §3.2-
9

(a) the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;

Annex VIII, Part IV, §3.2 (a)-
10

(b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;

Annex VIII, Part IV, §3.2 (b)-
11

(c) the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;

Annex VIII, Part IV, §3.2 (c)-
12

(d) the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;

Annex VIII, Part IV, §3.2 (d)-
13

(e) the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;

Annex VIII, Part IV, §3.2 (e)-
14

(f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;

Annex VIII, Part IV, §3.2 (f)
15

(g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;

Annex VIII, Part IV, §3.2 (g)
16

(h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.

Annex VIII, Part IV, §3.2 (h)
17製造者は、承認された品質システムから生じる義務を履行し、それが適切かつ効率的であり続けるように維持することを約束するものとする。Annex VIII, Part IV, §3.4
18The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.Annex VIII, Part IV, §3.5
19Surveillance under the responsibility of the notified body: The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:Annex VIII, Part IV, §4.2
20

(a) the quality system documentation;.

Annex VIII, Part IV, §4.2 (a)
21

(b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;

Annex VIII, Part IV, §4.2 (b)
22

(c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.

Annex VIII, Part IV, §4.2 (c)
1Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.Annex VIII, Part IV, §1
2製造者は、当該デジタル要素を含む製品の設計、開発、最終製品検査および試験、ならびに脆弱性の対応について、ポイント3に規定される承認された品質システムを運用し、サポート期間を通じてその有効性を維持し、ポイント4に規定されるサーベイランスを受けなければならない。Annex VIII, Part IV, §2
の開発者 非重要 ソフトウェア

ソフトウェア開発企業 ない クリティカル製品または重要製品クラスⅡに分類されるソフトウェアは、CRAの要求事項への適合性を自己評価することができる。.

を確認することができる。 附属書III 重要品目リストについては同規則を参照のこと。 附属書IV クリティカル製品のリストはこちら。

重要製品第一種に分類されるソフトウェアを開発する企業で、以下のいずれかに該当する企業 適合 十分に  調和された基準 または  適合 十分に  共通仕様 または  は欧州のサイバーセキュリティ認証を取得している、 また、CRAの要求事項への準拠を自己評価することもできる。

⚠️ Software developers of Important Products Class I who have not applied or have applied only in part harmonised standards, common specifications or European cybersecurity certification schemes マスト サードパーティのアセスメントを受ける(「重要なソフトウェア」タブを参照)

いずれにせよ、非重要製品のソフトウェア開発者は、重要製品および重要製品と同じ評価プロセスを選択することができる。 

重要なソフトウェアとクリティカルなソフトウェアをチェックする tab to read more on third-party assessment.

サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメント
1Software developers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the software developer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the software developer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the software developer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The software developer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2'-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2a自己評価
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2b自己評価
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c 自己評価
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2d自己評価
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2e自己評価
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2f自己評価
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2g自己評価
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2h自己評価
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2i自己評価
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2j自己評価
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2k自己評価
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2l自己評価
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2m自己評価
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1自己評価
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2自己評価
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3自己評価
20

(4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where software developers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;

Annex I, Part 2 §4自己評価
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5自己評価
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6自己評価
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7自己評価
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between the software developer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8自己評価
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1自己評価
16Developers of software with digital elements shall:Annex I - Part II'-
Information and instructions to the user
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II-
2

1. the name, registered trade name or registered trademark of the software developer, and the postal address, the email address or other digital contact as well as, where available, the website at which the software developer can be contacted;

付属書II、§1自書
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the software developer's policy on coordinated vulnerability disclosure can be found;

附属書II、§2自書
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3自書
5

4. the intended purpose of the product with digital elements, including the security environment provided by the software developer , as well as the product’s essential functionalities and information about the security properties;

附属書II、§4自書
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5自書
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6自書
8

7. the type of technical security support offered by the software developer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;

Annex VI, §7自書
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8自書
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)自書
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)自書
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)自書
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)自書
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)自書
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)自書
16

9. If the software developer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.

附属書II、§9Not mandatory
17The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1'-
3

(2) Name and address of the software developer or its authorised representative

Annex V, §2'-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3'-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4'-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5'-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7該当する場合
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8'-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of software developer ] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The software developer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part I, §4.2'-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII'-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1自書
3

(a) その意図された目的;

Annex VII, §1 (a)自書
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)自書
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)自書
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)自書
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2自書
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)自書
9

(b) necessary information and specifications of the vulnerability handling processes put in place by the software developer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

Annex VII, §2 (b)自書
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)自書
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3自書
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4自書
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5自書
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6該当する場合
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8該当する場合
15

7. EU適合宣言書のコピー;

Annex VII, §7自書
報告要件
身分証明書必要条件参考コメントチェック
1A software developer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The software developer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2For the purposes of the notification referred to in paragraph 1, the software developer shall submit:Article 14 (2)Mandatory Reporting
3

(a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the software developer becoming aware of it, indicating, where applicable, the Member States on the territory of which the software developer is aware that their product with digital elements has been made available;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the software developer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the software developer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A software developer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The software developer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10For the purposes of the notification referred to in paragraph 3, the software developer shall submit:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the software developer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the software developer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the software developer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the software developer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the software developer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the software developer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18Software developers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.Article 15 (1)Voluntary Reporting
19Software developers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.Article 15 (2)Voluntary Reporting
の開発者 重要 そして クリティカル ソフトウェアである。

Companies developing software products classified as Important Products Class I (if their software products do not 十分に conform to harmonized standards or common specification or have not been certified with a European Cybersecurity Certification), Important Products Class II and Critical Products マスト undergo an external assessment process conducted by a notified body responsible for verifying the compliance of the software products with the requirements of the CRA.

⚠️ As of November 2024, no notified body has been announced.

を確認することができます。 附属書III 重要品目リストについては、規則の項を参照のこと。

Additionally, companies developing software products classified as Critical Products が必要となる可能性がある。 今後  to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ instead of undergoing the CRA’s dedicated assessment modules (see below); this is according to article 27(9). However, as of November 2024, the Commission has not yet adopted delegated acts that are required to determine which products are concerned and what certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products can follow the same certification procedures as Important Products.

⚠️ Once delegated acts are published and we know more about these certifications schemes, this web page will be updated.

を確認することができます。 附属書IV クリティカル・プロダクトのリストについては、規制の項を参照のこと。

 

What are the paths to third party assessment ?

Companies developing software products classified as Important and Critical Products can freely choose among two paths for the assessment of their software products: module B (or module B + module C) and module H.

Module H: Conformity Based on Full Quality Assurance
Module H is a comprehensive assessment path which requires the establishment and maintenance of a robust 品質システム. This quality system must include documented policies, procedures, and instructions meticulously outlining every stage of the product lifecycle, from design and development to production and vulnerability handling.
 
Module B: EU-Type Examination
While Module B doesn’t mandate a full-fledged quality system like Module H, manufacturers are still obligated to demonstrate that their technical design and development processes, along with vulnerability handling procedures, meet the CRA’s requirements. 
The primary focus of Module B, though, is the examination of a representative specimen of the product by a notified body. This examination aims to verify that the specimen aligns with the technical documentation and adheres to the relevant harmonized standards or technical specifications detailed in the documentation.
 
Important: The requirement for a specimen examination in Module B doesn’t automatically exclude software, as the CRA defines “specimen” as a combination of “production type and design type,” which could be interpreted to include representative samples of software code or functionalities.
 
Module B+ Module C
Once a software product type is certified under module B, other products of the same type can be certified through module C, which is a certification path that does not require for a new assessment by a notified body, providing that the new product is of the same type as the one certified via module A.

道を選ぶ

サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメント
1Software developers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the software developer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the software developer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the software developer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The software developer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2aノーティファイド・ボディによる評価
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between the software developer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to itsoriginal state;

Annex I, Part 1 §2bノーティファイド・ボディによる評価
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c ノーティファイド・ボディによる評価
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2dノーティファイド・ボディによる評価
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2eノーティファイド・ボディによる評価
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2fノーティファイド・ボディによる評価
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2gノーティファイド・ボディによる評価
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2hノーティファイド・ボディによる評価
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2iノーティファイド・ボディによる評価
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2jノーティファイド・ボディによる評価
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2kノーティファイド・ボディによる評価
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2lノーティファイド・ボディによる評価
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2mノーティファイド・ボディによる評価
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1ノーティファイド・ボディによる評価
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2ノーティファイド・ボディによる評価
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3ノーティファイド・ボディによる評価
20

(4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where software developers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;

Annex I, Part 2 §4ノーティファイド・ボディによる評価
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5ノーティファイド・ボディによる評価
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6ノーティファイド・ボディによる評価
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7ノーティファイド・ボディによる評価
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a software developer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8ノーティファイド・ボディによる評価
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1ノーティファイド・ボディによる評価
16Software developers of products with digital elements shall:Annex I - Part II-
一般文書
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II'-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1Assessed by notified body, as part of the Technical Documentation
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2Assessed by notified body, as part of the Technical Documentation
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3Assessed by notified body, as part of the Technical Documentation
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4Assessed by notified body, as part of the Technical Documentation
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5Assessed by notified body, as part of the Technical Documentation
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6Assessed by notified body, as part of the Technical Documentation
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7Assessed by notified body, as part of the Technical Documentation
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8Assessed by notified body, as part of the Technical Documentation
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)Assessed by notified body, as part of the Technical Documentation
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)Assessed by notified body, as part of the Technical Documentation
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)Assessed by notified body, as part of the Technical Documentation
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)Assessed by notified body, as part of the Technical Documentation
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)Assessed by notified body, as part of the Technical Documentation
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)Assessed by notified body, as part of the Technical Documentation
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
49The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)'-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7該当する場合
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part I, §4.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII'-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1ノーティファイド・ボディによる評価
3

(a) その意図された目的;

Annex VII, §1 (a)ノーティファイド・ボディによる評価
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)ノーティファイド・ボディによる評価
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)ノーティファイド・ボディによる評価
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)ノーティファイド・ボディによる評価
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2ノーティファイド・ボディによる評価
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)ノーティファイド・ボディによる評価
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)ノーティファイド・ボディによる評価
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)self-Assessed by notified body
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3ノーティファイド・ボディによる評価
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4ノーティファイド・ボディによる評価
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5ノーティファイド・ボディによる評価
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6ノーティファイド・ボディによる評価
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8ノーティファイド・ボディによる評価
15

7. EU適合宣言書のコピー;

Annex VII, §7ノーティファイド・ボディによる評価
当局とのコミュニケーション
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
認証申請書の提出
身分証明書必要条件参考コメントチェック
3The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include:Annex VIII, Part II, §3-
4

the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

Annex VIII, Part II, §3.1-
5

a written declaration that the same application has not been lodged with any other notified body;

Annex VIII, Part II, §3.2-
6

the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;

Annex VIII, Part II, §3.3-
7

the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.

Annex VIII, Part II, §3.4-
8The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.Annex VIII, Part II, §7-
9The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.Annex VIII, Part II, §10-
1EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.Annex VIII, Part II, §1-
2EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).Annex VIII, Part II, §2-
サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2a同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2b同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c 同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2d同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2e同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2f同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2g同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2h同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2i同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2j同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2k同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2l同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2m同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1同種の製品について過去に取得したEU型審査証明書に基づく自己評価(モジュールB)
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II-
一般文書
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1自書
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2自書
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3自書
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4自書
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5自書
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6自書
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7自書
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8自書
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)自書
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)自書
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)自書
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)自書
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)自書
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)自書
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
17The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the manufacturer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7mandatory
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of manufacturer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part II, §10 and Part III, §3.2-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1自書
3

(a) その意図された目的;

Annex VII, §1 (a)自書
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)自書
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)自書
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)自書
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2自書
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)自書
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)自書
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)自書
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3自書
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4自書
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5自書
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6該当する場合
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8該当する場合
15

7. EU適合宣言書のコピー;

Annex VII, §7自書
当局とのコミュニケーション
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
サイバーセキュリティ・リスク評価
身分証明書必要条件参考コメントチェック
1Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.article 13(2) self-written - to be reviewed by notified body for critical and important products
2The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.Article 13(3)self-written - to be reviewed by notified body for critical and important products
3When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation. For products with digital elements which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.Article 13(4)self-written - to be reviewed by notified body for critical and important products
4The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the productsArticle 13(7)self-written - to be reviewed by notified body for critical and important products
一般要件
身分証明書必要条件参考コメントチェック
2On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:Annex I, Part 1 §2-
3

(a)悪用可能な既知の脆弱性がない状態で市場に提供されること;

Annex I, Part 1 §2aノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
4

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

Annex I, Part 1 §2bノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
5

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt- out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

Annex 1, Part 1 §2c ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
6

(d) 認証、ID またはアクセス管理システムを含むがこれに限定されない、適切な管理メカニズ ムにより、不正アクセスからの保護を確保し、不正アクセスの可能性について報告する;

Annex I, Part 1 §2dノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
7

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

Annex I, Part 1 §2eノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
8

(f)保存、送信、またはその他の方法で処理されたデータ、個人またはその他のデータ、コマンド、プログラム、および設定の完全性を、ユーザーによって許可されていない操作または変更から保護し、破損について報告すること;

Annex I, Part 1 §2fノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
9

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

Annex I, Part 1 §2gノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
10

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

Annex I, Part 1 §2hノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
11

(i)製品自体または接続デバイスが、他のデバイスまたはネットワークが提供するサービスの可用性に与える悪影響を最小限に抑えること;

Annex I, Part 1 §2iノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
12

(j) 外部インタフェースを含む攻撃面を制限するように設計、開発、製造されること;

Annex I, Part 1 §2jノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
13

(k)適切な搾取緩和の仕組みと技術を用いて、事故の影響を軽減するように設計、開発、製造されること;

Annex I, Part 1 §2kノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
14

(l) データ、サービスまたは機能へのアクセスまたは変更を含む、関連する内部活動を記録および監視することにより、セキュリティ関連情報を提供すること;

Annex I, Part 1 §2lノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
15

(m) 利用者がすべてのデータおよび設定を安全かつ容易に永続的に削除できる可能性を提供し、そのようなデータが他の製品またはシステムに転送される可能性がある場合、これが安全な方法で行われることを保証すること。

Annex I, Part 1 §2mノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
18

(2) デジタル要素を有する製品にもたらされるリスクに関連して、セキュリティ更新を提供することを含め、脆弱性に遅滞なく対処し、是正すること。技術的に可能な場合、新たなセキュリティ更新は、機能の更新とは別に提供すること;

Annex I, Part 2 §1ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
17

(1) デジタル要素を含む製品に含まれる脆弱性とコンポーネントを特定し、文書化する。これには、少なくとも製品のトップレベルの依存関係を網羅する、一般的に使用され機械で読み取り可能な形式のソフトウェア部品表を作成することが含まれる;

Annex I, Part 2 §2ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
19

(3) デジタル要素を含む製品のセキュリティについて、効果的かつ定期的なテストとレビューを適用する;

Annex I, Part 2 §3Self-Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system.assessment
20

(4) セキュリティアップデートが利用可能になったら、修正された脆弱性に関する情報を共有し、公開する。これには、脆弱性の説明、影響を受けるデジタル要素を持つ製品をユーザーが特定できる情報、脆弱性の影響、深刻度、ユーザーが脆弱性を修正するのに役立つ明確かつアクセス可能な情報を含む;

Annex I, Part 2 §4ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
21

(5) 協調的な脆弱性開示に関するポリシーを導入し、実施する;

Annex I, Part 2 §5ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
22

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

Annex I, Part 2 §6ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
23

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

Annex I, Part 2 §7ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
24

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Annex I, Part 2 §8ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
1Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.Annex I, Part 1 §1ノーティファイドボディによる評価 - 品質システムに関して、明確な文書化された方針、手順、指示によって正当化されなければならない。
16デジタル要素を含む製品の製造業者は、次のことを行わなければならない:Annex I - Part II-
一般文書
身分証明書必要条件参考コメントチェック
1最低限、デジタル要素を含む製品を添付しなければならない:Annex II'-
2

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

付属書II、§1Assessed by notified body, as part of the Technical Documentation
3

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

附属書II、§2Assessed by notified body, as part of the Technical Documentation
4

3. name and type and any additional information enabling the unique identification of the product with digital elements;

附属書II、§3Assessed by notified body, as part of the Technical Documentation
5

4.製造者が提供するセキュリティ環境、製品の必須機能、セキュリティ特性に関する情報を含む、デジタル要素を含む製品の意図された目的;

附属書II、§4Assessed by notified body, as part of the Technical Documentation
6

5.意図された目的に従って、または合理的に予見可能な誤用の条件下で、デジタル要素を含む製品を使用することに関連し、重大なサイバーセキュリティリスクにつながる可能性のある、既知または予見可能な状況;

附属書II、§5Assessed by notified body, as part of the Technical Documentation
7

6. 該当する場合、EU適合宣言にアクセスできるインターネットアドレス;

附属書II、§6Assessed by notified body, as part of the Technical Documentation
8

7. 製造者が提供するテクニカルセキュリティサポートの種類と、ユーザーが脆弱性への対応やセキュリティアップデートの提供を期待できるサポート期間の終了日;

Annex VI, §7Assessed by notified body, as part of the Technical Documentation
9

8. 詳細な指示、またはそのような詳細な指示や情報を参照するインターネットアドレス:

Annex II, §8Assessed by notified body, as part of the Technical Documentation
10

(a)最初の試運転時及びデジタル要素を含む製品の耐用期間を通じて、その安全な使用を確保するために必要な措置;

Annex II, §8 (a)Assessed by notified body, as part of the Technical Documentation
11

(b) デジタル要素を含む製品への変更が、データのセキュリティにどのような影響を与えるか;

Annex II, §8 (b)Assessed by notified body, as part of the Technical Documentation
12

(c) セキュリティ関連のアップデートをインストールする方法;

Annex II, §8 (c)Assessed by notified body, as part of the Technical Documentation
13

(d) ユーザーデータを安全に削除する方法に関する情報を含む、デジタル要素を含む製品の安全な廃棄;

Annex II, §8 (d)Assessed by notified body, as part of the Technical Documentation
14

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

Annex II, §8 (e)Assessed by notified body, as part of the Technical Documentation
15

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

Annex II, §8 (f)Assessed by notified body, as part of the Technical Documentation
16

9.製造者がソフトウェアの部品表をユーザーに提供することを決定した場合、ソフトウェアの部品表にアクセスできる場所に関する情報。

附属書II、§9Not mandatory
49The user information and instructions as set out in Annex II (detailed above), shall be included in the Technical Documentation.Annex VII, §1 (d)'-
EU適合宣言
身分証明書必要条件参考コメントチェック
1第28条のEU適合宣言書には、以下のすべての情報を記載しなければならない:Annex VThe EU Declaration of conformity is self-written
2

(1) Name and type and any additional information enabling the unique identification of the product with digital elements

Annex V, §1-
3

(2) Name and address of the software developer or its authorised representative

Annex V, §2-
4

(3) A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

Annex V, §3-
5

(4) Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

Annex V, §4-
6

(5) A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

Annex V, §5-
8

(7) Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

Annex V, §7mandatory
10簡易EU適合宣言書Annex VIOnly for SMEs and micro-enterprises
7

(6) References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

Annex V, §6該当する場合
9

(8) Additional information:
Signed for and on behalf of:
(発行地と発行日):
(名前, 関数)
(署名):

Annex V, §8-
11The simplified EU declaration of conformity referred to in shall be provided as follows: Hereby, ... [name of software developer] declares that the product with digital elements type ... [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+ . The full text of the EU declaration of conformity is available at the following internet address: …Annex VI自書
12The software developer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.Annex VIII, Part IV, §5-
技術文書
身分証明書必要条件参考コメントチェック
1The technical documentation shall contain at least the following information, as applicable to the relevant product with digital elements:Annex VII'-
2

1. デジタル要素を含む製品の概要説明:

Annex VII, §1ノーティファイド・ボディによる評価
3

(a) その意図された目的;

Annex VII, §1 (a)ノーティファイド・ボディによる評価
4

(b) versions of software affecting compliance with essential cybersecurity requirements;

Annex VII, §1 (b)ノーティファイド・ボディによる評価
5

(c) デジタル要素を含む製品がハードウェア製品である場合、外観の特徴、マーキング、内部レイアウトを示す写真またはイラスト;

Annex VII, §1 (c)ノーティファイド・ボディによる評価
6

(d) 附属書IIに定める使用者情報および指示;

Annex VII, §1 (d)ノーティファイド・ボディによる評価
7

2. デジタル要素を含む製品の設計、開発、生産、および脆弱性処理プロセスに関する記述:

Annex VII, §2ノーティファイド・ボディによる評価
8

(a) デジタル要素を含む製品の設計と開発に関する必要な情報。該当する場合は、図面や回路図、およびソフトウェアコンポーネントがどのように互いの上に構築され、あるいは互いに連動し、全体的な処理に統合されるかを説明するシステムアーキテクチャの説明を含む;

Annex VII, §2 (a)ノーティファイド・ボディによる評価
9

(b) ソフトウェアの部品表、調整された脆弱性開示方針、脆弱性を報告するための連絡先が提供されている証拠、アップデートの安全な配布のために選択された技術的ソリューションの説明を含む、製造者によって実施された脆弱性処理プロセスの必要な情報および仕様;

Annex VII, §2 (b)ノーティファイド・ボディによる評価
10

(c)デジタル要素を含む製品の製造および監視プロセス、ならびにそれらのプロセスの検証に関する必要な情報および仕様;

Annex VII, §2 (c)self-Assessed by notified body
11

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

Annex VII, §3ノーティファイド・ボディによる評価
12

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

Annex VII, §4ノーティファイド・ボディによる評価
13

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

Annex VII, §5ノーティファイド・ボディによる評価
14

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

Annex VII, §6ノーティファイド・ボディによる評価
16

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

Annex VII, §8ノーティファイド・ボディによる評価
15

7. EU適合宣言書のコピー;

Annex VII, §7ノーティファイド・ボディによる評価
当局とのコミュニケーション
身分証明書必要条件参考コメントチェック
1A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.Article 14(1) and 14(7)Mandatory Reporting
2第1項の届出のために、製造者は以下の書類を提出しなければならない:Article 14 (2)Mandatory Reporting
3

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 (2) (a)Mandatory Reporting
4

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (2) (b)Mandatory Reporting
5

(c) 関連情報がすでに提供されている場合を除き、是正措置または緩和措置が利用可能になってから14日以内に、少なくとも以下を含む最終報告書を提出する:

Article 14 (2) (c)Mandatory Reporting
6

(i) 脆弱性の説明(その重大性と影響を含む);

Article 14 (2) (c) (i)Mandatory Reporting
7

(ii) 利用可能な場合、脆弱性を悪用した、または悪用している悪意のある行為者に関する情報;

Article 14 (2) (c) (ii)Mandatory Reporting
8

(iii) 脆弱性を是正するために提供されたセキュリティアップデートまたはその他の是正措置の詳細。

Article 14 (2) (c) (iII)Mandatory Reporting
9A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platformArticle 14 (3)Single platform is not yet established (Dec 2024)
10第3項の届出のために、製造者は以下を提出しなければならない:Article 14 (4)Mandatory Reporting
11

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 (4) (a)Mandatory Reporting
12

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 (4) (b)Mandatory Reporting
13

(c) 関連情報が既に提供されている場合を除き、(b)に基づく事故通知書の提出後1ヶ月以内に、少なくとも以下を含む最終報告書を提出すること:

Article 14 (4) (c)Mandatory Reporting
14

(i)その重大性と影響を含む、事故の詳細な説明;

Article 14 (4) (c) (i)Mandatory Reporting
15

(ii) インシデントの引き金となったと思われる脅威の種類または根本原因;

Article 14 (4) (c) (ii)Mandatory Reporting
16

(iii) 適用済みおよび継続中の緩和策。

Article 14 (4) (c) (iii)Mandatory Reporting
17After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.Article 14 (8)Mandatory Reporting
18製造業者だけでなく、その他の自然人または法人も、デジタル要素を含む製品に含まれる脆弱性、およびデジタル要素を含む製品のリスクプロファイルに影響を与える可能性のあるサイバー脅威を、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (1)Voluntary Reporting
19製造者だけでなく、その他の自然人または法人も、デジタル要素を含む製品のセキュリティに影響を及ぼすインシデントや、そのようなインシデントにつながる可能性があったニアミスを、コーディネーターとして指定されたCSIRTまたはENISAに任意で通知することができる。Article 15 (2)Voluntary Reporting
認証申請
身分証明書必要条件参考コメントチェック
3The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include:Annex VIII, Part IV, §3.1 -
4

(a) the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

Annex VIII, Part IV, §3.1 (a)-
5

(b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;

Annex VIII, Part IV, §3.1 (b)-
6

(c) the documentation concerning the quality system; and

Annex VIII, Part IV, §3.1 (c)-
7

(d) a written declaration that the same application has not been lodged with any other notified body.

Annex VIII, Part IV, §3.1 (d)-
8The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of:Annex VIII, Part IV, §3.2-
9

(a) the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;

Annex VIII, Part IV, §3.2 (a)-
10

(b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;

Annex VIII, Part IV, §3.2 (b)-
11

(c) the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;

Annex VIII, Part IV, §3.2 (c)-
12

(d) the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;

Annex VIII, Part IV, §3.2 (d)-
13

(e) the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;

Annex VIII, Part IV, §3.2 (e)-
14

(f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;

Annex VIII, Part IV, §3.2 (f)
15

(g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;

Annex VIII, Part IV, §3.2 (g)
16

(h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.

Annex VIII, Part IV, §3.2 (h)
17製造者は、承認された品質システムから生じる義務を履行し、それが適切かつ効率的であり続けるように維持することを約束するものとする。Annex VIII, Part IV, §3.4
18The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.Annex VIII, Part IV, §3.5
19Surveillance under the responsibility of the notified body: The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:Annex VIII, Part IV, §4.2
20

(a) the quality system documentation;.

Annex VIII, Part IV, §4.2 (a)
21

(b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;

Annex VIII, Part IV, §4.2 (b)
22

(c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.

Annex VIII, Part IV, §4.2 (c)
1Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.Annex VIII, Part IV, §1
2製造者は、当該デジタル要素を含む製品の設計、開発、最終製品検査および試験、ならびに脆弱性の対応について、ポイント3に規定される承認された品質システムを運用し、サポート期間を通じてその有効性を維持し、ポイント4に規定されるサーベイランスを受けなければならない。Annex VIII, Part IV, §2
の開発者 open source ソフトウェア

The Cyber Resilience Act defines “free and open-source software” as software whose source code is publicly accessible and distributed under a license that allows users to freely access, modify, use, and redistribute the software.

An open-source software steward is a legal entity, distinct from a manufacturer, that plays an ongoing, active role in supporting the development and maintenance of specific software products containing digital elements classified as free and open-source software. As such,  open-source software stewrds are not considered manufacturers unless they take on additional commercial functions like product marketing or distribution.

Additonnaly, open-source software stewards are subject to the CRA only when they support the development of products “intended for commercial activities.” These activities include integration into commercial services or monetized products. However, the primary focus of open-source software stewards is to support the development of free and open-source software, ensuring its continued evolution and availability. Unlike manufacturers, stewards do not market or brand the software as their own, nor do they derive significant revenue beyond what is necessary to provide free support and maintain the software. Their role is centered around community-driven development and the technical stewardship of the software project, rather than commercial interests.

一般要件
身分証明書必要条件参考コメントチェック
2オープンソースソフトウェアのスチュワードは、市場監視当局の要請に応じて、フリーソフ トウェアおよびオープンソースソフトウェアとして適格なデジタル要素を持つ製品 がもたらすサイバーセキュリティ上のリスクを軽減する目的で、市場監視当局に協力しなけ ればならない。市場監視当局からの合理的な要請があった場合、オープンソースソフトウェアのスチュワードは、同当局に対し、同当局が容易に理解できる言語で、紙または電子形式で、第1項で言及した文書を提供しなければならない。Article 24 §2-
1Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open- source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source communityArticle 24 §1-
Security attestation of free and open-source software
身分証明書必要条件参考コメントチェック
2

For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity.

Article 13 §5Requirement for manufacturers
1In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.Article 25As of 12.2024 - no delegated act has been published
当局とのコミュニケーション
身分証明書必要条件参考コメントチェック
7The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.Article 24 §3-
1The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements.Article 24 §3-
2

A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA.

Article 14 §1only applicable if the steward is involved in commercial product development
3

第1項の届出のために、製造者は以下の書類を提出しなければならない:

Article 14 §2only applicable if the steward is involved in commercial product development
4

(a) 活発に悪用されている脆弱性について、過度の遅滞なく、いかなる場合でも製造者がそれを認識してから24時間以内に、早期警告通知を行うこと;

Article 14 §2 (a)only applicable if the steward is involved in commercial product development
5

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 §2 (b)only applicable if the steward is involved in commercial product development
6

(c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

Article 14 §2 (c)only applicable if the steward is involved in commercial product development
8

A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA.

Article 14 §3only applicable if the steward is involved in commercial product development
9

第3項の届出のために、製造者は以下を提出しなければならない:

Article 14 §4only applicable if the steward is involved in commercial product development
10

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

Article 14 §4 (a)only applicable if the steward is involved in commercial product development
11

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

Article 14 §4 (b)only applicable if the steward is involved in commercial product development
12

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures.

Article 14 §4 (c)only applicable if the steward is involved in commercial product development
13

For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where:

Article 14 §5only applicable if the steward is involved in commercial product development
14

(a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

Article 14 §5 (a)only applicable if the steward is involved in commercial product development
15

(b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements

Article 14 §5 (b)only applicable if the steward is involved in commercial product development
16

After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

Article 14 §8only applicable if the steward is involved in commercial product development
デジタル要素を含む製品の輸入業者

念のため付言しておくと、CRAはデジタル要素を含む製品の輸入者を「域外に設立された自然人または法人の名称または商標が付されたデジタル要素を含む製品を市場に出す、域内に設立された自然人または法人」と定義している。

Important: Importers who import products with digital elements under their own trademarks または substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:

  • Conducting risk assessments.
  • Determining the support period.
  • Handling vulnerabilities.
  • Notifying authorities about security incidents.
  • Drawing up technical documentation.
  • Affixing the CE marking.

 

* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.

⚠️ These importers should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

一般要件
身分証明書必要条件参考チェック
1Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.article 19(1)
2Before placing a product with digital elements on the market, importers shall ensure that:article 19(2)
3

the appropriate conformity assessment procedures (modules A, B, C or H) have been carried out by the manufacturer;

article 19(2) (a)
4

the manufacturer has drawn up the technical documentation;

article 19(2) (b)
5

the product with digital elements bears the CE marking and is accompanied by the EU declaration of conformity and the information and instructions to the user in a language which can be easily understood by users and market surveillance authorities;

article 19(2) (c)
6

the manufacturer has complied with the requirements set out in Article 13(15 - product can be identified with a batch number or similar), (16 - manufacturers' contact information) and (19 - end of support period).

article 19(2) (d)
7Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.article 19(6)
製品要件
身分証明書必要条件参考チェック
1Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.article 19 (4)
報告要件
身分証明書必要条件参考チェック
1Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.article 19(8)
2Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.article 19(7)
4Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.
Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.		article 19(5)
3Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.
Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).		article 19(3)
デジタル要素を含む製品の販売業者

念のため付言しておくと、CRAはデジタル要素を含む製品の販売業者を「製造業者または輸入業者以外のサプライチェーンに属する自然人または法人で、デジタル要素を含む製品をその特性に影響を与えることなく連合市場で入手可能にする者」と定義している(第3条(17))。

Important: Distribors who distribute products with digital elements under their own trademarks または substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:

  • Conducting risk assessments.
  • Determining the support period.
  • Handling vulnerabilities.
  • Notifying authorities about security incidents.
  • Drawing up technical documentation.
  • Affixing the CE marking.

 

* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.

⚠️ These distributors should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

一般要件
身分証明書必要条件参考チェック
1デジタル要素を含む製品を市場に流通させる場合、販売業者は、本規則に規定される要件に関連して十分な注意を払って行動するものとする。article 20(1)
2Before making a product with digital elements available on the market, distributors shall verify that:article 20(2)
3

the product with digital elements bears the CE marking;

article 20(2) (a)
4

the manufacturer and the importer have complied with the obligations set out in Article 13(15 - product can be identified with a batch number or similar), (16 - manufacturers' contact information), (18 - products are sold will all required documentation), (19 - end of support period), and (20 - EU Declaration of Conformity) and Article19(4 - importer has provided their contact information on the product), and have provided all necessary documents to the distributor.

article 20(2) (b)
報告要件
身分証明書必要条件参考チェック
1Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.article 20(3)
2Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.
デジタル要素を含む製品に脆弱性があることを知った場合、販売業者はその脆弱性について過度な遅滞なく製造業者に通知するものとする。さらに、デジタル要素付き製品が重大なサイバーセキュリティ・リスクをもたらす場合、販売業者は、デジタル要素付き製品を市場に提供している加盟国の市場監視当局に直ちにその旨を通知し、特に、コンプライアンス違反の詳細および講じられた是正措置について報告しなければならない。		article 20(4)
3Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the marketarticle 20(5)
4デジタル要素を有する製品の販売業者が、その保有する情報に基づき、当該製品の製造業者が操業を停止し、その結果、本規則に定める義務を遵守することができないことを認識した場合、当該販売業者は、当該市場監視当局に対し、過度の遅滞なく、当該状況を通知するとともに、利用可能なあらゆる手段により、かつ、可能な限り、市場に置かれたデジタル要素を有する製品の使用者にも通知しなければならない。article 20(6)
再販業者/その他の経済主体

CRAは「再販業者」という用語を直接定義しておらず、その代わりに「経済事業者」という用語の定義、特に定義の後半に注目する必要がある、 デジタル要素を含む製品の製造または本規則に従った製品の市販に関連して義務を負う自然人または法人第3条(12)。

Important: Resellers who resell products with digital elements under their own trademarks または substantially modify* existing products are to be considered to be a manufacturer for the purposes of the CRA and shall assume the full set of responsibilities and obligations outlined in Articles 13 and 14 for manufacturers, ensuring the product meets the CRA’s requirements:

  • Conducting risk assessments.
  • Determining the support period.
  • Handling vulnerabilities.
  • Notifying authorities about security incidents.
  • Drawing up technical documentation.
  • Affixing the CE marking.

 

* “Substantial modification” refers to changes that affect the product’s compliance with the essential cybersecurity requirements or alter its intended purpose.

⚠️ These resellers should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

Case when an economic operator becomes a manufacturer
身分証明書必要条件参考チェック
1A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.article 22(1)
2The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 (obligations of the manufacturer) and 14 (reporting obligations) for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.article 22(2)
報告要件
身分証明書必要条件参考チェック
1Economic operators shall, on request, provide the market surveillance authorities with the following information:article 23(1)
2

the name and address of any economic operator who has supplied them with a product with digital elements;

article 23(1) (a)
3

where available, the name and address of any economic operator to whom they have supplied a product with digital elements.

article 23(1) (b)
4Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.article 23(2)

CRAコンプライアンスコスト計算ツールを活用する →

コンプライアンス予算を確認する