1. IoT デバイスの輸入における CRA の前提条件
EU に IoT 製品を輸入する輸入業者は、サイバーレジリエンス法 (CRA) に準拠し、製品の安全性を確保するために、以下の前提条件を満たす必要があります。
2- 必須書類
EU 域内に IoT 製品を輸入するには、輸入業者は以下の必須書類を準備する必要があります。
3- CRA 報告義務
輸入者は、IoT 製品または実装されたプロセスが概説された必須要件に準拠していないのではないかと疑う場合、以下の措置を講じる必要があります。
IoT 製品にサイバーセキュリティのリスクがある場合は、詳細な通知を通じて以下の機関に通知する必要があります。
輸入者は、IoT 製品における脆弱性を発見した場合、速やかに製造者に通知する必要があります。
IoT 製品の製造業者が義務を履行できない場合、輸入業者は以下の機関に状況を報告する必要があります。
輸入業者は、上記に関するすべての文書を 10 年間保存する必要があります。
Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.
Before placing a product with digital elements on the market, importers shall ensure that:
(a) the appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;
(b) 製造者が技術文書を作成したこと;
(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;
(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).
本項の目的のため、輸入者は本条に定める要件を満たしていることを証明する必要書類を提出できるものとする。
Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.
Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).
Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.
Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.
Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.
Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.
Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.
Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.
1. IoT デバイス配布における CRA の前提条件
これらの前提条件を満たすことで、販売業者は、EU域内でデジタル要素を含む製品のCRA準拠、安全性、サイバーセキュリティを確保する上で重要な役割を果たします。具体的には、以下の点に注意する必要があります。
2- 必須書類
EU域内でデジタル要素を含む製品を販売する場合、販売業者はCRAに基づき以下の必須文書を保有する必要があります。
3- CRA 報告義務
EU市場に出荷するデジタル要素を含む製品を取り扱う販売業者には、製品のコンプライアンスとサイバーセキュリティのリスクに関していくつかの重要な責任があります。
販売業者は、EUの必須要件を満たしていない製品を市場に出荷してはなりません。製品またはそのプロセスに不適合が見つかった場合は、販売業者は速やかに是正措置を講じる必要があります。
製造業者が事業を停止した場合、販売業者は市場監視当局に通知し、可能であれば影響を受けるユーザーに通知する必要があります。 販売業者は、サイバーセキュリティのリスクを排除するために、市場監視当局と協力する必要があります。
デジタル要素を含む製品を市場に流通させる場合、販売業者は、本規則に規定される要件に関連して十分な注意を払って行動するものとする。
Before making a product with digital elements available on the market, distributors shall verify that:
(a) デジタル要素を含む製品にCEマーキングが付されていること;
(b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article19(4), and have provided all necessary documents to the distributor.
Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.
Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.
デジタル要素を含む製品に脆弱性があることを知った場合、販売業者はその脆弱性について過度な遅滞なく製造業者に通知するものとする。さらに、デジタル要素付き製品が重大なサイバーセキュリティ・リスクをもたらす場合、販売業者は、デジタル要素付き製品を市場に提供している加盟国の市場監視当局に直ちにその旨を通知し、特に、コンプライアンス違反の詳細および講じられた是正措置について報告しなければならない。
販売業者は、市場監視当局からの合理的な要請があった場合、当該当局が容易に理解できる言語により、デジ タル要素を有する製品及びその製造者が実施したプロセスが本規則に適合していることを証明するために必要 な全ての情報及び文書を、紙媒体又は電子媒体で提供しなければならない。製造者は、当該当局の要請に応じて、当該当局が市場に提供したデジタル要素を有する製品がもたらすサイバーセキュリティ上のリスクを排除するために講じた措置について、当該当局に協力しなければならない。
デジタル要素を有する製品の販売業者が、その保有する情報に基づき、当該製品の製造業者が操業を停止し、その結果、本規則に定める義務を遵守することができないことを認識した場合、当該販売業者は、当該市場監視当局に対し、過度の遅滞なく、当該状況を通知するとともに、利用可能なあらゆる手段により、かつ、可能な限り、市場に置かれたデジタル要素を有する製品の使用者にも通知しなければならない。
経済運営者は、接続デバイスに重大な変更を加える場合、サイバーセキュリティ法を遵守する責任を負います。
ただし、以下の場合は、この責任が適用されない場合があります。
これらの責任を遵守することで、経済運営者は接続デバイスのセキュリティを確保し、消費者の安全と信頼を守ることができます。
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.
The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.
