Annexes to the

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ON HORIZONTAL CYBERSECURITY REQUIREMENTS FOR PRODUCTS WITH DIGITAL ELEMENTS

AND AMENDING REGULATIONS (EU) NO 168/2013 AND (EU) 2019/1020 AND DIRECTIVE (EU) 2020/1828

(CYBER RESILIENCE ACT)

ANNEX I
ESSENTIAL REQUIREMENTS

Part I – Cybersecurity requirements relating to the properties of products with digital elements

(1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks;

(2) On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

(a) be made available on the market without known exploitable vulnerabilities;

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

(d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

(f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

(i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;

(j) be designed, developed and produced to limit attack surfaces, including external interfaces;

(k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;

(l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions;

(m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

Part II – Vulnerability handling requirements

Manufacturers of products with digital elements shall:

(1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;

(2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;

(3) apply effective and regular tests and reviews of the security of the product with digital elements;

(4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities;

(5) put in place and enforce a policy on coordinated vulnerability disclosure;

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

ANNEX II
INFORMATION AND INSTRUCTIONS TO THE USER

As a minimum, the product with digital elements shall be accompanied by:

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

3. name and type and any additional information enabling the unique identification of the product with digital elements;

4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product's essential functionalities and information about the security properties;

5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;

6. where applicable, the internet address at which the EU declaration of conformity can be accessed;

7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;

8. detailed instructions or an internet address referring to such detailed instructions and information on:

(a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use;

(b) how changes to the product with digital elements can affect the security of data;

(c) how security-relevant updates can be installed;

(d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed;

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

(f) where products with digital elements are intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII.

9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.

ANNEX III
IMPORTANT PRODUCTS WITH DIGITAL ELEMENTS

Class I

1. Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

2. Standalone and embedded browsers

3. Password managers

4. Software that searches for, removes, or quarantines malicious software

5. Products with digital elements with the function of virtual private network (VPN)

6. Network management systems

7. Security information and event management (SIEM) systems

8. Boot managers

9. Public key infrastructure and digital certificate issuance software

10. Physical and virtual network interfaces

11. Operating systems

12. Routers, modems intended for the connection to the internet, and switches

13. Microprocessors with security-related functionalities

14. Microcontrollers with security-related functionalities

15. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities

16. Smart home general purpose virtual assistants

17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

18. Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council that have social interactive features (e.g. speaking or filming) or that have location tracking features

19. Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply, or personal wearable products that are intended for the use by and for children

Class II

1. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments

2. Firewalls, intrusion detection and prevention systems

3. Tamper-resistant microprocessors

4. Tamper-resistant microcontrollers

ANNEX IV
CRITICAL PRODUCTS WITH DIGITAL ELEMENTS

1. Hardware Devices with Security Boxes

2. Smart meter gateways within smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944 of the European Parliament and of the Council and other devices for advanced security purposes, including for secure cryptoprocessing

3. Smartcards or similar devices, including secure elements

ANNEX V
EU DECLARATION OF CONFORMITY

The EU declaration of conformity referred to in Article 28 shall contain all of the following information:

1. Name and type and any additional information enabling the unique identification of the product with digital elements

2. Name and address of the manufacturer or its authorised representative

3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

4. Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

5. A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

6. References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

7. Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

8. Additional information:

Signed for and on behalf of:…………………………………

(place and date of issue):

(name, function) (signature):

ANNEX VI
SIMPLIFIED EU DECLARATION OF CONFORMITY

The simplified EU declaration of conformity referred to in Article 13(20) shall be provided as follows:

Hereby, … [Name of manufacturer] declares that the product with digital elements type … [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/…+.

The full text of the EU declaration of conformity is available at the following internet address: …

ANNEX VII
CONTENTS OF THE TECHNICAL DOCUMENTATION

The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements:

1. a general description of the product with digital elements, including:

(a) its intended purpose;

(b) versions of software affecting compliance with essential cybersecurity requirements;

(c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout;

(d) user information and instructions as set out in Annex II;

2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including:

(a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;

(b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

(c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

4. relevant information that was taken into account to determine the support period referred to in Article 13(8) of the product with digital elements;

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

7. a copy of the EU declaration of conformity;

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.

ANNEX VIII
CONFORMITY ASSESSMENT PROCEDURES

Part I Conformity assessment procedure based on internal control (based on module A)

1. Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. Technical documentation

The manufacturer shall draw up the technical documentation described in Annex VII.

3. Design, development, production and vulnerability handling of products with digital elements

The manufacturer shall take all measures necessary so that the design, development, production and vulnerability handling processes and their monitoring ensure compliance of the manufactured or developed products with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Parts I and II of Annex I.

4. Conformity marking and declaration of conformity

4.1. The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements set out in this Regulation.

4.2. The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.

5. Authorised representative

The manufacturer’s obligations set out in point 4 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.

Part II EU-type examination (based on module B)

1. EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).

3. The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice.

The application shall include:

3.1 the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

3.2 a written declaration that the same application has not been lodged with any other notified body;

3.3 the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;

3.4 the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.

4. The notified body shall:

4.1. examine the technical documentation and supporting evidence to assess the adequacy of the technical design and development of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the vulnerability handling processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I;

4.2. verify that the specimen(s) have been developed or manufactured in conformity with the technical documentation, and identify the elements which have been designed and developed in accordance with the applicable provisions of the relevant harmonised standards or technical specifications, as well as the elements which have been designed and developed without applying the relevant provisions of those standards;

4.3. carry out appropriate examinations and tests, or have them carried out, to check whether, where the manufacturer has chosen to apply the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I, these have been applied correctly;

4.4. carry out appropriate examinations and tests, or have them carried out, to check that, where the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I have not been applied, the solutions adopted by the manufacturer meet the corresponding essential cybersecurity requirements;

4.5. agree with the manufacturer on a location where the examinations and tests will be carried out.

5. The notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.

6. Where the type and the vulnerability handling processes meet the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, the conditions (if any) for its validity and the necessary data for identification of the approved type and vulnerability handling processes. The certificate may have one or more annexes attached.

The certificate and its annexes shall contain all relevant information to allow the conformity of manufactured or developed products with digital elements with the examined type and vulnerability handling processes to be evaluated and to allow for in-service control. Where the type and the vulnerability handling processes do not satisfy the applicable essential cybersecurity requirements set out in Annex I, the notified body shall refuse to issue an EU-type examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.

7. The notified body shall keep itself apprised of any changes in the generally acknowledged state of the art which indicate that the approved type and the vulnerability handling processes may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.

The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.

8. The notified body shall carry out periodic audits to ensure that the vulnerability handling processes as set out in Part II of Annex I are implemented adequately.

9. Each notified body shall inform its notifying authorities concerning the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.

Each notified body shall inform the other notified bodies concerning the EU-type examination certificates and any additions thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, concerning the certificates and additions thereto which it has issued. The Commission, the Member States and the other notified bodies may, on request, obtain a copy of the EU-type examination certificates and any additions thereto. On request, the Commission and the Member States may obtain a copy of the technical documentation and the results of the examinations carried out by the notified body. The notified body shall keep a copy of the EU-type examination certificate, its annexes and additions, as well as the technical file including the documentation submitted by the manufacturer, until the expiry of the validity of the certificate.

10. The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

11. The manufacturer's authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.

Part III Conformity to type based on internal production control (based on module C)

1. Conformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. Production

The manufacturer shall take all measures necessary so that the production and its monitoring ensure conformity of the manufactured products with digital elements with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements as set out in Part I of Annex I and ensures that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

3. Conformity marking and declaration of conformity

3.1. The manufacturer shall affix the CE marking to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements set out in this Regulation.

3.2. The manufacturer shall draw up a written declaration of conformity for a product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.

4. Authorised representative

The manufacturer’s obligations set out in point 3 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.

Part IV Conformity based on full quality assurance (based on module H)

1. Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.

2. Design, development, production and vulnerability handling of products with digital elements

The manufacturer shall operate an approved quality system as specified in point 3 for the design, development, final product inspection and testing of the products with digital elements concerned and for the handling of vulnerabilities, shall maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4.

3. Quality system

3.1. The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned.

The application shall include:

(a) the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

(b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;

(c) the documentation concerning the quality system; and

(d) a written declaration that the same application has not been lodged with any other notified body.

3.2. The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I.

All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. The quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records.

It shall, in particular, contain an adequate description of:

(a) the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;

(b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;

(c) the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;

(d) the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;

(e) the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;

(f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;

(g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;

(h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.

3.3. The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2. It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification. In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements set out in this Regulation. The audit shall include an assessment visit to the manufacturer's premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1 (b), to verify the manufacturer's ability to identify the applicable requirements set out in this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements.

The manufacturer or its authorised representative shall be notified of the decision.

The notification shall contain the conclusions of the audit and the reasoned assessment decision.

3.4. The manufacturer shall undertake to fulfil the obligations arising from the quality system as approved and to maintain it so that it remains adequate and efficient.

3.5. The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.

The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. It shall notify the manufacturer of its decision.

The notification shall contain the conclusions of the examination and the reasoned assessment decision.

4. Surveillance under the responsibility of the notified body

4.1. The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising from the approved quality system.

4.2. The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:

(a) the quality system documentation;

(b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;

(c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.

4.3. The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report.

5. Conformity marking and declaration of conformity

5.1. The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter's identification number to each individual product with digital elements that satisfies the requirements set out in Part I of Annex I.

5.2. The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.

6. The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:

(a) the technical documentation referred to in point 3.1;

(b) the documentation concerning the quality system referred to in point 3.1;

(c) the change referred to in point 3.5, as approved;

(d) the decisions and reports of the notified body referred to in points 3.5 and 4.3.

7. Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.

Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued.

8. Authorised representative

The manufacturer’s obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
