Summary

The EU Cyber Resilience Act (CRA) provides various conformity assessment procedures for products with digital elements, depending on the level of risk associated with the product. These procedures ensure that products meet essential cybersecurity requirements before being placed on the market.

Relevant CRA Provisions

Recital 90, Recital 91, Recital 100, Recital 101, Recital 102
Article 32, Article 35, Article 36, Article 39

Detailed Explanation

The CRA mandates that manufacturers perform conformity assessments to verify that their products with digital elements meet essential cybersecurity requirements. The type of conformity assessment required depends on the classification of the product (non-important, important class I, important class II, or critical) and whether the manufacturer applies relevant harmonized standards, common specifications, or European cybersecurity certification schemes.

For non-important products, manufacturers can use an internal control procedure (module A) or opt for a stricter third-party assessment. For important class I products, if harmonized standards are not fully applied, a third-party assessment (modules B and C or module H) is required. Important class II products must always involve a third-party assessment. Critical products must use a European cybersecurity certification scheme or, if no such scheme is available, follow the procedures for important class II products. Manufacturers of free and open-source software can use the internal control procedure if they make technical documentation public.

Obligations for Stakeholders

Manufacturers: Must perform the appropriate conformity assessment based on the product classification and applicable standards.
Conformity Assessment Bodies: Must meet specific requirements regarding independence, competence, and operational procedures. Subcontractors and subsidiaries must also fulfill these requirements.
Member States: Must notify the Commission of authorized conformity assessment bodies and ensure there is a sufficient number of such bodies by December 11, 2026.
Notifying Authorities: Must designate and monitor conformity assessment bodies, ensuring they meet the necessary requirements.