Summary

The EU Cyber Resilience Act (CRA) mandates that manufacturers of products with digital elements maintain detailed technical documentation to ensure compliance with essential cybersecurity requirements. This documentation must be comprehensive, continuously updated, and accessible to market surveillance authorities upon request.

Relevant CRA Provisions

Detailed Explanation

The CRA requires manufacturers to prepare and maintain technical documentation that demonstrates how their products with digital elements comply with the essential cybersecurity requirements outlined in Annex I. This documentation must include a general description of the product, details of the design, development, and production processes, an assessment of cybersecurity risks, and information on the support period. It should also contain reports of tests verifying conformity with the requirements, a copy of the EU declaration of conformity, and, where applicable, the software bill of materials.

For microenterprises and small enterprises, the CRA provides a simplified technical documentation form to reduce administrative burdens while ensuring cybersecurity protection. This form allows these entities to provide the required information in a more concise manner.

Market surveillance authorities have the right to access this documentation upon a reasoned request to assess compliance with the CRA’s requirements. The documentation must be provided in a language easily understood by the authorities.

Obligations for Stakeholders

Manufacturers:

  • Prepare and maintain comprehensive technical documentation in accordance with Annex VII before placing the product on the market and update it as necessary.
  • Ensure the documentation is available in an official language of the Member State or a language acceptable to the notified body.
  • Provide market surveillance authorities with access to the documentation upon request.
  • Use a simplified technical documentation form if they are a microenterprise or small enterprise.
  • Keep the technical documentation and EU declaration of conformity available for at least 10 years after the product is placed on the market or for the support period, whichever is longer.

Market Surveillance Authorities:

  • Request and access technical documentation from manufacturers to assess compliance with the CRA.
  • Ensure that the documentation is provided in a language they can easily understand.

Member States:

  • Support microenterprises and small enterprises through awareness-raising, training, communication channels, and testing activities.
  • Establish cyber resilience regulatory sandboxes to facilitate the development and testing of innovative products.