Summary
The Cyber Resilience Act (CRA) emphasizes the critical role of third-party auditors in ensuring compliance with its provisions, particularly through conformity assessment procedures. This article outlines the importance of these auditors, their responsibilities, and considerations for stakeholders when selecting and working with them.
Relevant CRA Provisions
Recitals: Recital 98, Recital 102, Recital 101, Recital 95, Recital 91
Articles: Article 36, Article 12, Article 34
Detailed Explanation
Third-party auditors play a vital role in the enforcement of the CRA by independently assessing and certifying that products with digital elements meet the necessary cybersecurity requirements. Conformity assessment bodies must be notified by national authorities and comply with specific requirements, including independence, competence, and absence of conflicts of interest (Recital 98). These bodies may subcontract parts of their activities, but subcontractors and subsidiaries must meet the same standards (Recital 102). Accreditation is preferred to demonstrate technical competence, though national authorities may evaluate bodies themselves, provided they offer documentary evidence of compliance (Recital 101). Member States should ensure a sufficient number of notified bodies are available before the CRA’s application date, with potential support from the Commission (Recital 95). Manufacturers can conduct internal conformity assessments for certain products but must involve third parties for higher-risk products (Recital 91).
Obligations for Stakeholders
- Manufacturers: Must ensure products comply with cybersecurity requirements, either through internal control or third-party assessment, depending on the product’s risk classification. For high-risk AI systems, compliance with essential cybersecurity requirements and relevant conformity assessment procedures is mandatory (Article 12).
- Distributors and Importers: Should verify that products they place on the market have undergone appropriate conformity assessments and possess the necessary documentation.
- Open Source Software Stewards: May follow internal control procedures for conformity assessment, provided they make technical documentation publicly available (Recital 91).
- National Authorities: Responsible for designating notifying authorities, ensuring conformity assessment bodies meet required standards, and facilitating the availability of notified bodies (Article 36, Recital 95).
- Conformity Assessment Bodies: Must comply with notification requirements, maintain independence and competence, and ensure subcontractors and subsidiaries meet the same standards (Recitals 98, 102).