Summary

Non-EU manufacturers must adhere to specific steps and requirements to ensure their products comply with the EU Cyber Resilience Act (CRA). This includes conducting conformity assessments, appointing an EU-based representative, and ensuring ongoing compliance with cybersecurity standards.

Relevant CRA Provisions

Detailed Explanation

Non-EU manufacturers are required to ensure their products with digital elements meet the essential cybersecurity requirements outlined in the CRA. This involves conducting a thorough cybersecurity risk assessment, performing the appropriate conformity assessment procedures, and appointing an EU-based representative to act on their behalf. The representative will be responsible for ensuring compliance with the CRA and liaising with EU market surveillance authorities.

Obligations for Stakeholders

Non-EU Manufacturers:

  • Conduct a cybersecurity risk assessment in accordance with Article 13(2) and document it as per Article 13(3).
  • Perform conformity assessments using the procedures outlined in Article 32.
  • Appoint an EU-based representative to ensure compliance with the CRA and handle communications with EU authorities.
  • Ensure that the product with digital elements bears the CE marking and is accompanied by the EU declaration of conformity as per Article 28.
  • Maintain technical documentation and the EU declaration of conformity for at least 10 years after the product is placed on the market or for the support period, whichever is longer (Article 13(13)).
  • Cooperate with market surveillance authorities and provide necessary information and documentation upon request (Article 13(22)).

EU-Based Representatives:

  • Act on behalf of the non-EU manufacturer to ensure compliance with the CRA.
  • Liaise with EU market surveillance authorities and handle any compliance-related communications.
  • Ensure that the non-EU manufacturer’s products meet all CRA requirements before they are placed on the EU market.