Summary
The Cyber Resilience Act (CRA) emphasizes the importance of transparency and explainability in the cybersecurity of digital products. It requires manufacturers to provide clear and accessible information about their products’ cybersecurity features, risk assessments, and vulnerability handling processes. This enhances trust and accountability among users and stakeholders.
Relevant CRA Provisions
Detailed Explanation
The CRA introduces several provisions aimed at enhancing transparency and explainability in manufacturers’ cybersecurity practices. Recital (57) highlights the need for manufacturers to ensure that new security updates are provided separately from functionality updates where technically feasible. Recital (55) requires manufacturers to include a clear justification in the cybersecurity risk assessment if certain essential cybersecurity requirements are not applicable to a product. Article 53 grants market surveillance authorities access to the data and documentation they need to assess product conformity with the cybersecurity requirements. Article 63 mandates confidentiality of sensitive information while allowing the necessary exchanges between authorities. Article 31 specifies the content of the technical documentation, which must include detailed information on the product’s design, development, production, and vulnerability handling processes. Annex I sets out the essential cybersecurity requirements, and Annex VII details the content of the technical documentation.
Obligations for Stakeholders
Manufacturers: Must ensure transparency in their cybersecurity practices by providing clear and accessible information about their products’ cybersecurity features, risk assessments, and vulnerability handling processes. They must separate security updates from functionality updates where technically feasible, justify the non-applicability of any essential cybersecurity requirements in the risk assessment, and maintain comprehensive technical documentation.
Market Surveillance Authorities: Have the right to access the data and documentation they need from manufacturers to assess product conformity with the cybersecurity requirements, ensuring that manufacturers meet their transparency and explainability obligations.