EU digital legislation

CRA-Update – Episode 8: The conformity assessment procedure

In order to demonstrate the conformity of products with digital elements with the requirements of the proposed Cyber Resilience Act (CRA-E), manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 24 (1) CRA-E.

For this purpose, the CRA-E basically provides for three different types of procedures, for each of which information can be found in Annex VI. The procedures mentioned there are based on Decision 768/2008/EC, which aims to establish a common framework for legislation harmonizing the conditions for the marketing of products and provides for conformity assessment procedures for this purpose.

According to Recital 45 CRA-E, the internal control procedure is the standard case for conformity assessment. However, the manufacturer may voluntarily choose a more stringent procedure involving a third party. If a critical product of class I (e.g., a browser or password manager) is the subject of the conformity assessment procedure, the manufacturer shall use cybersecurity certification schemes in accordance with Regulation (EU) 2019/881 and perform the conformity assessment under its own responsibility or, alternatively, complete the EU-type examination procedure with third-party involvement or a conformity assessment based on full quality assurance. The latter alternatives are mandatory when dealing with critical products of class II (e.g. operating systems or firewalls).

 

1. Internal control procedure, Art. 24 (1) (a) CRA-E

With the internal control procedure, the manufacturer independently demonstrates that the product with digital elements and the measures it has taken to mitigate vulnerabilities comply with the requirements in Annex I. This evidence also covers the obligation to ensure an appropriate level of cybersecurity, commensurate with the risks, already in the design, development and manufacturing phases. To this end, the manufacturer must carry out a general risk analysis of its product with digital elements in advance and document it as part of the technical documentation.

Furthermore, this internal conformity procedure proves that the manufacturer has created the technical documentation in accordance with Annex V. Finally, the manufacturer issues a written EU declaration of conformity within the meaning of Art. 20 CRA-E for the tested product with digital elements and affixes the CE marking to it. By issuing the EU declaration of conformity, the manufacturer assumes responsibility for the conformity of the product in accordance with Art. 20 (4) CRA-E.

 

2. EU-type examination procedure, Art. 24 (1) (b) CRA-E

The EU-type examination procedure is divided into two different procedural stages.

First, a notified body examines the technical design and development of the product with digital elements and the procedures defined by the manufacturer for dealing with vulnerabilities, and checks their conformity with the requirements of Annex I. This examination is carried out on the basis of the technical documentation and other evidence (e.g., test results from laboratories and samples of parts of the product). In the process, the product itself is technically examined, which can take place, for example, directly at the manufacturer's premises. Afterwards, the test results are reported and an EU-type examination certificate is issued.

In the second procedural step (conformity to EU-type based on internal production control), the manufacturer verifies that the products concerned conform to the type described in the EU-type examination certificate and meet the requirements of Annex I, Section 1. If this is the case, the manufacturer issues a written declaration of conformity and affixes the CE marking to the product.

 

3. Conformity assessment based on full quality assurance, Art. 24 (1) (c) CRA-E

In this conformity assessment procedure, the manufacturer first implements a quality assurance system and applies to a notified body for the assessment of this system with regard to the products with digital elements concerned.

The quality assurance system shall demonstrate the conformity of the product with digital elements and the vulnerability handling processes with the requirements in Annex I.

This procedure is particularly appropriate for mass-produced products, because the quality assurance system ensures the conformity of the whole product series with the requirements of the CRA-E. The quality system includes quality programs, plans, manuals and quality-related records.

A special feature of this procedure is that the notified body continuously monitors the quality system through periodic audits and is informed by the manufacturer of any changes to the system and must approve them. The manufacturer must also allow the notified body access to the facilities for assessment purposes.

The manufacturer is responsible for issuing a written declaration of conformity and affixing a CE marking for each product model.

 

4. Exclusion from the obligation to carry out a conformity assessment procedure

However, there are also products with digital elements for which a conformity assessment procedure need not be carried out. According to Art. 18 (1) CRA-E, conformity with the CRA-E is presumed if a product with digital elements and the processes put in place by the manufacturer comply with harmonized standards published in the Official Journal of the European Union and meet the requirements of those standards. According to Art. 18 (2) CRA-E, the same applies to products and processes which comply with the common specifications referred to in Art. 19 CRA-E.

Products with digital elements for which an EU declaration of conformity or a cybersecurity certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall also be presumed to conform to the requirements set out in Annex I. The European Commission may adopt implementing acts to determine which cybersecurity certifications may be used as evidence and whether such a certification exempts manufacturers from the obligation under Art. 24 (2) and (3) CRA-E to conduct a third-party conformity assessment.

 

Practical recommendations:

Since the conformity assessment procedures bring further requirements for manufacturers, they should familiarize themselves with the requirements in Art. 24 CRA-E and Annex VI and begin setting up the processes needed to meet them.

Since importers must also ensure that manufacturers have carried out the appropriate conformity assessment procedures according to Art. 24 CRA-E, and even a distributor may not make such a product available on the market if there are doubts about its conformity, we suggest that these economic operators also engage with the requirements of the regulation at an early stage.

 

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Associate
Alexander Weiss

CRA-Update

CRA-Update – Episode 11: Final draft of the CRA – Overview on the most relevant amendments

On October 10, 2024, the Council of Ministers adopted the final draft of the Cyber Resilience Act (CRA). The regulation will soon be published in the Official Journal of the European Union and will then enter into force the following day.

We have taken a look at the current text of the regulation and compared it with the European Commission's original draft. We have listed the most important changes for you below.

CRA-Update – Episode 10: Penalties under the CRA-E

With the proposed Cyber Resilience Act (CRA-E), the European Commission has set itself the goal of strengthening the security of products with digital elements with horizontal legal requirements in order to better protect the European internal market from growing cyber threats. Concerning this matter, the regulation contains a large number of obligations that apply to all economic operators in a product supply chain, namely manufacturers, importers and distributors.

CRA-Update – Episode 9: Surveillance authorities

The Commission's draft for the Cyber Resilience Act (CRA-E) mentions different authorities with different tasks for monitoring and compliance with the standards of the regulation.

CRA-Update – Episode 7: What are vulnerability handling processes put in place by manufacturers and when are they compliant under the CRA?

According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E) this regulation should also include provisions for vulnerability handling processes put in place by manufacturers. The purpose of these processes is to ensure the cybersecurity of products with digital elements during the whole life cycle.

CRA-Update – Episode 6: When is a product with digital elements in conformity with the requirements of the CRA-E?

The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.

 

CRA-Update – Episode 5: What are the obligations of the distributor under the CRA-E?

Being the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.

According to the definition in Art. 3 (21) CRA-E, a (legal) person can only fall under the term of the distributor if it makes a product with digital elements available on the Union market without affecting its properties and without being already qualified as a manufacturer or importer.

CRA-Update – Episode 4: What are the obligations of the importer under the CRA-E?

The role of the importer becomes relevant under the proposed Cyber Resilience Act (CRA-E) when it makes available on the Union market, for the first time, a product with digital elements bearing the name or trademark of a (legal) person established outside the European Union.

CRA-Update – Episode 3: What are the obligations of the manufacturer under the CRA-E?

In comparison to the other economic operators, the manufacturer is subject to the most comprehensive obligations of the proposed CRA (CRA-E). This is probably because the manufacturer significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks. The specific obligations for manufacturers are set out in Art. 10 and 11 of the proposed CRA.

CRA-Update – Episode 2: Who falls within the scope of the proposed CRA?

According to section II of the proposed CRA, the regulation will apply to so-called economic operators such as manufacturers, authorised representatives, importers and distributors of products with digital elements.

CRA-Update – Episode 1: Which products fall within the scope of the proposed CRA?

The current proposal for a new European Cyber Resilience Act, published by the European Commission on 15 September 2022 (CRA), applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (see recital 7 and Art. 2 (1) of the proposed CRA).