EU CRA checklist for manufacturers

Article 13: Obligations for manufacturers

• Product has been designed, developed and produced in accordance with the essential cybersecurity requirements

  This is a branching requirement, involving risk assessment, vulnerability handling

  Perform a risk assessment. (?)For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.

  Risk assessments need to be kept current with major changes to the product, and maintained during support period (minimum 10 years)

  Document the risk assessment,document how essential architectural requirements are satisfied
• Perform due diligence when integrating 3rd party and open source components

  Ensure that these components do not compromise the cybersecurity of the product. Think SBOM and vulnerability handling requirements
• Upon detecting vulnerabilities, report to the supplier or developer of the system. (?)Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component.

  Where appropriate, share the documentation with the concerned manufacturer or software maintainer.
• Document relevant system aspects related to security, including vulnerabilities. Update the risk assessment when needed
• Vulnerability handling requirements are implemented as per Annex I part 2.

  Detailed vulnerability handling section to follow.
• Provide security updates which were made available during the supported period, for 10 years or longer. (?)Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer

  Detailed vulnerability handling section to follow.
• Product technical documentation as per article 31

  Will be detailed in separate chapter.
• Keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for 10 years, or longer if product remains in supported.
• Remain in conformity with CRA regulation during product life cycle, take into account design changes and changes to harmonized standards.
• Products with digital elements should bear a type, batch or serial number or other element allowing their identification. If unfeasable, provide information on packaging or other document.
• Provide point of contact for the users (?) Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

  For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities of the product with digital elements. The single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools
• Provide instructions to the user, in paper or electronic forms.

  User-friendly and available online for at least 10 years after the product with digital elements has been placed on the market
• End of support date is specified at the time of purchase.

  At minimum year and month has to be specified.
• Provide EU declaration of conformity

  Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.
• Upon discovery of non-compliance to Essential requirements, manufacturer will immediately take corrective action, or withdraw/recall the product form the market.
• Upon request from market surveillance authority, manufacturer shall provide all the documentation and information necessary to demonstrate the conformity. Manufacturer shall cooperate with the authority to eliminate the cybersecurity risks posed by the product.
• Before cessation of activities, manufacturer shall inform relevant market authorities and users about the cessation of operations.
• SBOM

  The commission may specify a format and elements of Software Bill of Materials (SBOM). (?)The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

  Market surveillance authorities may request manufacturers of such categories of products with digital elements to provide the relevant software bills of materials

Essential Cybersecurity Requirements

Architecture

• Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks

  Risks should be identified in risk assessment.
• Product shall be made available on the market without known exploitable vulnerabilities.

  Prepare key points and updates beforehand
• Be made available on the market with a secure by default configuration, including a the possiblity to revert to default configuration.

  Unless otherwise agreed between manufacturer and business user in relation to a tailor-made product.
• Ensure that vulnerabilities can be addressed through security updates.

  Ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them.
• Access controls

  Ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access
• Data confidentiality

  Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means.
• Data integrity

  Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions.
• Data minimisation

  Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements
• System availability

  Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
• Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.
• Limit attack surfaces

  Be designed, developed and produced to limit attack surfaces, including external interfaces, open ports, APIs, endpoints.
• Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques

  Concepts such as graceful failure, preserving vital functions in degraded mode, preserving safety functionality, limiting effects on other components.
• Security monitoring and logging

  Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
• Data wipe, portability and transfer.

  Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

Vulnerability handling

• Identify and document vulnerabilities and components in the products, including a SBOM

  Machine readable SBOM required covering at the very least the top-level dependencies.
• Apply effective and regular tests and reviews of the security of the product
• Address and remediate vulnerabilities without delay, including by providing security updates.

  Where technically feasible, new security updates shall be provided separately from functionality updates.
• Share and publicly disclose information about fixed vulnerabilities, once security update is made.

  Include a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch
• Put in place and enforce a policy on coordinated vulnerability disclosure
• Facilitate the sharing of information about potential vulnerabilities in the product amnd its third party components.

  Provide a contact address for the reporting of the vulnerabilities discovered in the product.
• Provide mechanisms to securely distribute updates.

  Ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.
• Ensure that security updates are disseminated without delay.

  The updates are free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product.

Instructions to user

• Minimum instructions and documentation

  Name, or trademark of the manufacturer, postal address, email address or other digital contact, website if available.

  The website shall provide contact for the user.

  Single point of contact for vulnerability reporting and information, public policy on coordinated vulnerability disclosure.

  Name and type or other information to uniquely identify the product.

  Intended purpose, including security environment provided by the manufacturer, products essential functionalities and information about security properties.

  Any known or foreseeable circumstances related to intended use, which may lead to significant cybersecurity risks.

  Consider documenting possible misuse, incorrect set-up, disabling security functionality or using bad practices.

  Internet address where EU declaration of conformity can be found, if applicable.

  Consider documenting possible misuse, incorrect set-up, disabling security functionality or using bad practices.

  The type of technical security support offered by the manufacturer and the end date of the support period for vulnerability handling and security updates.
• Detailed instructions and documentation

  Necessary measures for secure use during initial comissioning and throughout product lifetime.

  How changes to the product can affect security of data.

  How security-relevant updates can be installed.

  Secure decommissioning of the product, including information how to remove user data.

  How the default setting enabling automatic installation of security updates can be turned off.

  As required by Part I, point (2)(c), of Annex I for automatic updates.

  Where product is intended for integration into other products, provide necessary information for the integrator to comply with essential cybersecurity requirements of Annex I and documentation requirements of Annex VII
• If manufacturer decides to make SBOM known to the user, provide information where it can be accessed.

  For example SBOM may be shipped within a product or maintained on a website.

Technical documentation

The below documentation should be produced if you are meeting Essential Requirements. While repetetive, these documents are meant for the relevant EU authorities. Make sure your processes are not only followed, but also produce the right artifacts.
The documentation shall contain at least the following information:

• General description of the product

  Its intended purpose

  Versions of software affecting compliance with essential cybersecurity requirements.

  For hardware products - photographs or illustrations showing external features, markings and internal layout.

  User information and instructions as set out in Annex II.
• Description of the design, development and production of the product and vulnerability handling processes including:

  Information on design, and development, where applicable, drawings and schemes, description of system architecture explaining how software components build on or feed into eac hother and integrate into the overall processing.

  Specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates

  Information of the production and monitoring processes of the product.
• An assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained according to Article 13 (Obligations of Manufacturers), including how essential cybersecurity requirements are applicable.

  Part I of Annex I lists the essential requirements, also provided in detail in previous checklist.
• Relevant information that was taken into account to determine the support period.
• A list of harmosed standards applied in full or in part, which have been published in the Official Journal of the European Union or European cybersecurity certification schemes, descriptions of the solutions adopted to meet the essential cybersecurity requirements, including a list of other relevant technical specifications applied

  In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied.
• Reports of the tests carried out to verify conformity of the product, and vulnerability handling processes as per essential cybersecurity requirements.
• A copy of the EU declaration of conformity.
• Where applicable, SBOM, further to a reasoned request from a market surveillance authority provided that it is necessary in order for the authority to check compliance against essential cybersecurity requirements.