Under Article 6 of the CRA, products with digital elements must meet essential cybersecurity requirements, be properly installed, maintained, used in accordance with their intended purpose, and, where applicable, the necessary security updates must be installed.
Below is a concise overview of the obligations that apply to the various economic operators along the supply chain.
3.1. Obligations of manufacturers
Manufacturers must ensure that products to be placed on the market are designed, developed and manufactured in accordance with the ‘essential requirements’.
In order to ensure that a product complies with the essential requirements, manufacturers have to:
- Carry out a cybersecurity risk assessment that has to be included in the technical documentation of the product;
- Subject the product to a conformity assessment procedure, issue a declaration of conformity and affix the CE marking.
According to the essential requirements, products with digital elements must notably (Annex I):
- be delivered with a secure default configuration, including the possibility to reset the product to its original state;
- ensure protection against unauthorised access through appropriate control mechanisms such as authentication, identity or access management systems;
- protect the confidentiality and integrity of stored and processed data;
- work according to the principle of data minimisation;
- limit attack surfaces, including external interfaces;
- reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
- provide security-related information by recording and/or monitoring relevant internal activity;
- ensure that vulnerabilities can be addressed through security updates.
The manufacturer also has to set up a procedure for the effective treatment of vulnerabilities.
If the manufacturer has reason to believe that the product does not comply with the essential requirements of the CRA, it must take corrective action and, if necessary, withdraw the product from the market or recall it.
If the manufacturer becomes aware of an actively exploited vulnerability, it must report it to the Computer Security Incident Response Team.
3.2. Obligations of importers
Importers are responsible for ensuring that manufacturers have fulfilled their obligations before placing products on the EU market. They must also report cybersecurity risks and vulnerabilities to manufacturers and relevant authorities and may be required to take action, such as recalling products if they fail to meet security standards.
3.3. Obligations of distributors
Distributors must verify that both manufacturers and importers have fulfilled their obligations to provide the technical information and instructions and the declaration of conformity. If a distributor becomes aware of non-compliance with the essential requirements, it is required to take corrective measures or to withdraw or recall the product from the market.