EU CRA checklist - NFHN Reader

Check your readiness with this quick checklist, which is based solely on primary document of EU CRA PE-CONS 100/1/23 REV 1.

Article 13: Obligations for manufacturers

Product has been designed, developed and produced in accordance with the essential cybersecurity requirements

Perform a risk assessment. (?)For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.

Document the risk assessment,document how essential architectural requirements are satisfied
Perform due diligence when integrating 3rd party and open source components
Upon detecting vulnerabilities, report to the supplier or developer of the system. (?)Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component.
Document relevant system aspects related to security, including vulnerabilities. Update the risk assessment when needed
Vulnerability handling requirements are implemented as per Annex I part 2.
Provide security updates which were made available during the supported period, for 10 years or longer. (?)Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer
Product technical documentation as per article 31
Keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for 10 years, or longer if product remains in supported.
Remain in conformity with CRA regulation during product life cycle, take into account design changes and changes to harmonized standards.
Products with digital elements should bear a type, batch or serial number or other element allowing their identification. If unfeasable, provide information on packaging or other document.
Provide point of contact for the users (?) Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.
Provide instructions to the user, in paper or electronic forms.
End of support date is specified at the time of purchase.
Provide EU declaration of conformity
Upon discovery of non-compliance to Essential requirements, manufacturer will immediately take corrective action, or withdraw/recall the product form the market.
Upon request from market surveillance authority, manufacturer shall provide all the documentation and information necessary to demonstrate the conformity. Manufacturer shall cooperate with the authority to eliminate the cybersecurity risks posed by the product.
Before cessation of activities, manufacturer shall inform relevant market authorities and users about the cessation of operations.
SBOM

The commission may specify a format and elements of Software Bill of Materials (SBOM). (?)The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Market surveillance authorities may request manufacturers of such categories of products with digital elements to provide the relevant software bills of materials

Essential Cybersecurity Requirements

Architecture

Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks
Product shall be made available on the market without known exploitable vulnerabilities.
Be made available on the market with a secure by default configuration, including a the possiblity to revert to default configuration.
Ensure that vulnerabilities can be addressed through security updates.
Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.
Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques
Security monitoring and logging
Data wipe, portability and transfer.

Vulnerability handling

Identify and document vulnerabilities and components in the products, including a SBOM
Apply effective and regular tests and reviews of the security of the product
Address and remediate vulnerabilities without delay, including by providing security updates.
Share and publicly disclose information about fixed vulnerabilities, once security update is made.
Put in place and enforce a policy on coordinated vulnerability disclosure
Facilitate the sharing of information about potential vulnerabilities in the product amnd its third party components.
Provide mechanisms to securely distribute updates.
Ensure that security updates are disseminated without delay.

Technical documentation

The below documentation should be produced if you are meeting Essential Requirements. While repetetive, these documents are meant for the relevant EU authorities. Make sure your processes are not only followed, but also produce the right artifacts.
The documentation shall contain at least the following information:

General description of the product

Versions of software affecting compliance with essential cybersecurity requirements.

For hardware products - photographs or illustrations showing external features, markings and internal layout.

User information and instructions as set out in Annex II.
Description of the design, development and production of the product and vulnerability handling processes including:

Information on design, and development, where applicable, drawings and schemes, description of system architecture explaining how software components build on or feed into eac hother and integrate into the overall processing.

Specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates

Information of the production and monitoring processes of the product.
An assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained according to Article 13 (Obligations of Manufacturers), including how essential cybersecurity requirements are applicable.
Relevant information that was taken into account to determine the support period.
A list of harmonised standards applied in full or in part, which have been published in the Official Journal of the European Union or European cybersecurity certification schemes, descriptions of the solutions adopted to meet the essential cybersecurity requirements, including a list of other relevant technical specifications applied
Reports of the tests carried out to verify conformity of the product, and vulnerability handling processes as per essential cybersecurity requirements.
A copy of the EU declaration of conformity.
Where applicable, SBOM, further to a reasoned request from a market surveillance authority provided that it is necessary in order for the authority to check compliance against essential cybersecurity requirements.