What does a manufacturer need to include regarding the cybersecurity risk assessment in the technical documentation to be kept at the disposal of market surveillance authorities?
Article 13(12) and Article 31 require the manufacturer to draw up technical documentation containing all the information needed to demonstrate the conformity of the product with the applicable requirements, regardless of the conformity assessment procedure chosen. Where the manufacturer opts for a conformity assessment procedure based on a quality system, in line with Article 32, this documentation may form part of the quality system documentation. This is the case for conformity based on full quality assurance (module H, Part IV of CRA Annex VIII). The technical documentation must be available at the time the product is placed on the market, whatever its geographical origin or location.

In accordance with Article 13(4), when placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation required pursuant to Article 31 and Annex VII. After the product has been placed on the market, the manufacturer shall systematically document, in a manner proportionate to the nature of the product and its cybersecurity risks, the relevant cybersecurity aspects of the product, including vulnerabilities of which the manufacturer becomes aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment. In particular, as part of the vulnerability handling requirement in Annex I, Part II, point (3), the manufacturer must update the risk assessment following the regular tests and reviews of the security of the product whenever those tests and reviews surface relevant information about the cybersecurity of the product.
According to section 4.3 of the Blue Guide, where a product has been subject to re-designs and re-assessments of conformity, the technical documentation must reflect all versions of the product, describing the changes made, how the various versions of the product can be identified, and the information on the various conformity assessments.
In accordance with Article 53, where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.
Disclaimer
This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.