In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?
In line with Article 13(5), manufacturers can integrate various types of components, including components that have not been placed on the market or that have been placed on the market before the CRA applies, provided that they exercise due diligence to ensure that the component does not compromise the cybersecurity of their own product with digital elements.
The manufacturer does not need to bring such components into compliance with the essential requirements set out in Annex I, Part I, before integrating them.[1]
Nonetheless, the manufacturer needs to ensure that its own products with digital elements are secure and meet the CRA essential requirements, and due diligence is a key obligation to meet those requirements. The manufacturer is also required to comply with the vulnerability handling obligations of Annex I, Part II, for the duration of the support period, for its products in their entirety.
Integration of components that bear the CE marking may simplify certain obligations (e.g. see entry 4.3.6, "How should vulnerabilities in integrated components be addressed and remediated?") but is not required by the CRA.
[1] Manufacturers of such components are required to ensure they are compliant with the CRA, if they place them on the market.
Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.