CRA FAQ

When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I (Article 13(1))

For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity (Article 13(5))

When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in this Regulation, exercise due diligence with regard to those components, including free and open-source software components that have not been made available on the market. The appropriate level of due diligence depends on the nature and the level of cybersecurity risk associated with a given component, and should, for that purpose, take into account one or more of the following actions: verifying, as applicable, that the manufacturer of a component has demonstrated conformity with this Regulation, including by checking if the component already bears the CE marking; verifying that a component receives regular security updates, such as by checking its security updates history; verifying that a component is free from vulnerabilities registered in the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible vulnerability databases; or carrying out additional security tests […] (Recital 34)

Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates one or several components sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers of those components have demonstrated conformity with this Regulation by checking, for instance, if the components already bear the CE marking. This may be the case where the components have been integrated before this Regulation becomes applicable to the manufacturers of those components. In such a case, a manufacturer integrating such components should exercise due diligence through other means (Recital 35)

In order to ensure that their product with digital elements meets the essential requirements of the CRA, manufacturers are to exercise due diligence when they integrate third-party components in their products.

Manufacturers can integrate different types of components, including those that do not bear the CE marking (e.g. free and open-source components that do not fall in the scope of the CRA, components placed on the market before the CRA applies, or components that have not been placed on the market), but they must ensure that such components do not compromise the cybersecurity of their products with digital elements.

When integrating components that bear the CE marking, manufacturers are able to rely on the component’s EU declaration of conformity and accompanying documentation to support their own compliance with the CRA.

The appropriate level of due diligence depends on the nature and level of cybersecurity risk of a given component – see also entry on 4.4.2 What is the appropriate level of due diligence?

The appropriate level of due diligence depends on the nature and level of cybersecurity risk of a given component and is aimed at ensuring that the components that are integrated do not compromise the cybersecurity of the manufacturer’s product with digital elements. The risk assessment of the product with digital elements also informs the appropriate level of due diligence. Where a component or a product is associated with more risks, the actions that a manufacturer should put in place while exercising due diligence should be more extensive than for a component or product associated with fewer risks. In line with Recital 34, examples of one or more actions that manufacturers may undertake include:

• checking if the component already bears the CE marking;
• verifying that a component receives regular security updates, such as by checking its security updates history;
• verifying in the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible vulnerability databases the vulnerabilities applicable to a component and designing, developing and manufacturing the product with digital elements integrating the component in such a way that these vulnerabilities do not compromise the cybersecurity of the product with digital elements;
• carrying out additional security tests, such as fuzz testing, penetration testing, firmware analysis, side-channel analysis, red-team exercises, network traffic analysis, sensor spoofing.

Additional examples of actions that manufacturers may undertake include:

• performing software composition analysis on components;
• sandboxing or isolating highly-critical components;
• when available, reviewing the SBOM of that component;
• checking the support period of the component;
• verifying that the intended purpose of the component fits the integrating manufacturer’s use;
• assessing the security posture of the component’s manufacturer.

In line with Article 13(5), manufacturers can integrate various types of components, including components that have not been placed on the market or that have been placed on the market before the CRA applies, provided that it exercises due diligence to ensure that the component does not compromise the cybersecurity of its own product with digital elements.

The manufacturer does not need to bring such components into compliance with the essential requirements set out in Annex I, part I, before integrating them.^[1]

Nonetheless, the manufacturer needs to ensure that its own products with digital elements are secure and meet the CRA essential requirements, and due diligence is a key obligation to meet those requirements. The manufacturer is also required to comply with the vulnerability handling obligations of Annex I, Part II, for the duration of the support period, for their products in their entirety.

Integration of components that bear the CE marking may simplify certain obligations (e.g. see entry 4.3.6 How should vulnerabilities in integrated components be addressed and remediated?) but is not required by the CRA.

Manufacturers are allowed to integrate open-source components that are not in scope of the CRA (i.e. because they are not made available on the market in the course of a commercial activity), as well as open-source components that are published by an open-source software steward.

As explained in 4.4.2 What is the appropriate level of due diligence?, the appropriate level of due diligence is dependent on the nature and level of cybersecurity risk of a given open-source component.

The Commission is empowered to establish voluntary security attestations programmes that can be used to assess the conformity of free and open-source components with the CRA. Where available, such attestation programmes would facilitate manufacturers’ due diligence obligation.