4.1 Risk-based approach and risk assessment

Cybersecurity risk assessment requirements

4.1.1 What does the CRA require of the manufacturer’s cybersecurity risk assessment?

Union harmonisation legislation relating to products made available on the internal market and based on the New Legislative Framework (NLF)[1] typically requires manufacturers to carry out a risk assessment, on the basis of which they implement the relevant essential requirements defined in the legislation concerned (see for instance section 4.1.1 of the Blue Guide). Those risk assessments are important documentation with which manufacturers demonstrate (e.g. to market surveillance authorities) that they have implemented adequate requirements. Manufacturers may carry out a single risk assessment covering the needs of several pieces of legislation, or individual risk assessments for each piece of legislation separately. While it is up to the manufacturer to structure its risk assessment activities, it must be in a position to demonstrate compliance with each piece of legislation individually. In accordance with the definition of a product with digital elements (Article 3(1)), the manufacturer’s cybersecurity risk assessment needs to cover the entire product with digital elements, including remote data processing where in scope and any supporting functions that may form part of the product with digital elements to be placed on the market.

Article 13(2) requires manufacturers to undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. Thus, it is important to note that the cybersecurity risk assessment covers not only the initial stages of risk identification, risk analysis and risk evaluation during the design and development phases, but also the risk treatment measures implemented through the production, delivery and maintenance phases. Furthermore, this obligation applies to manufacturers of all products with digital elements within the meaning of the CRA, irrespective of whether the product with digital elements is in the “default category”, an important or a critical product.

In accordance with Article 13(3), the cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements relating to the properties of products (set out in Part I, point (2), of Annex I) are applicable to the relevant product with digital elements, and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer has planned, designed, developed, produced, delivered and maintained the product with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks (Part I, point (1), of Annex I) and the vulnerability handling requirements (set out in Part II of Annex I).


  1. The New Legislative Framework consists of Regulation (EC) 765/2008 setting out the requirements for accreditation and the market surveillance of products; Decision 768/2008 on a common framework for the marketing of products; and Regulation (EU) 2019/1020 on market surveillance and compliance of products. ↩︎

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 26–27 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.

4.1.2 Does the CRA mandate a specific risk assessment methodology?

The CRA does not mandate a specific cybersecurity risk assessment methodology. Manufacturers can decide on the methodology they use to identify and treat the relevant risks. Manufacturers need to address all relevant risks emerging from the cybersecurity risk assessment, and the risk assessment methodology should therefore support manufacturers in documenting that this has been done (in accordance with Article 13(3)), allowing market surveillance authorities to verify how risks have been identified, evaluated and mitigated.

When modelling threat scenarios, manufacturers should use a threat modelling methodology that appropriately reflects the threats and resulting risks associated with the product’s intended purpose and reasonably foreseeable use. For instance, whereas products intended for use in critical infrastructure may be required to treat risks related to nation-state actors and advanced persistent threats, products intended for private consumer use typically have a lower risk profile and may use a different threat model. In this way, manufacturers can cover all relevant risks to a product in their risk assessment.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 27 (PDF)
4.1.3 Does a manufacturer need to implement all the essential requirements?

Manufacturers need to comply with all essential cybersecurity requirements related to vulnerability handling (set out in Part II of Annex I) throughout the product’s support period. However, with regard to the essential cybersecurity requirements related to product properties (set out in Part I of Annex I), manufacturers need to determine on the basis of the cybersecurity risk assessment which of those requirements are relevant for the type of product with digital elements concerned. In accordance with Article 13(4), where certain essential cybersecurity requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment included in the technical documentation. This could be the case where an essential cybersecurity requirement is incompatible with the nature of a product with digital elements (see recital 55), or where no risks exist that require a mitigation in relation to that essential requirement.

For example, a product might not need to incorporate any specific mitigation measures related to the protection of personal data if the product’s intended purpose and reasonably foreseeable use do not include the processing of any kind of personal data. In such cases, the product might still have the technical capability to process some kinds of personal data, but such use would not be included in the intended purpose and reasonably foreseeable use declared by the manufacturer. Where the product’s technical capability to process personal data may lead to significant cybersecurity risks in the case of reasonably foreseeable misuse, the information and instructions to the user may need to include this information, in accordance with point 5 of Annex II of the CRA.

As another example, as stated in recital 55, the intended purpose of a product with digital elements may require the manufacturer to follow widely recognised interoperability standards even if their security features are no longer considered to be state of the art. Similarly, other Union law may require manufacturers to apply specific interoperability requirements. Where this is the case, and an essential cybersecurity requirement is consequently not applicable to a product with digital elements, but the manufacturer has nevertheless identified cybersecurity risks in relation to that essential cybersecurity requirement, it should address those risks by other means, for instance by limiting the intended purpose of the product to trusted environments and/or by informing users about those risks.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 27–28 (PDF)
4.1.4 What are intended purpose and reasonably foreseeable use, and how do they affect the cybersecurity risk assessment?

In accordance with Article 13(2), the assessment of cybersecurity risks shall be carried out with a view to minimising such risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. Furthermore, Article 13(3) clarifies that the analysis of cybersecurity risks shall consider at least the intended purpose and reasonably foreseeable use, as well as the conditions of use of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. As an example, manufacturers of hardware or software components used by many other products downstream should consider whether the intended purpose and reasonably foreseeable use include the integration of those components into other products. In those cases, the manufacturer must ensure that the relevant risks are duly treated (Article 13(1) and (2)) and must communicate to users clear, understandable, intelligible and legible instructions that allow for the secure installation, operation and use of the product with digital elements (as per Article 13(18)).

Article 3(23) defines ‘intended purpose’ as the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation. Furthermore, ‘reasonably foreseeable use’ is defined in Article 3(24) as use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions.

Where relevant to the intended purpose and reasonably foreseeable use, the manufacturer should also consider how downstream integration and end-use can affect the cybersecurity risk assessment (i.e. the specific context and conditions of use). Furthermore, manufacturers should inform their users, be they integrators, professional owners or operators, consumers or others, through the information and instructions to the user about any assumptions or requirements that are needed for the secure installation, operation and use of the product with digital elements, in accordance with Article 13(18).

As stated in section 2.8 of the Blue Guide, manufacturers have to consider the conditions of use which can be reasonably foreseen prior to placing a product on the market, notably where such use could result from lawful and readily predictable human behaviour. This means manufacturers have to look beyond what they consider the intended use of a product, place themselves in the position of the average user of that product and envisage in what ways such a user would reasonably consider using it. For instance, as stated in section 3.1 of the Blue Guide, a tool designed and intended to be used by professionals only (such as an industrial IoT sensor or a virtual private network) might eventually also be used by non-professionals; consequently, the design and the accompanying instructions must take this possibility into account. Similarly, the information necessary for secure installation should still be provided in a way which is clear, understandable, intelligible and legible for the audience expected to carry out the installation, in accordance with Article 13(18). If the product is easily accessible and is likely to be used by consumers, the manufacturer should consider the needs and risks of those consumers, for example through appropriate information and instructions to the user, including instructions for the secure installation, operation and use of the product with digital elements.

However, as set out in section 2.8 of the Blue Guide, not all risks can be prevented by product design, so intended or foreseeable deployment conditions should also be considered. Where relevant, the cybersecurity risk assessment should take into account other measures that may be put in place by the intended or foreseeable category of user (e.g. professional users). For instance, the supervision and assistance of the intended users should be considered as part of the conditions which can be reasonably foreseen for products to be installed and used within certain professional settings, such as an industrial plant. As another example, some professional machine tools are intended for use by averagely skilled and trained workers under the supervision of their employer; the responsibility of the manufacturer cannot be engaged if such machine tools are rented by a distributor or third-party service provider for use by unskilled and untrained consumers. Furthermore, it may in some cases be reasonable for the manufacturer to allow, through the design of the product, that the user can alter the product’s configuration, removing security functionality or downgrading security measures to ensure legacy compatibility. In such cases, the manufacturer should include the relevant cybersecurity risks in its cybersecurity risk assessment, implement specific treatment measures covering those risks, and accompany those usage possibilities with appropriate information and instructions to the user to ensure secure deployment and that the required security outcomes can still be achieved. In addition, where this circumstance may lead to significant cybersecurity risks, the manufacturer should explicitly mention those risks in accordance with point 5 of Annex II of the CRA.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 28–30 (PDF)
4.1.5 What is reasonably foreseeable misuse, and how does it affect the cybersecurity risk assessment?

In accordance with Article 13(18), the manufacturer should provide information to users regarding the expected conditions for secure deployment and integration of the product. For their part, users should take into consideration the lawful conditions of use of the product defined by the manufacturer, provided these are reasonable and appropriate to the intended purpose and reasonably foreseeable use, in particular where low-skilled or vulnerable users are concerned. Article 3(25) defines ‘reasonably foreseeable misuse’ as the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems. For instance, if the information and instructions to the user state that the product must be deployed on a secure network, deploying it on an insecure network might constitute a reasonably foreseeable misuse. Similarly, although some users might be hacking their devices for fun (or for security research), this use is not necessarily in line with the manufacturer’s stated intended purpose and reasonably foreseeable use, and therefore would constitute a form of misuse.[1]

Furthermore, manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, including any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks. Risks concerning reasonably foreseeable misuse must also be communicated in the information and instructions to the user. For instance, where the information and instructions to the user state that the product must be deployed on a secure network, this implies that the manufacturer may not have covered certain risks emerging from use on insecure networks. The manufacturer should therefore inform the user wherever such reasonably foreseeable misuse may still lead to significant cybersecurity risks.


  1. As stated in Recital 75, Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities. ↩︎

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 30–31 (PDF)
4.1.6 How does the length of time the product is expected to be in use affect the manufacturer’s cybersecurity risk assessment?

For the purpose of ensuring the security of products with digital elements after their placing on the market, manufacturers should determine the support period, which should reflect the time the product with digital elements is expected to be in use. Thus, in accordance with Article 13(3), the analysis of cybersecurity risks by the manufacturer shall take into account the length of time the product is expected to be in use (Article 13(8)). The manufacturer should also consider the product’s lifetime in the design and development stage, and in particular should prepare the product to ensure that throughout the support period vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I. Furthermore, according to Article 13(7) the risk assessment shall be documented and updated as appropriate during the product’s support period. Where the risk assessment relies on the information and instructions to the users to address certain risks, such information and instructions to the users should be updated accordingly.

As an example, the manufacturer may consider reasonable projections about changes in the threat landscape and how these might impact the risk assessment throughout the product lifetime.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 31–32 (PDF)
4.1.7 What is the relationship between harmonised standards and the manufacturer’s cybersecurity risk assessment?

As stated in the Blue Guide, harmonised standards do not replace legally binding essential requirements. A technical specification given in a harmonised standard is not an alternative to a relevant essential or other legal requirement but only a possible technical means to comply with it. In risk-related harmonisation legislation this means in particular that manufacturers always remain fully responsible for assessing all the risks of their product in order to determine which essential (or other) requirements are relevant, even when using harmonised standards the references of which are published in the Official Journal of the European Union (“OJ”). After this assessment a manufacturer may then choose to apply the technical specifications given in such harmonised standards to implement the ‘risk reduction measures’ they specify. In risk-related harmonisation legislation, harmonised standards the references of which are published in the OJ most commonly provide certain means to reduce or remove risks, while manufacturers remain fully responsible for the risk assessment that identifies the relevant risks and the relevant essential requirements, and for selecting suitable harmonised standards or other specifications on that basis.

Thus, even where the manufacturer uses a harmonised standard (the reference of which is published in the OJ and which aims to cover certain risks) to satisfy essential requirements, the cybersecurity risk assessment still has to be carried out, and the manufacturer must check whether the harmonised standard covers all the risks of the product. In accordance with Article 27, where a manufacturer correctly applies a harmonised standard the reference of which is published in the OJ and which covers all the risks relevant to the product with digital elements, the product benefits from the presumption of conformity.[1]

As stated in Article 27(1) of the CRA and section 4.1.2.2 of the Blue Guide, where a harmonised standard covers only part of the essential requirements identified as relevant by the manufacturer, or only certain aspects thereof, the manufacturer additionally has to use other relevant technical specifications or develop solutions in accordance with general engineering or scientific knowledge laid down in engineering and scientific literature in order to meet the essential requirements of the CRA. Similarly, where manufacturers choose not to apply all the provisions of a harmonised standard which would normally provide presumption of conformity, they need, on the basis of their own cybersecurity risk assessment, to indicate in their technical documentation how compliance is reached or that the relevant essential requirements are not relevant for the product.

The CRA standardisation request calls for the development of a set of harmonised standards intended to provide either horizontal or product-specific guidance to manufacturers in support of their compliance with the CRA. See also 6.10 When will harmonised standards to support CRA compliance be ready?


  1. As stated in footnote 179 of the Blue Guide. ↩︎

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 32–33 (PDF)
4.1.8 What does a manufacturer need to include regarding the cybersecurity risk assessment in the technical documentation to be kept at the disposal of market surveillance authorities?

Article 13(12) and Article 31 require the manufacturer to draw up technical documentation containing the information needed to demonstrate the conformity of the product with the applicable requirements, regardless of the conformity assessment procedure. This documentation may be part of the quality system documentation where the manufacturer chooses a conformity assessment procedure based on a quality system, in line with Article 32. This is the case for conformity based on full quality assurance (module H, Part IV of Annex VIII to the CRA). The technical documentation must be available when the product is placed on the market, whatever its geographical origin or location. In accordance with Article 13(4), when placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment in the technical documentation required pursuant to Article 31 and Annex VII. After placing the product on the market, the manufacturer shall systematically document, in a manner that is proportionate to its nature and cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities of which it becomes aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the product. In particular, as part of the vulnerability handling requirement in Annex I, Part II, point (3), the manufacturer must update the risk assessment after the application of regular tests and reviews, wherever relevant information pertaining to the cybersecurity of the product emerges from such tests and reviews.

According to section 4.3 of the Blue Guide, where a product has been subject to re-designs and re-assessments of conformity, the technical documentation must reflect all versions of the product, describing the changes made, how the various versions of the product can be identified, and information on the various conformity assessments.

In accordance with Article 53, where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act”, p. 33–34 (PDF)