1. Conformity assessments
Before placing a PDE on the market, manufacturers will be required to perform 'conformity assessments' of the PDE and of the vulnerability handling processes they have put in place, to demonstrate conformity with a list of 'essential requirements'. The method and contents of the conformity assessment will depend on the PDE's respective cybersecurity requirements. For this purpose, the CRA distinguishes between Class I and Class II products, where PDEs in the latter category constitute a higher cybersecurity risk. Examples of Class I PDEs are network management systems, password managers and standalone and embedded software. Examples of Class II PDEs are general-purpose microprocessors, as well as routers and modems intended for connection to the internet, and switches, intended for industrial use. Manufacturers of Class I products are allowed to perform the conformity assessments themselves, whereas manufacturers of Class II products must employ a third party (a 'notified body') to carry out the conformity assessment on their behalf.
2. EU declaration of conformity and CE-marking
Where compliance has been demonstrated by the conformity assessment procedure, manufacturers are required to draw up an EU declaration of conformity and affix the European Conformity (CE) mark in accordance with the provisions in the CRA.
3. Technical documentation
Manufacturers will need to draw up technical documentation before placing a PDE on the market. This documentation must contain all relevant data or details of the means used by the manufacturer to ensure that the PDE and the processes put in place by the manufacturer comply with applicable essential requirements. In addition, the technical documentation must be updated continuously, where appropriate, during the expected product lifetime or five years after placing the product on the market (whichever is shorter). Furthermore, manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for ten years after the PDE has been placed on the market.
4. Information and instructions for use
Before placing a PDE on the market, the manufacturer will need to draw up and provide certain information and instructions for use in a language which can be easily understood by the users. This includes, for example, the point of contact where information about cybersecurity vulnerabilities of the PDE can be reported and received, as well as the intended use (including the security environment provided by the manufacturer), the PDE's essential functionalities and information about its security properties.
5. Notification periods
Manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of any actively exploited vulnerability contained in a PDE. The notification shall include details concerning the vulnerability and, where applicable, any corrective or mitigating measures taken.
6. Market surveillance and enforcement
National market surveillance authorities are given powers to carry out surveillance in their respective member states and to impose administrative fines to enforce compliance with the CRA. According to the proposal, member states shall lay down the rules for administrative fines for non-compliance with the provisions. However, the CRA does establish maximum levels for these fines. In some cases, fines for non-compliance can reach up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
7. Obligations for importers and distributors
Importers and distributors are required to ensure that the relevant documentation and CE marking are in place before placing a PDE on the market or making it available on the market. Furthermore, they are required to inform the manufacturer and the relevant market surveillance authorities where a product with digital elements presents a significant cybersecurity risk.