OBL-ART24-04 Binding

Draw up technical documentation on request

Applies to
Open-source steward
Source citation
Art. 24(4)
Product class
default, important-class-i, important-class-ii, critical
Last reviewed

Plain-language explanation

Unlike manufacturers, you do not need to proactively prepare the full Annex VII technical documentation. However, if a market surveillance authority requests it, you must be able to produce technical documentation about your OSS component — covering its security properties, known vulnerabilities, and development practices. The lighter obligation for OSS stewards reflects the open-source model, but you still need the underlying information to be available.

Legal text

Article 24(4) of Regulation (EU) 2024/2847 provides that, upon the request of a market surveillance authority, open-source software stewards shall draw up and keep up-to-date the technical documentation referred to in Annex VII for the open-source software components they administer.

The documentation shall be made available to the market surveillance authority upon request and shall enable assessment of compliance with the applicable requirements of this Regulation.

Key requirements

  1. On-request obligation — unlike manufacturers, OSS stewards need not proactively maintain Annex VII documentation, but must produce it when asked
  2. Annex VII scope — documentation must be sufficient to allow assessment of compliance; covers security properties, development process, and vulnerability handling
  3. Keep up to date — once produced, the documentation must be maintained so it remains accurate
  4. Timely production — must be produced within a reasonable time following the request

Evidence you may need

  • Inventory of OSS components you administer and their security-relevant properties
  • Security architecture notes, threat models, or equivalent design documentation
  • Vulnerability database or known-issues list for your components
  • Records of secure development practices applied