法規(EU)2024/2847下的所有義務——可追溯至具體條款,附有通俗語言解釋和證據指導。
Manufacturers must design, develop, and produce products with digital elements so that they provide an appropriate level of cybersecurity based on the risks. Security must be addressed throughout the product's lifecycle — from design through decommissioning.
Before placing a product with digital elements on the market, manufacturers must carry out an assessment of the cybersecurity risks associated with the product. The risk assessment must inform the product's design, development, and production, and must be documented as part of the technical file.
Manufacturers must draw up technical documentation containing all information necessary to demonstrate that the product conforms to the CRA essential requirements. The documentation must be kept up to date and retained for ten years from placing on the market (or the product's expected lifetime if longer).
Manufacturers must demonstrate conformity using the procedure appropriate to their product class. Default products may self-certify (Module A). Important Class I products may self-certify if harmonised standards are applied; otherwise a notified body must be involved. Important Class II and Critical products always require a notified body.
Where a software component incorporated in a product with digital elements is not developed by the manufacturer, the manufacturer must exercise appropriate due diligence to ensure that the component does not compromise the product's security. A software bill of materials (SBOM) must be prepared and maintained as part of the technical documentation.
When placing a product with digital elements on the market, manufacturers must ensure the product does not contain any known exploitable vulnerabilities. This obligation applies at the time of distribution and to each subsequent update that is released.
Manufacturers must put in place a policy for coordinated vulnerability disclosure (CVD) and make it publicly accessible. The policy must provide a contact point for reporting vulnerabilities and describe how the manufacturer will handle reports, including acknowledgement timelines and the process for coordinating disclosure with researchers.
Manufacturers must declare the support period for their product and make that information available to users before purchase. The support period must be at least five years, unless the expected use period of the product is shorter. The support-period end date must appear in product documentation and at the point of sale.
Manufacturers must provide security updates free of charge for at least five years (or the expected use period if shorter). Updates must be delivered promptly, separately from functionality updates, and the support-period end date must be disclosed.
Manufacturers must have processes to identify, analyse, and address vulnerabilities in their products throughout the entire support period. Annex I Part II specifies detailed requirements including CVE assignment, CVSS scoring, coordinated disclosure, and timely remediation.
Manufacturers must draw up an EU Declaration of Conformity in accordance with Article 28 and Annex V, stating that the product meets all applicable CRA requirements. The EU DoC must be kept up to date and made available to market surveillance authorities and, where applicable, to users.
Manufacturers must affix the CE marking to their products before placing them on the EU market, as evidence that the product conforms to all applicable CRA requirements. The CE marking must be visible, legible, and indelible, and must not be affixed before the EU Declaration of Conformity is drawn up.
Manufacturers must ensure that each product with digital elements bears a type, batch number, serial number, or other element that allows its identification. For software-only products, the version number serves this purpose.
Manufacturers must indicate their name, registered trade name or trademark, and postal address on the product or its packaging. An electronic contact address (website or email) must also be indicated where available. This enables market surveillance authorities, importers, distributors, and users to contact the manufacturer.
Manufacturers must accompany the product with the information and instructions listed in Annex II, in a language easily understood by users. This includes the product identity, security capabilities, contact for reporting vulnerabilities, the support period end date, and guidance on secure use.
Where a manufacturer has reason to consider that a product placed on the market does not conform with CRA requirements, they must immediately take corrective measures — including withdrawal or recall if necessary. Manufacturers must also cooperate with market surveillance authorities and provide all requested information and documentation.
Manufacturers must report any actively exploited vulnerability in their product to ENISA via the single reporting platform within 24 hours (early warning) and 72 hours (notification). A final report is due within 14 days. This obligation applies from 11 September 2026.
Within 72 hours of becoming aware of an actively exploited vulnerability in a product, manufacturers must submit a detailed vulnerability notification to ENISA via the single reporting platform. This follows the 24-hour early warning (OBL-ART14-01) and must include technical details about the vulnerability and the product affected.
Within 14 days of becoming aware of an actively exploited vulnerability, manufacturers must submit a final report to ENISA containing a complete description of the vulnerability, the corrective measures taken, and whether the vulnerability has been publicly disclosed or a CVE has been assigned.
When a vulnerability is actively exploited, manufacturers must notify affected users without undue delay. The notification must include information sufficient for users to take protective action, including mitigating measures available before a patch is released.
Before placing a product with digital elements on the EU market, importers must verify that the manufacturer has carried out the appropriate conformity assessment, drawn up technical documentation, affixed the CE marking, and made the EU declaration of conformity or declaration of performance available.
Where an importer considers or has reason to believe that a product with digital elements is not in conformity with the essential cybersecurity requirements, the importer must not place the product on the market until conformity is achieved.
Importers must indicate their name, registered trade name or trademark, postal address, and where available their website or email address, on the product itself, on its packaging, or in a document accompanying the product.
While a product with digital elements is under the importer's responsibility, the importer must ensure that storage and transport conditions do not jeopardise its conformity with the essential cybersecurity requirements.
If an importer learns that a product they have placed on the market is not in conformity, they must immediately take corrective action — including withdrawal or recall if necessary. Where the product poses a significant cybersecurity risk, the importer must immediately notify the relevant national competent authority.
Importers must keep a copy of the EU declaration of conformity or declaration of performance for 10 years after the product is placed on the market, and ensure that technical documentation can be made available to market surveillance authorities upon request.
Upon a reasoned request from a competent authority, importers must provide all information and documentation — in paper or electronic form — necessary to demonstrate the conformity of a product with digital elements. They must also cooperate on any corrective action required.
When making a product with digital elements available on the market, distributors must act with due care and verify that the product bears the CE marking, is accompanied by the required documentation and information, and that the manufacturer and importer (if applicable) have complied with their labelling and identification obligations.
Where a distributor considers or has reason to believe that a product is not in conformity with the CRA's essential requirements, the distributor must not make the product available on the market until conformity is achieved, and must notify the manufacturer and, where applicable, the market surveillance authority.
Distributors must ensure that, while a product with digital elements is under their responsibility, storage and transport conditions do not jeopardise its conformity with the essential cybersecurity requirements.
If a distributor learns that a product they have made available on the market is not in conformity, they must immediately take corrective action including withdrawal or recall if necessary. Where the product poses a significant cybersecurity risk, they must immediately notify the relevant national market surveillance authority.
Upon a reasoned request from a competent authority, distributors must provide all information and documentation necessary to demonstrate the conformity of a product, and cooperate on any corrective action required by that authority.
Open-source software stewards must put in place and document a cybersecurity policy that fosters the development of a secure product and enables effective handling of vulnerabilities in the open-source software components they support.
Open-source software stewards must notify the relevant CSIRT (computer security incident response team) designated as coordinator without undue delay of any actively exploited vulnerability contained in their open-source software components, as well as any severe incident affecting the security of those components.
Open-source software stewards must cooperate with market surveillance authorities upon request and provide all information required for the performance of their regulatory tasks.
Upon request from market surveillance authorities, open-source software stewards must draw up and keep up-to-date technical documentation for the open-source software components they administer, sufficient to allow assessment of cybersecurity compliance.