Economic operators and their obligations under the Cyber Resilience Act (CRA)
In the first part of our series on the Cyber Resilience Act we showed why the CRA is relevant for medical device manufacturers even where it does not apply to them directly. If your organisation is affected by the CRA, you also need to become familiar with the obligations and rights of the various economic operators, because these roles are not identical to those under the MDR/IVDR. They are defined in Chapter II of the CRA. Make sure your organisation understands the roles correctly under each regulation.
The new role: open-source software steward
In addition to the economic operators already familiar from other EU product legislation (manufacturer, importer, distributor), the CRA defines a new role, which we address first: the "open-source software steward".
“An open-source software steward means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products.”
Open-source software stewards include foundations and other organisations, including non-profit organisations, that develop and publish free and open-source software in a business context. They are subject to a light-touch regulatory regime and do not affix the CE marking to the products they support. Their support includes hosting development platforms, managing source code and the continuous development of the software.
Further obligations of the open-source software steward:
- Put in place and document, in a verifiable manner, a cybersecurity policy that fosters the development of a secure product with digital elements and the effective handling of vulnerabilities by the developers of that product. The policy must also foster voluntary vulnerability reporting under Article 15 and must in particular cover
- documenting, addressing and remediating vulnerabilities, and
- promoting the sharing of information on discovered vulnerabilities within the open-source community.
- Cooperate with market surveillance authorities, at their request, to mitigate the cybersecurity risks posed by the products.
- To the extent that the steward is involved in the development of the product, some of the manufacturer's reporting obligations apply to it (Article 14(1), (3) and (8)): any actively exploited vulnerability in the product, and any severe incident affecting the security of the product or of the network and information systems the steward makes available for its development, must be reported via the single reporting platform established under the CRA. The steward must also inform the affected users of the vulnerability or incident and, where necessary, of any risk mitigation measures and corrective actions the users can take.
The most important obligations of the manufacturer (Article 13):
- Cybersecurity requirements: Manufacturers must ensure that products with digital elements are designed, developed and produced in accordance with the essential cybersecurity requirements (Annex I, Part I).
- Risk assessment as part of the technical documentation: A cybersecurity risk assessment must be carried out and taken into account during the planning, design, development, production, delivery and maintenance phases in order to minimise cybersecurity risks and prevent security incidents. The risk assessment must be documented and updated as appropriate during the support period; it must also cover whether and how the essential requirements apply to the product and how vulnerabilities are handled.
- Determination of the support period: The support period must reflect the time during which the product is expected to be in use, taking into account user expectations and relevant legislation, and must be at least five years unless the product is expected to be in use for less than five years, in which case it corresponds to that shorter period. The basis for this determination must be recorded in the technical documentation. The end date must be clearly indicated (at least month and year) on the product, its packaging or by digital means, in a way that is easy for the user to understand.
- Security updates: Security updates must be made available during the support period and, where technically feasible, must remain available after their release for at least ten years or for the remainder of the support period, whichever is longer.
- Care with third-party components: Manufacturers must ensure that components sourced from third parties do not compromise the cybersecurity of the product.
- Reporting vulnerabilities in components: If a manufacturer identifies a vulnerability in an integrated component, including an open-source component, it must report the vulnerability to the person or entity that manufactures or maintains the component and must address and remediate it in accordance with the vulnerability-handling requirements (Annex I, Part II).
- Systematic documentation: All relevant cybersecurity aspects, including vulnerabilities and third-party information, must be systematically documented and the risk assessment updated as necessary.
- Conformity assessment and EU declaration of conformity: Before placing on the market, manufacturers must prepare the technical documentation and carry out the conformity assessment procedures. After a successful conformity assessment, manufacturers must draw up the EU declaration of conformity and affix the CE marking. A copy of the EU declaration of conformity must accompany the product. Conformity must also be guaranteed during series production.
- Retention obligation: The technical documentation and the EU declaration of conformity must be kept for at least ten years or for the duration of the support period if this is longer than 10 years.
- Labelling: The manufacturer must label the product in accordance with Article 13(15) and (16).
- Information and instructions for the user: The manufacturer must provide the user with all the information and instructions referred to in Annex II in paper or electronic form for at least 10 years or for the duration of the period of support (including online).
- Corrective actions: The manufacturer must take the necessary corrective measures without delay as soon as it knows, or has reason to believe, that the product no longer meets the cybersecurity requirements.
- Cooperation with market surveillance authorities: Upon reasoned request, the manufacturer must provide the market surveillance authority with all information and documentation necessary to demonstrate conformity, in paper or electronic form and in a language the authority can easily understand. The manufacturer must cooperate with the authority on all measures taken to address cybersecurity risks. If the manufacturer ceases operations and can therefore no longer fulfil its obligations, it must inform the market surveillance authority and, as far as possible, the users. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has applied to be the market surveillance authority in Germany but has not yet been officially appointed.
Obligations as importer
- Only products that comply with the essential cybersecurity requirements of the CRA may be placed on the market.
- Before placing on the market ("the first making available of a product with digital elements on the Union market"), the importer must ensure that:
- the manufacturer has carried out the appropriate conformity assessment procedures and has drawn up the technical documentation,
- the product bears the CE marking, and the EU declaration of conformity and the user information and instructions are available in a language easily understood by users,
- the manufacturer has fulfilled its other obligations under Article 13, in particular identification and labelling, contact details and the indication of the support period end date.
- If there are doubts about conformity, the importer may only place the product on the market once it has been brought into conformity. If the product presents a significant cybersecurity risk, the manufacturer and the market surveillance authority must be informed.
- The importer's name, registered trade name or trademark and contact details (postal address, email address or other digital contact) must be indicated on the product or, where that is not possible, on its packaging or in the accompanying documentation, in a language easily understood by users.
- The importer must take corrective measures if the product does not (or no longer does) comply with the regulation. If the importer becomes aware of a vulnerability, it must inform the manufacturer without undue delay. If the product presents a significant cybersecurity risk, the market surveillance authority must also be informed, including details of the non-compliance and of the corrective measures taken.
- A copy of the EU declaration of conformity must be kept for at least ten years from the date the product was placed on the market or for the support period, whichever is longer, and the technical documentation must be presented to the market surveillance authorities on request.
- Information must be provided to the market surveillance authorities upon their reasoned request. All required information and documentation must be provided in paper or electronic form in a language the authority can easily understand. In addition, importers must cooperate with the authorities on measures taken to address cybersecurity risks.
- If the importer becomes aware that the manufacturer has ceased operations and can therefore no longer fulfil its obligations, the importer must inform the market surveillance authorities and, as far as possible, the users.
Obligations of distributors
- Distributors must act with due care when making products available on the market. Before making a product available, they must verify that
- the product bears the CE marking,
- the manufacturer and the importer have fulfilled their obligations (identification, contact details and indication of the support period end date), and
- the required documents (EU declaration of conformity, user information and instructions) accompany the product.
- If there are doubts about conformity, the product may only be made available on the market once it has been brought into conformity. If the product presents a significant cybersecurity risk, the distributor must inform the manufacturer and the market surveillance authority.
- The distributor must take corrective measures if the product does not (or no longer does) comply with the regulation. If the distributor becomes aware of a vulnerability, it must inform the manufacturer without undue delay. If the product presents a significant cybersecurity risk, the market surveillance authority must also be informed, including details of the non-compliance and of the corrective measures taken.
- Information must be provided to the market surveillance authorities upon their reasoned request. All required information and documentation must be provided in paper or electronic form in a language the authority can easily understand. In addition, distributors must cooperate with the authorities on measures taken to address cybersecurity risks.
- If the distributor becomes aware that the manufacturer has ceased operations and can therefore no longer fulfil its obligations, the distributor must inform the market surveillance authorities and, as far as possible, the users.
Further special features of the CRA
- In addition to the obligations of economic operators already mentioned, further requirements similar to those in the MDR/IVDR must be observed: An importer or distributor is considered a manufacturer if it places a product on the market under its own name or trademark or carries out a substantial modification of a product already placed on the market.
- If a natural or legal person who is not the manufacturer, importer or distributor carries out a substantial modification of a product and places it on the market, that person is also considered the manufacturer. The manufacturer's obligations described above must then be fulfilled either for the part of the product affected by the modification or, if the modification impacts the cybersecurity of the product as a whole, for the entire product.
- Economic operators must, at the request of the market surveillance authorities, identify the economic operators from whom they have obtained products with digital elements and, where available, the economic operators to whom they have supplied them. They must be able to provide this information for ten years after they were supplied with the product and for ten years after they supplied it.
- To facilitate the due diligence obligation under Article 13(5), in particular for manufacturers that integrate free and open-source software into their products, Article 25 empowers the Commission to establish voluntary security attestation programmes by means of delegated acts (Article 61). These programmes are intended to help developers, users and other third parties assess the conformity of products with digital elements, including open-source software, with the essential cybersecurity requirements and other obligations of the regulation.
- The Commission publishes guidance to facilitate the implementation of the CRA and to make it comprehensible and coherent for all economic operators, in particular small and medium-sized enterprises and micro-enterprises. This guidance is intended to clarify, among other things, the scope of the regulation, support periods for certain categories of products, the situation of manufacturers that are also subject to other EU legislation, and the concept of substantial modification. In addition, the Commission will make available an easily accessible list of relevant legal acts. When drawing up the guidance, the Commission consults relevant stakeholders. Existing guidance documents are available via the BSI.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.