Conformity assessment objectives
Before launching a new product on the market, or when the product undergoes a substantial update, device makers must conduct a conformity assessment to validate that the Cyber Resilience Act requirements have been taken into account and that the product does not present any known and exploitable vulnerability.
Manufacturers carry the responsibility for conducting these assessments under their own supervision. However, they have the flexibility to engage third-party entities for evaluation if necessary. Given the heightened cybersecurity risks associated with critical Class II devices, third-party intervention is essential during the conformity assessment process.
Note that the list of organizations authorized to help you with your conformity assessment is defined by the country you are living in. Consult your government's website to learn more.
What is a substantial update of the product?
Therefore, not all updates lead to a substantial modification of the product!
Conformity assessment procedures
There are three primary procedures for conformity assessment:
- Internal control procedure: The manufacturer assumes responsibility for ensuring product compliance with all essential requirements and processes. This includes establishing technical documentation, ensuring adherence to design, development, production, and vulnerability management processes, affixing the CE marking on compliant products, and providing a written EU declaration of conformity for each product.
- EU type examination: In this procedure, a notified body examines the technical aspects of the product’s design, development, and vulnerability management processes to ensure compliance with essential requirements. The manufacturer submits documentation and evidence of compliance to a single notified body (ANSSI in France, for instance), which then evaluates the product and issues an EU type examination certificate if the requirements of Article 39 are met.
- Conformity based on internal production control: Here, the manufacturer ensures that production processes guarantee conformity with the approved type and essential requirements. This involves affixing the CE marking on compliant products, establishing a written declaration of conformity for each product model, and maintaining technical documentation for ten years after market placement.
CE marking
Once the assessment is done, device makers can submit an EU conformity declaration. Once it is validated, they will be able to put the CE marking on their product.
The CE marking is a crucial indication of product compliance with the Cyber Resilience Act (CRA). It is the visible result of the comprehensive process of conformity assessment and allows products to move freely within the internal European market. The CE marking must be affixed in a visible, legible, and indelible manner on the product, its packaging, its EU Declaration of Conformity, and/or on the product’s website. Its height can be less than 5 mm, as long as it remains visible and legible. The CE marking is affixed before the product is placed on the market and is followed by the identification number of the notified body, when this body participates in the conformity assessment procedure based on full quality assurance.
Get help from external providers
Equipment manufacturers may appoint representatives under a mandate to help them perform certain tasks:
- Maintain the EU declaration of conformity and technical documentation for ten years from the product’s market placement, making it available to market surveillance authorities.
- Cooperate with market surveillance authorities upon request regarding any measures taken to eliminate risks posed by a product.




