Cyber Resilience Act Regulation (EU) 2024/2847

Part IV

Conformity based on full quality assurance (based on module H)

  1. 1. Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.
  2. 2. Design, development, production and vulnerability handling of products with digital elements
    The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4.
  3. 3. Quality system
    3.1. The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned.
    The application shall include:
    1. the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;
    2. the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;
    3. the documentation concerning the quality system; and
    4. a written declaration that the same application has not been lodged with any other notified body.
    3.2. The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I.
    All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records.
    It shall, in particular, contain an adequate description of:
    1. the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;
    2. the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;
    3. the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;
    4. the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;
    5. the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;
    6. the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;
    7. the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;
    8. the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.
    3.3. The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2.
    It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification.
    In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements set out in this Regulation. The audit shall include an assessment visit to the manufacturer’s premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1 (b), to verify the manufacturer’s ability to identify the applicable requirements set out in this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements.
    The manufacturer or its authorised representative shall be notified of the decision.
    The notification shall contain the conclusions of the audit and the reasoned assessment decision.
    3.4. The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient.
    3.5. The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.
    The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
    It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision.
  4. 4. Surveillance under the responsibility of the notified body
    4.1. The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising out of the approved quality system.
    4.2. The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:
    1. the quality system documentation;
    2. the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;
    3. the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.
    4.3. The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report.
  5. 5. Conformity marking and declaration of conformity
    5.1. The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter’s identification number to each individual product with digital elements that satisfies the requirements set out in Part I of Annex I.
    5.2. The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up.
    A copy of the declaration of conformity shall be made available to the relevant authorities upon request.
  6. 6. The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:
    1. the technical documentation referred to in point 3.1;
    2. the documentation concerning the quality system referred to in point 3.1;
    3. the change referred to in point 3.5, as approved;
    4. the decisions and reports of the notified body referred to in points 3.5 and 4.3.
  7. 7. Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.
    Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued.
  8. 8. Authorised representative
    The manufacturer’s obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.