diff --git a/backend/library/libraries/cra-proposal-annexes.yaml b/backend/library/libraries/cra-proposal-annexes.yaml deleted file mode 100644 index d15f4463e..000000000 --- a/backend/library/libraries/cra-proposal-annexes.yaml +++ /dev/null @@ -1,1572 +0,0 @@ -urn: urn:intuitem:risk:library:cra-proposal-annexes -locale: en -ref_id: CRA-proposal-annexes -name: Cyber Resilience Act -description: 'ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT - AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital - elements and amending Regulation (EU) 2019/1020 - - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454' -copyright: European Union law -version: 1 -publication_date: 2024-04-11 -provider: EU -packager: intuitem -objects: - framework: - urn: urn:intuitem:risk:framework:cra-proposal-annexes - ref_id: CRA-proposal-annexes - name: Cyber Resilience Act - description: ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT - AND OF THE COUNCIL on horizontal cybersecurity requirements for products with - digital elements and amending Regulation (EU) 2019/1020 - requirement_nodes: - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 - assessable: false - depth: 1 - ref_id: '1' - name: ANNEX I - description: ESSENTIAL CYBERSECURITY REQUIREMENTS - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 - ref_id: '1.1' - name: Security requirements relating to the properties of products with digital - elements - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 - ref_id: 1.1.1 - description: Products with digital elements shall be designed, developed and - produced in such a way that they ensure an appropriate level of cybersecurity - based on the risks; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 - ref_id: 1.1.2 - description: Products with digital elements shall be delivered without any known - exploitable vulnerabilities; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 - ref_id: 1.1.3 - description: 'On the basis of the risk assessment referred to in Article 10(2) - and where applicable, products with digital elements shall:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.a - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.a - description: be delivered with a secure by default configuration, including - the possibility to reset the product to its original state; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.b - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.b - description: ensure protection from unauthorised access by appropriate control - mechanisms, including but not limited to authentication, identity or access - management systems; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.c - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.c - description: protect the confidentiality of stored, transmitted or otherwise - processed data, personal or other, such as by encrypting relevant data at - rest or in transit by state of the art mechanisms; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.d - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.d - description: protect the integrity of stored, transmitted or otherwise processed - data, personal or other, commands, programs and configuration against any - manipulation or modification not authorised by the user, as well as report - on corruptions; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.e - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.e - description: "process only data, personal or other, that are adequate, relevant\ - \ and limited to what is necessary in relation to the intended use of the\ - \ product (\u2018minimisation of data\u2019); " - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.f - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.f - description: protect the availability of essential functions, including the - resilience against and mitigation of denial of service attacks; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.g - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.g - description: minimise their own negative impact on the availability of services - provided by other devices or networks; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.h - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.h - description: be designed, developed and produced to limit attack surfaces, including - external interfaces; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.i - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.i - description: be designed, developed and produced to reduce the impact of an - incident using appropriate exploitation mitigation mechanisms and techniques; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.j - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.j - description: provide security related information by recording and/or monitoring - relevant internal activity, including the access to or modification of data, - services or functions; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.k - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 - ref_id: 1.1.3.k - description: ensure that vulnerabilities can be addressed through security updates, - including, where applicable, through automatic updates and the notification - of available updates to users. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 - ref_id: '1.2' - name: "Vulnerability\_handling\_requirements" - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2 - description: 'Manufacturers of the products with digital elements shall:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.1 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.1 - description: identify and document vulnerabilities and components contained - in the product, including by drawing up a software bill of materials in a - commonly used and machine-readable format covering at the very least the top-level - dependencies of the product; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.2 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.2 - description: in relation to the risks posed to the products with digital elements, - address and remediate vulnerabilities without delay, including by providing - security updates; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.3 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.3 - description: apply effective and regular tests and reviews of the security of - the product with digital elements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.4 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.4 - description: once a security update has been made available, publically disclose - information about fixed vulnerabilities, including a description of the vulnerabilities, - information allowing users to identify the product with digital elements affected, - the impacts of the vulnerabilities, their severity and information helping - users to remediate the vulnerabilities; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.5 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.5 - description: put in place and enforce a policy on coordinated vulnerability - disclosure; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.6 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.6 - description: take measures to facilitate the sharing of information about potential - vulnerabilities in their product with digital elements as well as in third - party components contained in that product, including by providing a contact - address for the reporting of the vulnerabilities discovered in the product - with digital elements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.7 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.7 - description: provide for mechanisms to securely distribute updates for products - with digital elements to ensure that exploitable vulnerabilities are fixed - or mitigated in a timely manner; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.8 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 - ref_id: 1.2.8 - description: ensure that, where security patches or updates are available to - address identified security issues, they are disseminated without delay and - free of charge, accompanied by advisory messages providing users with the - relevant information, including on potential action to be taken. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2 - assessable: false - depth: 1 - ref_id: '2' - name: ANNEX II - description: INFORMATION AND INSTRUCTIONS TO THE USER - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2 - description: 'As a minimum, the product with digital elements shall be accompanied - by:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.1' - description: the name, registered trade name or registered trade mark of the - manufacturer, and the postal address and the email address at which the manufacturer - can be contacted, on the product or, where that is not possible, on its packaging - or in a document accompanying the product; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.2' - description: the point of contact where information about cybersecurity vulnerabilities - of the product can be reported and received; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.3' - description: the correct identification of the type, batch, version or serial - number or other element allowing the identification of the product and the - corresponding instructions and user information; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.4' - description: "the intended use, including the security environment provided\ - \ by the manufacturer, as well as the product\u2019s essential functionalities\ - \ and information about the security properties;" - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.5' - description: 'any known or foreseeable circumstance, related to the use of the - product with digital elements in accordance with its intended purpose or under - conditions of reasonably foreseeable misuse, which may lead to significant - cybersecurity risks; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.6' - description: if and, where applicable, where the software bill of materials - can be accessed; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.7' - description: 'where applicable, the internet address at which the EU declaration - of conformity can be accessed; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.8' - description: 'the type of technical security support offered by the manufacturer - and until when it will be provided, at the very least until when users can - expect to receive security updates; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 - ref_id: '2.9' - description: 'detailed instructions or an internet address referring to such - detailed instructions and information on:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.a - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 - ref_id: 2.9.a - description: the necessary measures during initial commissioning and throughout - the lifetime of the product to ensure its secure use; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.b - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 - ref_id: 2.9.b - description: how changes to the product can affect the security of data; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.c - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 - ref_id: 2.9.c - description: how security-relevant updates can be installed; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.d - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 - ref_id: 2.9.d - description: the secure decommissioning of the product, including information - on how user data can be securely removed. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 - assessable: false - depth: 1 - ref_id: '3' - name: ANNEX III - description: CRITICAL PRODUCTS WITH DIGITAL ELEMENTS - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 - ref_id: '3.1' - name: Class I - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.1 - description: Identity management systems software and privileged access management - software; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.2 - description: Standalone and embedded browsers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.3 - description: Password managers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.4 - description: Software that searches for, removes, or quarantines malicious software; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.5 - description: Products with digital elements with the function of virtual private - network (VPN); - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.6 - description: Network management systems; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.7 - description: Network configuration management tools; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.8 - description: Network traffic monitoring systems; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.9 - description: Management of network resources; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.10 - description: Security information and event management (SIEM) systems; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.11 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.11 - description: Update/patch management, including boot managers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.12 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.12 - description: Application configuration management systems; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.13 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.13 - description: Remote access/sharing software; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.14 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.14 - description: Mobile device management software; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.15 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.15 - description: Physical network interfaces; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.16 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.16 - description: Operating systems not covered by class II; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.17 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.17 - description: Firewalls, intrusion detection and/or prevention systems not covered - by class II; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.18 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.18 - description: Routers, modems intended for the connection to the internet, and - switches, not covered by class II; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.19 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.19 - description: Microprocessors not covered by class II; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.20 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.20 - description: Microcontrollers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.21 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.21 - description: Application specific integrated circuits (ASIC) and field-programmable - gate arrays (FPGA) intended for the use by essential entities of the type - referred to in [Annex I to the Directive XXX/XXXX (NIS2)]; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.22 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.22 - description: Industrial Automation & Control Systems (IACS) not covered by class - II, such as programmable logic controllers (PLC), distributed control systems - (DCS), computerised numeric controllers for machine tools (CNC) and supervisory - control and data acquisition systems (SCADA); - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.23 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 - ref_id: 3.1.23 - description: Industrial Internet of Things not covered by class II. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 - ref_id: '3.2' - name: Class II - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.1 - description: Operating systems for servers, desktops, and mobile devices; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.2 - description: Hypervisors and container runtime systems that support virtualised - execution of operating systems and similar environments; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.3 - description: Public key infrastructure and digital certificate issuers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.4 - description: Firewalls, intrusion detection and/or prevention systems intended - for industrial use; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.5 - description: General purpose microprocessors; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.6 - description: Microprocessors intended for integration in programmable logic - controllers and secure elements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.7 - description: Routers, modems intended for the connection to the internet, and - switches, intended for industrial use; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.8 - description: Secure elements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.9 - description: Hardware Security Modules (HSMs); - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.10 - description: Secure cryptoprocessors; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.11 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.11 - description: Smartcards, smartcard readers and tokens; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.12 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.12 - description: Industrial Automation & Control Systems (IACS) intended for the - use by essential entities of the type referred to in [Annex I to the Directive - XXX/XXXX (NIS2)], such as programmable logic controllers (PLC), distributed - control systems (DCS), computerised numeric controllers for machine tools - (CNC) and supervisory control and data acquisition systems (SCADA); - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.13 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.13 - description: Industrial Internet of Things devices intended for the use by essential - entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)]; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.14 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.14 - description: Robot sensing and actuator components and robot controllers; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.15 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 - ref_id: 3.2.15 - description: Smart meters. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4 - assessable: false - depth: 1 - ref_id: '4' - name: ANNEX IV - description: EU DECLARATION OF CONFORMITY - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4 - description: 'The EU declaration of conformity referred to in Article 20, shall - contain all of the following information:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.1' - description: Name and type and any additional information enabling the unique - identification of the product with digital elements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.2' - description: 'Name and address of the manufacturer or his authorised representative; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.3' - description: 'A statement that the EU declaration of conformity is issued under - the sole responsibility of the provider; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.4' - description: 'Object of the declaration (identification of the product allowing - traceability. It may include a photograph, where appropriate); ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.5' - description: A statement that the object of the declaration described above - is in conformity with the relevant Union harmonisation legislation; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.6' - description: 'References to any relevant harmonised standards used or any other - common specification or cybersecurity certification in relation to which conformity - is declared; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.7' - description: 'Where applicable, the name and number of the notified body, a - description of the conformity assessment procedure performed and identification - of the certificate issued; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 - ref_id: '4.8' - description: "Additional information: \nSigned for and on behalf of: \n(place\ - \ and date of issue): \n(name, function) (signature):" - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5 - assessable: false - depth: 1 - ref_id: '5' - name: ANNEX V - description: CONTENTS OF THE TECHNICAL DOCUMENTATION - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5 - description: 'The technical documentation referred to in Article 23 shall contain - at least the following information, as applicable to the relevant product - with digital elements:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.1' - description: 'a general description of the product with digital elements, including: ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.a - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 - ref_id: 5.1.a - description: 'its intended purpose; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.b - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 - ref_id: 5.1.b - description: 'versions of software affecting compliance with essential requirements; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.c - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 - ref_id: 5.1.c - description: 'where the product with digital elements is a hardware product, - photographs or illustrations showing external features, marking and internal - layout; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.d - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 - ref_id: 5.1.d - description: user information and instructions as set out in Annex II; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.2' - description: 'a description of the design, development and production of the - product and vulnerability handling processes, including: ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.a - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 - ref_id: 5.2.a - description: complete information on the design and development of the product - with digital elements, including, where applicable, drawings and schemes and/or - a description of the system architecture explaining how software components - build on or feed into each other and integrate into the overall processing; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.b - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 - ref_id: 5.2.b - description: 'complete information and specifications of the vulnerability handling - processes put in place by the manufacturer, including the software bill of - materials, the coordinated vulnerability disclosure policy, evidence of the - provision of a contact address for the reporting of the vulnerabilities and - a description of the technical solutions chosen for the secure distribution - of updates; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.c - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 - ref_id: 5.2.c - description: 'complete information and specifications of the production and - monitoring processes of the product with digital elements and the validation - of these processes. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.3' - description: 'an assessment of the cybersecurity risks against which the product - with digital elements is designed, developed, produced, delivered and maintained - as laid down in Article 10 of this Regulation; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.4' - description: 'a list of the harmonised standards applied in full or in part - the references of which have been published in the Official Journal of the - European Union, common specifications as set out in Article 19 of this Regulation - or cybersecurity certification schemes under Regulation (EU) 2019/881 pursuant - to Article 18(3), and, where those harmonised standards, common specifications - or cybersecurity certification schemes have not been applied, descriptions - of the solutions adopted to meet the essential requirements set out in Sections - 1 and 2 of Annex I, including a list of other relevant technical specifications - applied. In the event of partly applied harmonised standards, common specifications - or cybersecurity certifications, the technical documentation shall specify - the parts which have been applied; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.5 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.5' - description: reports of the tests carried out to verify the conformity of the - product and of the vulnerability handling processes with the applicable essential - requirements as set out in Sections 1 and 2 of Annex I; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.6' - description: a copy of the EU declaration of conformity; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.7 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 - ref_id: '5.7' - description: 'where applicable, the software bill of materials as defined in - Article 3, point (36), further to a reasoned request from a market surveillance - authority provided that it is necessary in order for this authority to be - able to check compliance with the essential requirements set out in Annex - I. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 - assessable: false - depth: 1 - ref_id: '6' - name: ANNEX VI - description: CONFORMITY ASSESSMENT PROCEDURES - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 - ref_id: 6.A - name: Conformity Assessment procedure based on internal control (based on Module - A) - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a - ref_id: 6.A.1 - description: Internal control is the conformity assessment procedure whereby - the manufacturer fulfils the obligations laid down in points 2, 3 and 4, and - ensures and declares on its sole responsibility that the products with digital - elements satisfy all the essential requirements set out in Section 1 of Annex - I and the manufacturer meets the essential requirements set out in Section - 2 of Annex I. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a - ref_id: 6.A.2 - description: 'The manufacturer shall draw up the technical documentation described - in Annex V. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.3 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a - ref_id: 6.A.3 - name: Design, development, production and vulnerability handling of products - with digital elements - description: 'The manufacturer shall take all measures necessary so that the - design, development, production and vulnerability handling processes and their - monitoring ensure compliance of the manufactured or developed products with - digital elements and of the processes put in place by the manufacturer with - the essential requirements set out in sections 1 and 2 of Annex I. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a - ref_id: 6.A.4 - name: Conformity marking and declaration of conformity - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.1 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 - ref_id: 6.A.4.1 - description: The manufacturer shall affix the CE to each individual product - with digital elements that satisfies the applicable requirements of this Regulation. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 - ref_id: 6.A.4.2 - description: 'The manufacturer shall draw up a written EU declaration of conformity - for each product with digital elements in accordance with Article 20 and keep - it together with the technical documentation at the disposal of the national - authorities for 10 years after the product with digital elements has been - placed on the market. The EU declaration of conformity shall identify the - product with digital elements for which it has been drawn up. A copy of the - EU declaration of conformity shall be made available to the relevant authorities - upon request. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.5 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2 - ref_id: 6.A.5 - name: Authorised representatives - description: "The manufacturer\u2019s obligations set out in point 4 may be\ - \ fulfilled by his authorised representative, on his behalf and under his\ - \ responsibility, provided that they are specified in the mandate." - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 - ref_id: 6.B - name: EU-type examination (based on Module B) - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.1 - description: EU-type examination is the part of a conformity assessment procedure - in which a notified body examines the technical design and development of - a product and the vulnerability handling processes put in place by the manufacturer, - and attests that a product with digital elements meets the essential requirements - set out in Section 1 of Annex I and that the manufacturer meets the essential - requirements set out in Section 2 of Annex I. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.2 - description: EU-type examination shall be carried out by assessment of the adequacy - of the technical design and development of the product through examination - of the technical documentation and supporting evidence referred to in point - 3, plus examination of specimens of one or more critical parts of the product - (combination of production type and design type). - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.3 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node123 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 - description: The manufacturer shall lodge an application for EU-type examination - with a single notified body of his choice. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 - description: 'The application shall include:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node125 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 - description: '- the name and address of the manufacturer and, if the application - is lodged by the authorised representative, his name and address as well;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node126 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 - description: '- a written declaration that the same application has not been - lodged with any other notified body; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node127 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 - description: '- the technical documentation, which shall make it possible to - assess the product''s conformity with the applicable essential requirements - as set out in Section 1 of Annex I and the manufacturer''s vulnerability handling - processes set out in Section 2 of Annex I, and shall include an adequate analysis - and assessment of the risk(s). The technical documentation shall specify the - applicable requirements and cover, as far as relevant for the assessment, - the design, manufacture and operation of the product. The technical documentation - shall contain, wherever applicable, at least the elements set out in Annex - V; ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node128 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 - description: '- the supporting evidence for the adequacy of the technical design - and development solutions and vulnerability handling processes. This supporting - evidence shall mention any documents that have been used, in particular where - the relevant harmonised standards and/or technical specifications have not - been applied in full. The supporting evidence shall include, where necessary, - the results of tests carried out by the appropriate laboratory of the manufacturer, - or by another testing laboratory on his behalf and under his responsibility.' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.4 - description: 'The notified body shall: ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.1 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - ref_id: 6.B.4.1 - description: examine the technical documentation and supporting evidence to - assess the adequacy of the technical design and development of the product - with the essential requirements set out in Section 1 of Annex I and of the - vulnerability handling processes put in place by the manufacturer with the - essential requirements set out in Section 2 of Annex I; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.2 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - ref_id: 6.B.4.2 - description: verify that the specimen(s) have been developed or manufactured - in conformity with the technical documentation, and identify the elements - which have been designed and developed in accordance with the applicable provisions - of the relevant harmonised standards and/or technical specifications, as well - as the elements which have been designed and developed without applying the - relevant provisions of those standards; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.3 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - ref_id: 6.B.4.3 - description: carry out appropriate examinations and tests, or have them carried - out, to check whether, where the manufacturer has chosen to apply the solutions - in the relevant harmonised standards and/or technical specifications for the - requirements set out in Annex I, these have been applied correctly; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.4 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - ref_id: 6.B.4.4 - description: carry out appropriate examinations and tests, or have them carried - out, to check whether, where the solutions in the relevant harmonised standards - and/or technical specifications for the requirements set out in Annex I have - not been applied, the solutions adopted by the manufacturer meet the corresponding - essential requirements; - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.5 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 - ref_id: 6.B.4.5 - description: agree with the manufacturer on a location where the examinations - and tests will be carried out. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.5 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.5 - description: "The notified body shall draw up an evaluation report that records\ - \ the activities undertaken in accordance with point 4 and their outcomes.\ - \ Without prejudice to its obligations vis-\xE0-vis the notifying authorities,\ - \ the notified body shall release the content of that report, in full or in\ - \ part, only with the agreement of the manufacturer." - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.6 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node137 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 - description: Where the type and the vulnerability handling processes meet the - essential requirements set out in Annex I, the notified body shall issue an - EU-type examination certificate to the manufacturer. The certificate shall - contain the name and address of the manufacturer, the conclusions of the examination, - the conditions (if any) for its validity and the necessary data for identification - of the approved type and vulnerability handling processes. The certificate - may have one or more annexes attached. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node138 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 - description: The certificate and its annexes shall contain all relevant information - to allow the conformity of manufactured or developed products with the examined - type and vulnerability handling processes to be evaluated and to allow for - in-service control. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node139 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 - description: Where the type and the vulnerability handling processes do not - satisfy the applicable essential requirements set out in Annex I, the notified - body shall refuse to issue an EU-type examination certificate and shall inform - the applicant accordingly, giving detailed reasons for its refusal. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.7 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node141 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 - description: The notified body shall keep itself apprised of any changes in - the generally acknowledged state of the art which indicate that the approved - type and the vulnerability handling processes may no longer comply with the - applicable essential requirements set out in Annex I to this Regulation, and - shall determine whether such changes require further investigation. If so, - the notified body shall inform the manufacturer accordingly. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node142 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 - description: The manufacturer shall inform the notified body that holds the - technical documentation relating to the EU-type examination certificate of - all modifications to the approved type and the vulnerability handling processes - that may affect the conformity with the essential requirements set out in - Annex I, or the conditions for validity of the certificate. Such modifications - shall require additional approval in the form of an addition to the original - EU-type examination certificate. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.8 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node144 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 - description: Each notified body shall inform its notifying authorities concerning - the EU-type examination certificates and/or any additions thereto which it - has issued or withdrawn, and shall, periodically or upon request, make available - to its notifying authorities the list of certificates and/or any additions - thereto refused, suspended or otherwise restricted. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node145 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 - description: Each notified body shall inform the other notified bodies concerning - the EU-type examination certificates and/or any additions thereto which it - has refused, withdrawn, suspended or otherwise restricted, and, upon request, - concerning the certificates and/or additions thereto which it has issued. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node146 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 - description: The Commission, the Member States and the other notified bodies - may, on request, obtain a copy of the EU-type examination certificates and/or - additions thereto. On request, the Commission and the Member States may obtain - a copy of the technical documentation and the results of the examinations - carried out by the notified body. The notified body shall keep a copy of the - EU-type examination certificate, its annexes and additions, as well as the - technical file including the documentation submitted by the manufacturer, - until the expiry of the validity of the certificate. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.9 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.9 - description: The manufacturer shall keep a copy of the EU-type examination certificate, - its annexes and additions together with the technical documentation at the - disposal of the national authorities for 10 years after the product has been - placed on the market. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b - ref_id: 6.B.10 - description: The manufacturer's authorised representative may lodge the application - referred to in point 3 and fulfil the obligations set out in points 7 and - 9, provided that they are specified in the mandate. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 - ref_id: 6.C - name: Conformity to type based on internal production control (based on Module - C) - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c - ref_id: 6.C.1 - description: Conformity to type based on internal production control is the - part of a conformity assessment procedure whereby the manufacturer fulfils - the obligations laid down in points 2 and 3, and ensures and declares that - the products concerned are in conformity with the type described in the EU-type - examination certificate and satisfy the essential requirements set out in - Section 1 of Annex I. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c - ref_id: 6.C.2 - name: Production - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2.1 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2 - ref_id: 6.C.2.1 - description: 'The manufacturer shall take all measures necessary so that the - production and its monitoring ensure conformity of the manufactured products - with the approved type described in the EU-type examination certificate and - with the essential requirements as set out in Section 1 of Annex I. ' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c - ref_id: 6.C.3 - name: Conformity marking and declaration of conformity - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.1 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 - ref_id: 6.C.3.1 - description: The manufacturer shall affix the CE marking to each individual - product that is in conformity with the type described in the EU-type examination - certificate and satisfies the applicable requirements of the legislative instrument. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.2 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 - ref_id: 6.C.3.2 - description: The manufacturer shall draw up a written declaration of conformity - for a product model and keep it at the disposal of the national authorities - for 10 years after the product has been placed on the market. The declaration - of conformity shall identify the product model for which it has been drawn - up. A copy of the declaration of conformity shall be made available to the - relevant authorities upon request. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c - ref_id: 6.C.4 - name: Authorised representative - description: The manufacturer's obligations set out in point 3 may be fulfilled - by his authorised representative, on his behalf and under his responsibility, - provided that they are specified in the mandate. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 - ref_id: 6.H - name: Conformity based on full quality assurance (based on Module H) - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.1 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.1 - description: Conformity based on full quality assurance is the conformity assessment - procedure whereby the manufacturer fulfils the obligations laid down in points - 2 and 5, and ensures and declares on his sole responsibility that the products - (or product categories) concerned satisfy the essential requirements set out - in Section 1 of Annex I, and that the vulnerability handling processes put - in place by the manufacturer meet the requirements set out in Section 2 of - Annex I. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.2 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.2 - name: Design, development, production and vulnerability handling of products - with digital elements - description: The manufacturer shall operate an approved quality system as specified - in point 3 for the design, development, and production of the products concerned - and for handling vulnerabilities, maintain its effectiveness throughout the - lifecycle of the products concerned, and shall be subject to surveillance - as specified in point 4. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.3 - name: Quality system - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - ref_id: 6.H.3.1 - name: Surveillance under the responsibility of the notified body - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node162 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 - name: Conformity marking and declaration of conformity - description: The manufacturer shall lodge an application for assessment of his - quality system with the notified body of his choice, for the products concerned. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 - assessable: false - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 - description: 'The application shall include:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node164 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 - description: '- the name and address of the manufacturer and, if the application - is lodged by the authorised representative, his name and address as well;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node165 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 - description: '- the technical documentation for one model of each category of - products intended to be manufactured or developed. The technical documentation - shall, wherever applicable, contain at least the elements as set out in Annex - V;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node166 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 - description: '- the documentation concerning the quality system; and' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node167 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 - description: '- a written declaration that the same application has not been - lodged with any other notified body.' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - ref_id: 6.H.3.2 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node169 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 - description: The quality system shall ensure compliance of the products with - the essential requirements set out in Section 1 of Annex I and compliance - of the vulnerability handling processes put in place by the manufacturer with - the requirements set out in Section 2 of Annex I. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node170 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 - description: All the elements, requirements and provisions adopted by the manufacturer - shall be documented in a systematic and orderly manner in the form of written - policies, procedures and instructions. That quality system documentation shall - permit a consistent interpretation of the quality programmes, plans, manuals - and records. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - assessable: false - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 - description: 'It shall, in particular, contain an adequate description of:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node172 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the quality objectives and the organisational structure, responsibilities - and powers of the management with regard to design, development, product quality - and vulnerability handling;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node173 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the technical design and development specifications, including - standards, that will be applied and, where the relevant harmonised standards - and/or technical specifications will not be applied in full, the means that - will be used to ensure that the essential requirements set out in Section - 1 of Annex I that apply to the products will be met;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node174 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the procedural specifications, including standards, that will - be applied and, where the relevant harmonised standards and/or technical specifications - will not be applied in full, the means that will be used to ensure that the - essential requirements set out in Section 2 of Annex I that apply to the manufacturer - will be met;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node175 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the design and development control, as well as design and development - verification techniques, processes and systematic actions that will be used - when designing and developing the products pertaining to the product category - covered;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node176 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the corresponding production, quality control and quality assurance - techniques, processes and systematic actions that will be used;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node177 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the examinations and tests that will be carried out before, - during and after production, and the frequency with which they will be carried - out;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node178 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the quality records, such as inspection reports and test data, - calibration data, qualification reports on the personnel concerned, etc;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node179 - assessable: true - depth: 6 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 - description: '- the means of monitoring the achievement of the required design - and product quality and the effective operation of the quality system.' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - ref_id: 6.H.3.3 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node181 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - description: The notified body shall assess the quality system to determine - whether it satisfies the requirements referred to in point 3.2. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node182 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - description: It shall presume conformity with those requirements in respect - of the elements of the quality system that comply with the corresponding specifications - of the national standard that implements the relevant harmonised standard - and/or technical specification. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node183 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - description: In addition to experience in quality management systems, the auditing - team shall have at least one member experienced as an assessor in the relevant - product field and product technology concerned, and knowledge of the applicable - requirements of this Regulation. The audit shall include an assessment visit - to the manufacturer's premises, where such premises exist. The auditing team - shall review the technical documentation referred to in point 3.1, second - indent, to verify the manufacturer's ability to identify the applicable requirements - of this Regulation and to carry out the necessary examinations with a view - to ensuring compliance of the product with those requirements. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node184 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - description: The manufacturer or his authorised representative shall be notified - of the decision. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node185 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 - description: The notification shall contain the conclusions of the audit and - the reasoned assessment decision. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.4 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - ref_id: 6.H.3.4 - description: The manufacturer shall undertake to fulfil the obligations arising - out of the quality system as approved and to maintain it so that it remains - adequate and efficient. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 - ref_id: 6.H.3.5 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node188 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 - description: The manufacturer shall keep the notified body that has approved - the quality system informed of any intended change to the quality system. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node189 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 - description: The notified body shall evaluate any proposed changes and decide - whether the modified quality system will continue to satisfy the requirements - referred to in point 3.2 or whether a reassessment is necessary. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node190 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 - description: It shall notify the manufacturer of its decision. The notification - shall contain the conclusions of the examination and the reasoned assessment - decision. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.4 - name: Surveillance under the responsibility of the notified body - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.1 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 - ref_id: 6.H.4.1 - description: The purpose of surveillance is to make sure that the manufacturer - duly fulfils the obligations arising out of the approved quality system. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 - ref_id: 6.H.4.2 - description: 'The manufacturer shall, for assessment purposes, allow the notified - body access to the design, development, production, inspection, testing and - storage sites, and shall provide it with all necessary information, in particular:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node194 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 - description: '- the quality system documentation;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node195 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 - description: '- the quality records as provided for by the design part of the - quality system, such as results of analyses, calculations, tests, etc.;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node196 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 - description: '- the quality records as provided for by the manufacturing part - of the quality system, such as inspection reports and test data, calibration - data, qualification reports on the personnel concerned, etc.' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.3 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 - ref_id: 6.H.4.3 - description: The notified body shall carry out periodic audits to make sure - that the manufacturer maintains and applies the quality system and shall provide - the manufacturer with an audit report. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.5 - name: Conformity marking and declaration of conformity - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.1 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 - ref_id: 6.H.5.1 - description: The manufacturer shall affix the CE marking, and, under the responsibility - of the notified body referred to in point 3.1, the latter's identification - number to each individual product that satisfies the requirements set out - in Section 1 of Annex I to this Regulation. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 - ref_id: 6.H.5.2 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node201 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 - description: The manufacturer shall draw up a written declaration of conformity - for each product model and keep it at the disposal of the national authorities - for 10 years after the product has been placed on the market. The declaration - of conformity shall identify the product model for which it has been drawn - up. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node202 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 - description: A copy of the declaration of conformity shall be made available - to the relevant authorities upon request. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.6 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6 - description: 'The manufacturer shall, for a period ending at least 10 years - after the product has been placed on the market, keep at the disposal of the - national authorities:' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node205 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 - description: '- the technical documentation referred to in point 3.1;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node206 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 - description: '- the documentation concerning the quality system referred to - in point 3.1;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node207 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 - description: '- the change referred to in point 3.5, as approved;' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node208 - assessable: true - depth: 5 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 - description: '- the decisions and reports of the notified body referred to in - points 3.5, 4.3 and 4.4.' - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 - assessable: false - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.7 - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node210 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 - description: Each notified body shall inform its notifying authorities of quality - system approvals issued or withdrawn, and shall, periodically or upon request, - make available to its notifying authorities the list of quality system approvals - refused, suspended or otherwise restricted. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node211 - assessable: true - depth: 4 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 - description: Each notified body shall inform the other notified bodies of quality - system approvals which it has refused, suspended or withdrawn, and, upon request, - of quality system approvals which it has issued. - - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h - ref_id: 6.H.8 - name: Authorised representative - description: The manufacturer's obligations set out in points 3.1, 3.5, 5 and - 6 may be fulfilled by his authorised representative, on his behalf and under - his responsibility, provided that they are specified in the mandate. diff --git a/backend/library/libraries/cra-resolution-annexes.yaml b/backend/library/libraries/cra-regulation-annexes.yaml similarity index 98% rename from backend/library/libraries/cra-resolution-annexes.yaml rename to backend/library/libraries/cra-regulation-annexes.yaml index ceab3685c..6234bef45 100644 --- a/backend/library/libraries/cra-resolution-annexes.yaml +++ b/backend/library/libraries/cra-regulation-annexes.yaml @@ -1,13 +1,13 @@ urn: urn:intuitem:risk:library:cra-resolution-annexes locale: en ref_id: CRA-resolution-annexes -name: Cyber Resilience Act -description: "European Parliament legislative resolution of 12 March 2024 on the proposal\ - \ for a regulation of the European Parliament and of the Council on horizontal cybersecurity\ - \ requirements for products with digital elements and amending Regulation (EU) 2019/1020\ - \ (COM(2022)0454 \u2013 C9-0308/2022 \u2013 2022/0272(COD))\nhttps://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf" +name: Cyber Resilience Act - Annexes (CRA) +description: Annexes to the REGULATION (EU) 2024/2847 OF THE EUROPEAN PARLIAMENT AND + OF THE COUNCIL of 23 October 2024 on horizontal cybersecurity requirements for products + with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 + and Directive (EU) 2020/1828 (Cyber Resilience Act) copyright: European Union law -version: 2 +version: 3 publication_date: 2024-06-25 provider: EU packager: intuitem @@ -15,12 +15,11 @@ objects: framework: urn: urn:intuitem:risk:framework:cra-resolution-annexes ref_id: CRA-resolution-annexes - name: Cyber Resilience Act - description: "European Parliament legislative resolution of 12 March 2024 on the\ - \ proposal for a regulation of the European Parliament and of the Council on\ - \ horizontal cybersecurity requirements for products with digital elements and\ - \ amending Regulation (EU) 2019/1020 (COM(2022)0454 \u2013 C9-0308/2022 \u2013\ - \ 2022/0272(COD))\nhttps://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf" + name: Cyber Resilience Act - Annexes (CRA) + description: Annexes to the REGULATION (EU) 2024/2847 OF THE EUROPEAN PARLIAMENT + AND OF THE COUNCIL of 23 October 2024 on horizontal cybersecurity requirements + for products with digital elements and amending Regulations (EU) No 168/2013 + and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) requirement_nodes: - urn: urn:intuitem:risk:req_node:cra-resolution-annexes:1 assessable: false diff --git a/tools/cra/CRA-regulation-annexes.xlsx b/tools/cra/CRA-regulation-annexes.xlsx new file mode 100644 index 000000000..0dad37c6d Binary files /dev/null and b/tools/cra/CRA-regulation-annexes.xlsx differ diff --git a/tools/cra/CRA-resolution-annexes.xlsx b/tools/cra/CRA-resolution-annexes.xlsx deleted file mode 100644 index 55b3a3872..000000000 Binary files a/tools/cra/CRA-resolution-annexes.xlsx and /dev/null differ diff --git a/tools/cra/cra-proposal-annexes.xlsx b/tools/cra/cra-proposal-annexes.xlsx deleted file mode 100644 index de79bd357..000000000 Binary files a/tools/cra/cra-proposal-annexes.xlsx and /dev/null differ