ANNEX VIII
CONFORMITY ASSESSMENT PROCEDURES
Part I Conformity assessment procedure based on internal control (based on Module A)
1. "Internal control" means the conformity assessment procedure whereby the manufacturer fulfills the obligations laid down in points 2, 3 and 4 of this Part and ensures and declares, on its sole responsibility, that the products with digital elements concerned satisfy all the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
2. The manufacturer shall draw up the technical documentation described in Annex VII.
3. Design, development, production and response to vulnerabilities of products with digital elements
The manufacturer shall take all measures necessary so that the design, development and production processes, the procedures for responding to vulnerabilities, and the monitoring of those processes and procedures ensure that the manufactured or developed products with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Parts I and II of Annex I.
4. Conformity marking and declaration of conformity
4.1. The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements of this Regulation.
4.2. The manufacturer shall draw up a written EU declaration of conformity in accordance with Article 28 for each product with digital elements and keep it, together with the technical documentation, at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.
5. Authorized representatives
The manufacturer's obligations set out in point 4 may be fulfilled on behalf of and under the responsibility of the manufacturer by the manufacturer's authorized representative, provided that the relevant obligations are specified in the mandate.
Part II EU-type examination (based on Module B)
1. "EU-type examination" means the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the procedures established by the manufacturer for responding to vulnerabilities, and attests that the product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
2. The EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through examination of the technical documentation and supporting evidence referred to in point 3, and by examination of samples of one or more critical parts of the product (combination of production type and design type).
3. The manufacturer shall submit an application for EU-type examination to a notified body of its choice.
The application shall include:
(a) the name and address of the manufacturer and, if the application is submitted by the manufacturer's authorized representative, the name and address of that authorized representative;
(b) a written declaration that the same application has not been submitted to another notified body;
(c) the technical documentation that allows for the assessment of whether the product with digital elements complies with the applicable essential cybersecurity requirements of Part I of Annex I and whether the manufacturer's procedures for responding to vulnerabilities comply with Part II of Annex I, and which includes an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall, where applicable, contain at least the elements specified in Annex VII;
(d) the evidence for the adequacy of the technical design and development solutions and of the procedures for responding to vulnerabilities. The evidence shall include all documents used, in particular where the relevant harmonized standards or technical specifications have not been applied in full. Where necessary, the results of tests carried out by a suitable laboratory of the manufacturer, or by another laboratory on behalf of and under the responsibility of the manufacturer, shall also be included.
4. The notified body shall:
(a) examine the technical documentation and supporting evidence to assess whether the technical design and development of the product with digital elements complies with the essential cybersecurity requirements set out in Part I of Annex I and whether the procedures established by the manufacturer for responding to vulnerabilities comply with the essential cybersecurity requirements set out in Part II of Annex I;
(b) verify that the samples have been developed or manufactured in accordance with the technical documentation, and identify the elements that have been designed and developed in accordance with the applicable provisions of the relevant harmonized standards or technical specifications, as well as the elements that have been designed and developed without applying the relevant provisions of those standards;
(c) carry out the necessary examinations and tests, or have them carried out, to verify that, where the manufacturer has chosen to apply the solutions in the relevant harmonized standards or technical specifications for the requirements of Annex I, those solutions have been applied correctly;
(d) carry out the necessary examinations and tests, or have them carried out, to verify that, where the solutions in the relevant harmonized standards or technical specifications for the cybersecurity requirements set out in Annex I have not been applied, the solutions chosen by the manufacturer meet the relevant essential cybersecurity requirements;
(e) agree with the manufacturer on the location where the examinations and tests will be carried out.
5. The notified body shall draw up an evaluation report on the activities carried out in accordance with point 4 and their results. Without prejudice to its obligations towards the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.
6. Where the type and the procedures for responding to vulnerabilities comply with the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, any conditions for its validity, and the data necessary for identification of the approved type and the approved procedures for responding to vulnerabilities. One or more annexes may be attached to the certificate.
The certificate and its annexes shall contain all relevant information to enable the conformity of the manufactured or developed products with digital elements with the examined type and the examined procedures for responding to vulnerabilities to be evaluated, and to allow for control in use.
Where the type and procedures for responding to vulnerabilities do not comply with the applicable essential cybersecurity requirements set out in Annex I, the notified body shall refuse to issue an EU-type examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.
7. The notified body shall keep itself informed of any changes in the generally recognized state of the art that indicate that the approved type and the approved procedures for responding to vulnerabilities may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.
The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the approved procedures for responding to vulnerabilities that may affect compliance with the essential cybersecurity requirements set out in Annex I or the conditions for validity of the certificate. Such changes shall require additional approval in the form of an addendum to the original EU-type examination certificate.
8. The notified body shall carry out periodic audits to ensure that the procedures for responding to vulnerabilities described in Part II of Annex I are being adequately implemented.
9. Each notified body shall inform its notifying authorities of the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.
Each notified body shall inform the other notified bodies of the EU-type examination certificates and any additions thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and additions thereto which it has issued.
The Commission, the Member States, and the other notified bodies may, on request, obtain a copy of the EU-type examination certificates and any additions thereto. The Commission and the Member States may, on request, obtain a copy of the technical documentation and the results of the examination carried out by the notified body. The notified body shall keep a copy of the EU-type examination certificate, its annexes and additions, as well as the technical file, including the documentation provided by the manufacturer, until the end of the validity of the certificate.
10. The manufacturer shall, for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU-type examination certificate, its annexes and additions, together with the technical documentation, at the disposal of the national authorities.
11. The manufacturer's authorized representative may submit the application referred to in point 3 and fulfill the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.
Part III Conformity to type based on internal production control (based on Module C)
1. "Conformity to type based on internal production control" means the part of a conformity assessment procedure whereby the manufacturer fulfills the obligations laid down in points 2 and 3, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I, and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
2. Production
The manufacturer shall take all measures necessary to ensure that the manufacturing process and its monitoring ensure that the manufactured products with digital elements are in conformity with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements set out in Part I of Annex I, and shall ensure that the manufacturer complies with the essential cybersecurity requirements set out in Part II of Annex I.
3. Conformity marking and declaration of conformity
The manufacturer shall affix the CE marking to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements of this Regulation.
The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.
4. Authorized representative
The manufacturer's obligations set out in point 3 may be fulfilled on behalf of and under the responsibility of the manufacturer by the manufacturer's authorized representative, provided that the relevant obligations are specified in the mandate.
Part IV Conformity based on full quality assurance (based on Module H)
1. "Conformity based on full quality assurance" means the conformity assessment procedure whereby the manufacturer fulfills the obligations laid down in points 2 and 5 of this Part and ensures and declares, on its sole responsibility, that the products with digital elements or product categories concerned satisfy all the essential cybersecurity requirements set out in Part I of Annex I and that the procedures put in place by the manufacturer for responding to vulnerabilities meet the requirements of Part II of Annex I.
2. Design, development, production and response to vulnerabilities of products with digital elements
The manufacturer shall apply an approved quality system as referred to in point 3 to the design, development, final product control, and product testing of the products with digital elements concerned, and to the response to vulnerabilities, shall maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4.
3. Quality system
3.1. The manufacturer shall lodge an application for assessment of its quality system with a notified body of its choice in respect of the products with digital elements concerned.
The application shall include:
(a) the name and address of the manufacturer and, if the application is submitted by the manufacturer's authorized representative, the name and address of that authorized representative;
(b) the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall include, where applicable, at least the elements listed in Annex VII;
(c) the documentation on the quality system; and
(d) a written declaration that the same application has not been submitted to another notified body.
3.2. The quality system shall ensure that the products with digital elements comply with the essential cybersecurity requirements set out in Part I of Annex I and that the procedures established by the manufacturer for responding to vulnerabilities comply with the essential cybersecurity requirements set out in Part II of Annex I.
All elements, requirements, and provisions established by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures, and instructions. This documentation of the quality system shall enable the quality programs, plans, manuals, and records to be interpreted unambiguously.
It shall, in particular, contain an adequate description of:
(a) the quality objectives and the organizational structure, responsibilities and powers of management with regard to design, development, product quality and response to vulnerabilities;
(b) the technical design and development specifications, including standards, that will be applied and, where the relevant harmonized standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;
(c) the procedural specifications, including standards, that will be applied and, where the relevant harmonized standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;
(d) the design and development control, and the design and development verification techniques, processes and systematic measures that will be used when designing and developing the products with digital elements in the product category concerned;
(e) the corresponding production, quality control and quality assurance techniques, processes and systematic measures that will be used;
(f) the examinations and tests to be carried out before, during and after production, and the frequency with which they will be carried out;
(g) the quality records, such as inspection reports, test and calibration data, and reports on the qualifications of the personnel concerned;
(h) the means to monitor the achievement of the required design and product quality and the effective operation of the quality system.
3.3. The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2.
It shall presume that those requirements are met in respect of the elements of the quality system that comply with the relevant specifications of the national standard implementing the relevant harmonized standard or technical specification.
The audit team shall have experience in quality management systems. In addition, at least one member of the team shall have experience in assessments in the relevant product area and product technology and shall be aware of the applicable requirements of this Regulation. The audit shall include an assessment visit to the manufacturer's premises, if such premises exist. The audit team shall evaluate the technical documentation referred to in point 3.1(b) to verify that the manufacturer is aware of the applicable requirements of this Regulation and is capable of carrying out the necessary investigations to ensure that the product with digital elements complies with those requirements.
The manufacturer or the manufacturer's authorized representative shall be notified of the decision.
That notification shall include the conclusions of the audit and the reasoned assessment decision.
3.4. The manufacturer shall undertake to fulfill the obligations arising from the quality system as approved and to ensure that the system remains appropriate and effective.
3.5. The manufacturer shall inform the notified body that has approved the quality system of any intended change to the quality system.
The notified body shall evaluate the proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
It shall notify the manufacturer of its decision. That notification shall contain the conclusions of the examination and the reasoned assessment decision.
4. Surveillance under the responsibility of the notified body
4.1. The purpose of surveillance is to verify that the manufacturer duly fulfills the obligations arising from the approved quality system.
4.2. The manufacturer shall, for assessment purposes, grant the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:
(a) the documentation on the quality system;
(b) the quality records referred to in the part of the quality system relating to design, such as results of analyses, calculations and tests;
(c) the quality records referred to in the part of the quality system relating to manufacturing, such as inspection reports, test and calibration data, and reports on the qualifications of the personnel concerned.
4.3. The notified body shall carry out periodic audits to verify that the manufacturer maintains and applies the quality system, and shall provide the manufacturer with an audit report.
5. Conformity marking and declaration of conformity
5.1. The manufacturer shall affix the CE marking and, under the responsibility of the notified body referred to in point 3.1, the identification number of that body to each individual product with digital elements that satisfies the requirements of Part I of Annex I.
5.2. The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.
6. The manufacturer shall, for a period of at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep the following at the disposal of the national authorities:
(a) the technical documentation referred to in point 3.1;
(b) the documentation on the quality system referred to in point 3.1;
(c) the amendments referred to in point 3.5, as approved;
(d) the decisions and reports of the notified body referred to in points 3.5 and 4.3.
7. Each notified body shall inform its notifying authorities of the quality system approvals it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals it has refused, suspended or otherwise restricted.
Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended, or withdrawn, and, upon request, of quality system approvals which it has issued.
8. Authorized representative
The manufacturer's obligations set out in points 3.1, 3.5, 5, and 6 may be fulfilled on behalf of and under the responsibility of the manufacturer by the manufacturer's authorized representative, provided that the relevant obligations are specified in the mandate.
A statement was made in relation to this regulation; that statement can be consulted in OJ C, 2024/6786, 20.11.2024 and via the following link: ELI: http://data.europa.eu/eli/C/2024/6786/oj.