cra-proposal-annexes.yaml

urn: urn:intuitem:risk:library:cra-proposal-annexes
locale: en
ref_id: CRA-proposal-annexes
name: Cyber Resilience Act
description: 'ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT
  AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital
  elements and amending Regulation (EU) 2019/1020

  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454'
copyright: European Union law
version: 1
provider: EU
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:cra-proposal-annexes
    ref_id: CRA-proposal-annexes
    name: Cyber Resilience Act
    description: ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT
      AND OF THE COUNCIL on horizontal cybersecurity requirements for products with
      digital elements and amending Regulation (EU) 2019/1020
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1
      assessable: false
      depth: 1
      ref_id: '1'
      name: ANNEX I
      description: ESSENTIAL CYBERSECURITY REQUIREMENTS
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1
      ref_id: '1.1'
      name: Security requirements relating to the properties of products with digital
        elements
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1
      ref_id: 1.1.1
      description: Products with digital elements shall be designed, developed and
        produced in such a way that they ensure an appropriate level of cybersecurity
        based on the risks;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1
      ref_id: 1.1.2
      description: Products with digital elements shall be delivered without any known
        exploitable vulnerabilities;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1
      ref_id: 1.1.3
      description: 'On the basis of the risk assessment referred to in Article 10(2)
        and where applicable, products with digital elements shall:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.a
      description: be delivered with a secure by default configuration, including
        the possibility to reset the product to its original state;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.b
      description: ensure protection from unauthorised access by appropriate control
        mechanisms, including but not limited to authentication, identity or access
        management systems;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.c
      description: protect the confidentiality of stored, transmitted or otherwise
        processed data, personal or other, such as by encrypting relevant data at
        rest or in transit by state of the art mechanisms;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.d
      description: protect the integrity of stored, transmitted or otherwise processed
        data, personal or other, commands, programs and configuration against any
        manipulation or modification not authorised by the user, as well as report
        on corruptions;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.e
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.e
      description: "process only data, personal or other, that are adequate, relevant\
        \ and limited to what is necessary in relation to the intended use of the\
        \ product (\u2018minimisation of data\u2019); "
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.f
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.f
      description: protect the availability of essential functions, including the
        resilience against and mitigation of denial of service attacks;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.g
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.g
      description: minimise their own negative impact on the availability of services
        provided by other devices or networks;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.h
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.h
      description: be designed, developed and produced to limit attack surfaces, including
        external interfaces;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.i
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.i
      description: be designed, developed and produced to reduce the impact of an
        incident using appropriate exploitation mitigation mechanisms and techniques;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.j
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.j
      description: provide security related information by recording and/or monitoring
        relevant internal activity, including the access to or modification of data,
        services or functions;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.k
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3
      ref_id: 1.1.3.k
      description: ensure that vulnerabilities can be addressed through security updates,
        including, where applicable, through automatic updates and the notification
        of available updates to users.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1
      ref_id: '1.2'
      name: "Vulnerability\_handling\_requirements"
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2
      description: 'Manufacturers of the products with digital elements shall:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.1
      description: identify and document vulnerabilities and components contained
        in the product, including by drawing up a software bill of materials in a
        commonly used and machine-readable format covering at the very least the top-level
        dependencies of the product;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.2
      description: in relation to the risks posed to the products with digital elements,
        address and remediate vulnerabilities without delay, including by providing
        security updates;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.3
      description: apply effective and regular tests and reviews of the security of
        the product with digital elements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.4
      description: once a security update has been made available, publically disclose
        information about fixed vulnerabilities, including a description of the vulnerabilities,
        information allowing users to identify the product with digital elements affected,
        the impacts of the vulnerabilities, their severity and information helping
        users to remediate the vulnerabilities;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.5
      description: put in place and enforce a policy on coordinated vulnerability
        disclosure;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.6
      description: take measures to facilitate the sharing of information about potential
        vulnerabilities in their product with digital elements as well as in third
        party components contained in that product, including by providing a contact
        address for the reporting of the vulnerabilities discovered in the product
        with digital elements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.7
      description: provide for mechanisms to securely distribute updates for products
        with digital elements to ensure that exploitable vulnerabilities are fixed
        or mitigated in a timely manner;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19
      ref_id: 1.2.8
      description: ensure that, where security patches or updates are available to
        address identified security issues, they are disseminated without delay and
        free of charge, accompanied by advisory messages providing users with the
        relevant information, including on potential action to be taken.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2
      assessable: false
      depth: 1
      ref_id: '2'
      name: ANNEX II
      description: INFORMATION AND INSTRUCTIONS TO THE USER
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2
      description: 'As a minimum, the product with digital elements shall be accompanied
        by:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.1'
      description: the name, registered trade name or registered trade mark of the
        manufacturer, and the postal address and the email address at which the manufacturer
        can be contacted, on the product or, where that is not possible, on its packaging
        or in a document accompanying the product;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.2'
      description: the point of contact where information about cybersecurity vulnerabilities
        of the product can be reported and received;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.3'
      description: the correct identification of the type, batch, version or serial
        number or other element allowing the identification of the product and the
        corresponding instructions and user information;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.4'
      description: "the intended use, including the security environment provided\
        \ by the manufacturer, as well as the product\u2019s essential functionalities\
        \ and information about the security properties;"
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.5'
      description: 'any known or foreseeable circumstance, related to the use of the
        product with digital elements in accordance with its intended purpose or under
        conditions of reasonably foreseeable misuse, which may lead to significant
        cybersecurity risks; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.6'
      description: if and, where applicable, where the software bill of materials
        can be accessed;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.7'
      description: 'where applicable, the internet address at which the EU declaration
        of conformity can be accessed; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.8'
      description: 'the type of technical security support offered by the manufacturer
        and until when it will be provided, at the very least until when users can
        expect to receive security updates; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29
      ref_id: '2.9'
      description: 'detailed instructions or an internet address referring to such
        detailed instructions and information on:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9
      ref_id: 2.9.a
      description: the necessary measures during initial commissioning and throughout
        the lifetime of the product to ensure its secure use;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9
      ref_id: 2.9.b
      description: how changes to the product can affect the security of data;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9
      ref_id: 2.9.c
      description: how security-relevant updates can be installed;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9
      ref_id: 2.9.d
      description: the secure decommissioning of the product, including information
        on how user data can be securely removed.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3
      assessable: false
      depth: 1
      ref_id: '3'
      name: ANNEX III
      description: CRITICAL PRODUCTS WITH DIGITAL ELEMENTS
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3
      ref_id: '3.1'
      name: Class I
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.1
      description: Identity management systems software and privileged access management
        software;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.2
      description: Standalone and embedded browsers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.3
      description: Password managers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.4
      description: Software that searches for, removes, or quarantines malicious software;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.5
      description: Products with digital elements with the function of virtual private
        network (VPN);
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.6
      description: Network management systems;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.7
      description: Network configuration management tools;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.8
      description: Network traffic monitoring systems;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.9
      description: Management of network resources;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.10
      description: Security information and event management (SIEM) systems;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.11
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.11
      description: Update/patch management, including boot managers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.12
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.12
      description: Application configuration management systems;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.13
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.13
      description: Remote access/sharing software;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.14
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.14
      description: Mobile device management software;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.15
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.15
      description: Physical network interfaces;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.16
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.16
      description: Operating systems not covered by class II;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.17
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.17
      description: Firewalls, intrusion detection and/or prevention systems not covered
        by class II;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.18
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.18
      description: Routers, modems intended for the connection to the internet, and
        switches, not covered by class II;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.19
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.19
      description: Microprocessors not covered by class II;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.20
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.20
      description: Microcontrollers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.21
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.21
      description: Application specific integrated circuits (ASIC) and field-programmable
        gate arrays (FPGA) intended for the use by essential entities of the type
        referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.22
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.22
      description: Industrial Automation & Control Systems (IACS) not covered by class
        II, such as programmable logic controllers (PLC), distributed control systems
        (DCS), computerised numeric controllers for machine tools (CNC) and supervisory
        control and data acquisition systems (SCADA);
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.23
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1
      ref_id: 3.1.23
      description: Industrial Internet of Things not covered by class II.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3
      ref_id: '3.2'
      name: Class II
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.1
      description: Operating systems for servers, desktops, and mobile devices;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.2
      description: Hypervisors and container runtime systems that support virtualised
        execution of operating systems and similar environments;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.3
      description: Public key infrastructure and digital certificate issuers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.4
      description: Firewalls, intrusion detection and/or prevention systems intended
        for industrial use;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.5
      description: General purpose microprocessors;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.6
      description: Microprocessors intended for integration in programmable logic
        controllers and secure elements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.7
      description: Routers, modems intended for the connection to the internet, and
        switches, intended for industrial use;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.8
      description: Secure elements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.9
      description: Hardware Security Modules (HSMs);
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.10
      description: Secure cryptoprocessors;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.11
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.11
      description: Smartcards, smartcard readers and tokens;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.12
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.12
      description: Industrial Automation & Control Systems (IACS) intended for the
        use by essential entities of the type referred to in [Annex I to the Directive
        XXX/XXXX (NIS2)], such as programmable logic controllers (PLC), distributed
        control systems (DCS), computerised numeric controllers for machine tools
        (CNC) and supervisory control and data acquisition systems (SCADA);
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.13
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.13
      description: Industrial Internet of Things devices intended for the use by essential
        entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.14
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.14
      description: Robot sensing and actuator components and robot controllers;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.15
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2
      ref_id: 3.2.15
      description: Smart meters.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4
      assessable: false
      depth: 1
      ref_id: '4'
      name: ANNEX IV
      description: EU DECLARATION OF CONFORMITY
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4
      description: 'The EU declaration of conformity referred to in Article 20, shall
        contain all of the following information:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.1'
      description: Name and type and any additional information enabling the unique
        identification of the product with digital elements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.2'
      description: 'Name and address of the manufacturer or his authorised representative; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.3'
      description: 'A statement that the EU declaration of conformity is issued under
        the sole responsibility of the provider; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.4'
      description: 'Object of the declaration (identification of the product allowing
        traceability. It may include a photograph, where appropriate); '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.5'
      description: A statement that the object of the declaration described above
        is in conformity with the relevant Union harmonisation legislation;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.6'
      description: 'References to any relevant harmonised standards used or any other
        common specification or cybersecurity certification in relation to which conformity
        is declared; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.7'
      description: 'Where applicable, the name and number of the notified body, a
        description of the conformity assessment procedure performed and identification
        of the certificate issued; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85
      ref_id: '4.8'
      description: "Additional information: \nSigned for and on behalf of:  \n(place\
        \ and date of issue): \n(name, function) (signature):"
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5
      assessable: false
      depth: 1
      ref_id: '5'
      name: ANNEX V
      description: CONTENTS OF THE TECHNICAL DOCUMENTATION
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5
      description: 'The technical documentation referred to in Article 23 shall contain
        at least the following information, as applicable to the relevant product
        with digital elements:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.1'
      description: 'a general description of the product with digital elements, including: '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1
      ref_id: 5.1.a
      description: 'its intended purpose; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1
      ref_id: 5.1.b
      description: 'versions of software affecting compliance with essential requirements; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1
      ref_id: 5.1.c
      description: 'where the product with digital elements is a hardware product,
        photographs or illustrations showing external features, marking and internal
        layout; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.d
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1
      ref_id: 5.1.d
      description: user information and instructions as set out in Annex II;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.2'
      description: 'a description of the design, development and production of the
        product and vulnerability handling processes, including: '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.a
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2
      ref_id: 5.2.a
      description: complete information on the design and development of the product
        with digital elements, including, where applicable, drawings and schemes and/or
        a description of the system architecture explaining how software components
        build on or feed into each other and integrate into the overall processing;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.b
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2
      ref_id: 5.2.b
      description: 'complete information and specifications of the vulnerability handling
        processes put in place by the manufacturer, including the software bill of
        materials, the coordinated vulnerability disclosure policy, evidence of the
        provision of a contact address for the reporting of the vulnerabilities and
        a description of the technical solutions chosen for the secure distribution
        of updates; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.c
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2
      ref_id: 5.2.c
      description: 'complete information and specifications of the production and
        monitoring processes of the product with digital elements and the validation
        of these processes. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.3'
      description: 'an assessment of the cybersecurity risks against which the product
        with digital elements is designed, developed, produced, delivered and maintained
        as laid down in Article 10 of this Regulation; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.4'
      description: 'a list of the harmonised standards applied in full or in part
        the references of which have been published in the Official Journal of the
        European Union, common specifications as set out in Article 19 of this Regulation
        or cybersecurity certification schemes under Regulation (EU) 2019/881 pursuant
        to Article 18(3), and, where those harmonised standards, common specifications
        or cybersecurity certification schemes have not been applied, descriptions
        of the solutions adopted to meet the essential requirements set out in Sections
        1 and 2 of Annex I, including a list of other relevant technical specifications
        applied. In the event of partly applied harmonised standards, common specifications
        or cybersecurity certifications, the technical documentation shall specify
        the parts which have been applied; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.5'
      description: reports of the tests carried out to verify the conformity of the
        product and of the vulnerability handling processes with the applicable essential
        requirements as set out in Sections 1 and 2 of Annex I;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.6'
      description: a copy of the EU declaration of conformity;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95
      ref_id: '5.7'
      description: 'where applicable, the software bill of materials as defined in
        Article 3, point (36), further to a reasoned request from a market surveillance
        authority provided that it is necessary in order for this authority to be
        able to check compliance with the essential requirements set out in Annex
        I. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6
      assessable: false
      depth: 1
      ref_id: '6'
      name: ANNEX VI
      description: CONFORMITY ASSESSMENT PROCEDURES
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6
      ref_id: 6.A
      name: Conformity Assessment procedure based on internal control (based on Module
        A)
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a
      ref_id: 6.A.1
      description: Internal control is the conformity assessment procedure whereby
        the manufacturer fulfils the obligations laid down in points 2, 3 and 4, and
        ensures and declares on its sole responsibility that the products with digital
        elements satisfy all the essential requirements set out in Section 1 of Annex
        I and the manufacturer meets the essential requirements set out in Section
        2 of Annex I.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a
      ref_id: 6.A.2
      description: 'The manufacturer shall draw up the technical documentation described
        in Annex V. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a
      ref_id: 6.A.3
      name: Design, development, production and vulnerability handling of products
        with digital elements
      description: 'The manufacturer shall take all measures necessary so that the
        design, development, production and vulnerability handling processes and their
        monitoring ensure compliance of the manufactured or developed products with
        digital elements and of the processes put in place by the manufacturer with
        the essential requirements set out in sections 1 and 2 of Annex I. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a
      ref_id: 6.A.4
      name: Conformity marking and declaration of conformity
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4
      ref_id: 6.A.4.1
      description: The manufacturer shall affix the CE to each individual product
        with digital elements that satisfies the applicable requirements of this Regulation.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4
      ref_id: 6.A.4.2
      description: 'The manufacturer shall draw up a written EU declaration of conformity
        for each product with digital elements in accordance with Article 20 and keep
        it together with the technical documentation at the disposal of the national
        authorities for 10 years after the product with digital elements has been
        placed on the market. The EU declaration of conformity shall identify the
        product with digital elements for which it has been drawn up. A copy of the
        EU declaration of conformity shall be made available to the relevant authorities
        upon request. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2
      ref_id: 6.A.5
      name: Authorised representatives
      description: "The manufacturer\u2019s obligations set out in point 4 may be\
        \ fulfilled by his authorised representative, on his behalf and under his\
        \ responsibility, provided that they are specified in the mandate."
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6
      ref_id: 6.B
      name: EU-type examination (based on Module B)
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.1
      description: EU-type examination is the part of a conformity assessment procedure
        in which a notified body examines the technical design and development of
        a product and the vulnerability handling processes put in place by the manufacturer,
        and attests that a product with digital elements meets the essential requirements
        set out in Section 1 of Annex I and that the manufacturer meets the essential
        requirements set out in Section 2 of Annex I.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.2
      description: EU-type examination shall be carried out by assessment of the adequacy
        of the technical design and development of the product through examination
        of the technical documentation and supporting evidence referred to in point
        3, plus examination of specimens of one or more critical parts of the product
        (combination of production type and design type).
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.3
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node123
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3
      description: The manufacturer shall lodge an application for EU-type examination
        with a single notified body of his choice.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3
      description: 'The application shall include:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node125
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124
      description: '- the name and address of the manufacturer and, if the application
        is lodged by the authorised representative, his name and address as well;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node126
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124
      description: '- a written declaration that the same application has not been
        lodged with any other notified body; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node127
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124
      description: '- the technical documentation, which shall make it possible to
        assess the product''s conformity with the applicable essential requirements
        as set out in Section 1 of Annex I and the manufacturer''s vulnerability handling
        processes set out in Section 2 of Annex I, and shall include an adequate analysis
        and assessment of the risk(s). The technical documentation shall specify the
        applicable requirements and cover, as far as relevant for the assessment,
        the design, manufacture and operation of the product. The technical documentation
        shall contain, wherever applicable, at least the elements set out in Annex
        V; '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node128
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124
      description: '- the supporting evidence for the adequacy of the technical design
        and development solutions and vulnerability handling processes. This supporting
        evidence shall mention any documents that have been used, in particular where
        the relevant harmonised standards and/or technical specifications have not
        been applied in full. The supporting evidence shall include, where necessary,
        the results of tests carried out by the appropriate laboratory of the manufacturer,
        or by another testing laboratory on his behalf and under his responsibility.'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.4
      description: 'The notified body shall: '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      ref_id: 6.B.4.1
      description: examine the technical documentation and supporting evidence to
        assess the adequacy of the technical design and development of the product
        with the essential requirements set out in Section 1 of Annex I and of the
        vulnerability handling processes put in place by the manufacturer with the
        essential requirements set out in Section 2 of Annex I;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      ref_id: 6.B.4.2
      description: verify that the specimen(s) have been developed or manufactured
        in conformity with the technical documentation, and identify the elements
        which have been designed and developed in accordance with the applicable provisions
        of the relevant harmonised standards and/or technical specifications, as well
        as the elements which have been designed and developed without applying the
        relevant provisions of those standards;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      ref_id: 6.B.4.3
      description: carry out appropriate examinations and tests, or have them carried
        out, to check whether, where the manufacturer has chosen to apply the solutions
        in the relevant harmonised standards and/or technical specifications for the
        requirements set out in Annex I, these have been applied correctly;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.4
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      ref_id: 6.B.4.4
      description: carry out appropriate examinations and tests, or have them carried
        out, to check whether, where the solutions in the relevant harmonised standards
        and/or technical specifications for the requirements set out in Annex I have
        not been applied, the solutions adopted by the manufacturer meet the corresponding
        essential requirements;
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4
      ref_id: 6.B.4.5
      description: agree with the manufacturer on a location where the examinations
        and tests will be carried out.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.5
      description: "The notified body shall draw up an evaluation report that records\
        \ the activities undertaken in accordance with point 4 and their outcomes.\
        \ Without prejudice to its obligations vis-\xE0-vis the notifying authorities,\
        \ the notified body shall release the content of that report, in full or in\
        \ part, only with the agreement of the manufacturer."
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.6
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node137
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6
      description: Where the type and the vulnerability handling processes meet the
        essential requirements set out in Annex I, the notified body shall issue an
        EU-type examination certificate to the manufacturer. The certificate shall
        contain the name and address of the manufacturer, the conclusions of the examination,
        the conditions (if any) for its validity and the necessary data for identification
        of the approved type and vulnerability handling processes. The certificate
        may have one or more annexes attached.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node138
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6
      description: The certificate and its annexes shall contain all relevant information
        to allow the conformity of manufactured or developed products with the examined
        type and vulnerability handling processes to be evaluated and to allow for
        in-service control.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node139
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6
      description: Where the type and the vulnerability handling processes do not
        satisfy the applicable essential requirements set out in Annex I, the notified
        body shall refuse to issue an EU-type examination certificate and shall inform
        the applicant accordingly, giving detailed reasons for its refusal.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.7
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node141
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7
      description: The notified body shall keep itself apprised of any changes in
        the generally acknowledged state of the art which indicate that the approved
        type and the vulnerability handling processes may no longer comply with the
        applicable essential requirements set out in Annex I to this Regulation, and
        shall determine whether such changes require further investigation. If so,
        the notified body shall inform the manufacturer accordingly.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node142
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7
      description: The manufacturer shall inform the notified body that holds the
        technical documentation relating to the EU-type examination certificate of
        all modifications to the approved type and the vulnerability handling processes
        that may affect the conformity with the essential requirements set out in
        Annex I, or the conditions for validity of the certificate. Such modifications
        shall require additional approval in the form of an addition to the original
        EU-type examination certificate.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.8
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node144
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8
      description: Each notified body shall inform its notifying authorities concerning
        the EU-type examination certificates and/or any additions thereto which it
        has issued or withdrawn, and shall, periodically or upon request, make available
        to its notifying authorities the list of certificates and/or any additions
        thereto refused, suspended or otherwise restricted.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node145
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8
      description: Each notified body shall inform the other notified bodies concerning
        the EU-type examination certificates and/or any additions thereto which it
        has refused, withdrawn, suspended or otherwise restricted, and, upon request,
        concerning the certificates and/or additions thereto which it has issued.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node146
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8
      description: The Commission, the Member States and the other notified bodies
        may, on request, obtain a copy of the EU-type examination certificates and/or
        additions thereto. On request, the Commission and the Member States may obtain
        a copy of the technical documentation and the results of the examinations
        carried out by the notified body. The notified body shall keep a copy of the
        EU-type examination certificate, its annexes and additions, as well as the
        technical file including the documentation submitted by the manufacturer,
        until the expiry of the validity of the certificate.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.9
      description: The manufacturer shall keep a copy of the EU-type examination certificate,
        its annexes and additions together with the technical documentation at the
        disposal of the national authorities for 10 years after the product has been
        placed on the market.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b
      ref_id: 6.B.10
      description: The manufacturer's authorised representative may lodge the application
        referred to in point 3 and fulfil the obligations set out in points 7 and
        9, provided that they are specified in the mandate.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6
      ref_id: 6.C
      name: Conformity to type based on internal production control (based on Module
        C)
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c
      ref_id: 6.C.1
      description: Conformity to type based on internal production control is the
        part of a conformity assessment procedure whereby the manufacturer fulfils
        the obligations laid down in points 2 and 3, and ensures and declares that
        the products concerned are in conformity with the type described in the EU-type
        examination certificate and satisfy the essential requirements set out in
        Section 1 of Annex I.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c
      ref_id: 6.C.2
      name: Production
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2
      ref_id: 6.C.2.1
      description: 'The manufacturer shall take all measures necessary so that the
        production and its monitoring ensure conformity of the manufactured products
        with the approved type described in the EU-type examination certificate and
        with the essential requirements as set out in Section 1 of Annex I. '
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c
      ref_id: 6.C.3
      name: Conformity marking and declaration of conformity
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3
      ref_id: 6.C.3.1
      description: The manufacturer shall affix the CE marking to each individual
        product that is in conformity with the type described in the EU-type examination
        certificate and satisfies the applicable requirements of the legislative instrument.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3
      ref_id: 6.C.3.2
      description: The manufacturer shall draw up a written declaration of conformity
        for a product model and keep it at the disposal of the national authorities
        for 10 years after the product has been placed on the market. The declaration
        of conformity shall identify the product model for which it has been drawn
        up. A copy of the declaration of conformity shall be made available to the
        relevant authorities upon request.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c
      ref_id: 6.C.4
      name: Authorised representative
      description: The manufacturer's obligations set out in point 3 may be fulfilled
        by his authorised representative, on his behalf and under his responsibility,
        provided that they are specified in the mandate.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6
      ref_id: 6.H
      name: Conformity based on full quality assurance (based on Module H)
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.1
      description: Conformity based on full quality assurance is the conformity assessment
        procedure whereby the manufacturer fulfils the obligations laid down in points
        2 and 5, and ensures and declares on his sole responsibility that the products
        (or product categories) concerned satisfy the essential requirements set out
        in Section 1 of Annex I, and that the vulnerability handling processes put
        in place by the manufacturer meet the requirements set out in Section 2 of
        Annex I.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.2
      name: Design, development, production and vulnerability handling of products
        with digital elements
      description: The manufacturer shall operate an approved quality system as specified
        in point 3 for the design, development, and production of the products concerned
        and for handling vulnerabilities, maintain its effectiveness throughout the
        lifecycle of the products concerned, and shall be subject to surveillance
        as specified in point 4.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.3
      name: Quality system
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      ref_id: 6.H.3.1
      name: Surveillance under the responsibility of the notified body
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node162
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1
      name: Conformity marking and declaration of conformity
      description: The manufacturer shall lodge an application for assessment of his
        quality system with the notified body of his choice, for the products concerned.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1
      description: 'The application shall include:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node164
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163
      description: '- the name and address of the manufacturer and, if the application
        is lodged by the authorised representative, his name and address as well;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node165
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163
      description: '- the technical documentation for one model of each category of
        products intended to be manufactured or developed. The technical documentation
        shall, wherever applicable, contain at least the elements as set out in Annex
        V;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node166
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163
      description: '- the documentation concerning the quality system; and'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node167
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163
      description: '- a written declaration that the same application has not been
        lodged with any other notified body.'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      ref_id: 6.H.3.2
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node169
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2
      description: The quality system shall ensure compliance of the products with
        the essential requirements set out in Section 1 of Annex I and compliance
        of the vulnerability handling processes put in place by the manufacturer with
        the requirements set out in Section 2 of Annex I.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node170
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2
      description: All the elements, requirements and provisions adopted by the manufacturer
        shall be documented in a systematic and orderly manner in the form of written
        policies, procedures and instructions. That quality system documentation shall
        permit a consistent interpretation of the quality programmes, plans, manuals
        and records.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2
      description: 'It shall, in particular, contain an adequate description of:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node172
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the quality objectives and the organisational structure, responsibilities
        and powers of the management with regard to design, development, product quality
        and vulnerability handling;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node173
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the technical design and development specifications, including
        standards, that will be applied and, where the relevant harmonised standards
        and/or technical specifications will not be applied in full, the means that
        will be used to ensure that the essential requirements set out in Section
        1 of Annex I that apply to the products will be met;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node174
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the procedural specifications, including standards, that will
        be applied and, where the relevant harmonised standards and/or technical specifications
        will not be applied in full, the means that will be used to ensure that the
        essential requirements set out in Section 2 of Annex I that apply to the manufacturer
        will be met;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node175
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the design and development control, as well as design and development
        verification techniques, processes and systematic actions that will be used
        when designing and developing the products pertaining to the product category
        covered;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node176
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the corresponding production, quality control and quality assurance
        techniques, processes and systematic actions that will be used;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node177
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the examinations and tests that will be carried out before,
        during and after production, and the frequency with which they will be carried
        out;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node178
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the quality records, such as inspection reports and test data,
        calibration data, qualification reports on the personnel concerned, etc;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node179
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171
      description: '- the means of monitoring the achievement of the required design
        and product quality and the effective operation of the quality system.'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      ref_id: 6.H.3.3
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node181
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      description: The notified body shall assess the quality system to determine
        whether it satisfies the requirements referred to in point 3.2.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node182
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      description: It shall presume conformity with those requirements in respect
        of the elements of the quality system that comply with the corresponding specifications
        of the national standard that implements the relevant harmonised standard
        and/or technical specification.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node183
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      description: In addition to experience in quality management systems, the auditing
        team shall have at least one member experienced as an assessor in the relevant
        product field and product technology concerned, and knowledge of the applicable
        requirements of this Regulation. The audit shall include an assessment visit
        to the manufacturer's premises, where such premises exist. The auditing team
        shall review the technical documentation referred to in point 3.1, second
        indent, to verify the manufacturer's ability to identify the applicable requirements
        of this Regulation and to carry out the necessary examinations with a view
        to ensuring compliance of the product with those requirements.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node184
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      description: The manufacturer or his authorised representative shall be notified
        of the decision.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node185
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3
      description: The notification shall contain the conclusions of the audit and
        the reasoned assessment decision.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      ref_id: 6.H.3.4
      description: The manufacturer shall undertake to fulfil the obligations arising
        out of the quality system as approved and to maintain it so that it remains
        adequate and efficient.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3
      ref_id: 6.H.3.5
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node188
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5
      description: The manufacturer shall keep the notified body that has approved
        the quality system informed of any intended change to the quality system.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node189
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5
      description: The notified body shall evaluate any proposed changes and decide
        whether the modified quality system will continue to satisfy the requirements
        referred to in point 3.2 or whether a reassessment is necessary.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node190
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5
      description: It shall notify the manufacturer of its decision. The notification
        shall contain the conclusions of the examination and the reasoned assessment
        decision.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.4
      name: Surveillance under the responsibility of the notified body
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4
      ref_id: 6.H.4.1
      description: The purpose of surveillance is to make sure that the manufacturer
        duly fulfils the obligations arising out of the approved quality system.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4
      ref_id: 6.H.4.2
      description: 'The manufacturer shall, for assessment purposes, allow the notified
        body access to the design, development, production, inspection, testing and
        storage sites, and shall provide it with all necessary information, in particular:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node194
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2
      description: '- the quality system documentation;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node195
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2
      description: '- the quality records as provided for by the design part of the
        quality system, such as results of analyses, calculations, tests, etc.;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node196
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2
      description: '- the quality records as provided for by the manufacturing part
        of the quality system, such as inspection reports and test data, calibration
        data, qualification reports on the personnel concerned, etc.'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.3
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4
      ref_id: 6.H.4.3
      description: The notified body shall carry out periodic audits to make sure
        that the manufacturer maintains and applies the quality system and shall provide
        the manufacturer with an audit report.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.5
      name: Conformity marking and declaration of conformity
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.1
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5
      ref_id: 6.H.5.1
      description: The manufacturer shall affix the CE marking, and, under the responsibility
        of the notified body referred to in point 3.1, the latter's identification
        number to each individual product that satisfies the requirements set out
        in Section 1 of Annex I to this Regulation.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5
      ref_id: 6.H.5.2
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node201
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2
      description: The manufacturer shall draw up a written declaration of conformity
        for each product model and keep it at the disposal of the national authorities
        for 10 years after the product has been placed on the market. The declaration
        of conformity shall identify the product model for which it has been drawn
        up.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node202
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2
      description: A copy of the declaration of conformity shall be made available
        to the relevant authorities upon request.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.6
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6
      description: 'The manufacturer shall, for a period ending at least 10 years
        after the product has been placed on the market, keep at the disposal of the
        national authorities:'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node205
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204
      description: '- the technical documentation referred to in point 3.1;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node206
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204
      description: '- the documentation concerning the quality system referred to
        in point 3.1;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node207
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204
      description: '- the change referred to in point 3.5, as approved;'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node208
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204
      description: '- the decisions and reports of the notified body referred to in
        points 3.5, 4.3 and 4.4.'
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.7
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node210
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7
      description: Each notified body shall inform its notifying authorities of quality
        system approvals issued or withdrawn, and shall, periodically or upon request,
        make available to its notifying authorities the list of quality system approvals
        refused, suspended or otherwise restricted.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node211
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7
      description: Each notified body shall inform the other notified bodies of quality
        system approvals which it has refused, suspended or withdrawn, and, upon request,
        of quality system approvals which it has issued.
    - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h
      ref_id: 6.H.8
      name: Authorised representative
      description: The manufacturer's obligations set out in points 3.1, 3.5, 5 and
        6 may be fulfilled by his authorised representative, on his behalf and under
        his responsibility, provided that they are specified in the mandate.