diff --git a/backend/library/libraries/cra-proposal-annexes.yaml b/backend/library/libraries/cra-proposal-annexes.yaml new file mode 100644 index 000000000..acfc4aca5 --- /dev/null +++ b/backend/library/libraries/cra-proposal-annexes.yaml 
@@ -0,0 +1,1569 @@ +urn: urn:intuitem:risk:library:cra-proposal-annexes +locale: en +ref_id: CRA-proposal-annexes +name: Cyber Resilience Act +description: ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND + OF THE COUNCIL on horizontal cybersecurity requirements for products with digital + elements and amending Regulation (EU) 2019/1020 +copyright: European Union law +version: 1 +provider: EU +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:cra-proposal-annexes + ref_id: CRA-proposal-annexes + name: Cyber Resilience Act + description: ANNEXES to the PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT + AND OF THE COUNCIL on horizontal cybersecurity requirements for products with + digital elements and amending Regulation (EU) 2019/1020 + requirement_nodes: + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 + assessable: false + depth: 1 + ref_id: '1' + name: ANNEX I + description: ESSENTIAL CYBERSECURITY REQUIREMENTS + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 + ref_id: '1.1' + name: Security requirements relating to the properties of products with digital + elements + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 + ref_id: 1.1.1 + description: Products with digital elements shall be designed, developed and + produced in such a way that they ensure an appropriate level of cybersecurity + based on the risks; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 + ref_id: 1.1.2 + description: Products with digital elements shall be delivered without any known + exploitable vulnerabilities; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1 + ref_id: 1.1.3 + description: 'On the basis of the risk assessment referred to in Article 10(2) + and where applicable, products with digital elements shall:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.a + description: be delivered with a secure by default configuration, including + the possibility to reset the product to its original state; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.b + description: ensure protection from unauthorised access by appropriate control + mechanisms, including but not limited to authentication, identity or access + management systems; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.c + description: protect the confidentiality of stored, transmitted or otherwise + processed data, personal or other, such as by encrypting relevant data at + rest or in transit by state of the art mechanisms; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.d + description: protect the integrity of stored, transmitted or otherwise processed + data, personal or other, commands, programs and configuration against any + manipulation or modification not authorised by the user, as well as report + on corruptions; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.e + description: "process only data, personal or other, that are adequate, relevant\ + \ 
and limited to what is necessary in relation to the intended use of the\ + \ product (\u2018minimisation of data\u2019); " + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.f + description: protect the availability of essential functions, including the + resilience against and mitigation of denial of service attacks; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.g + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.g + description: minimise their own negative impact on the availability of services + provided by other devices or networks; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.h + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.h + description: be designed, developed and produced to limit attack surfaces, including + external interfaces; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.i + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.i + description: be designed, developed and produced to reduce the impact of an + incident using appropriate exploitation mitigation mechanisms and techniques; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.j + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.j + description: provide security related information by recording and/or monitoring + relevant internal activity, including the access to or modification of data, + services or functions; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3.k + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.1.3 + ref_id: 1.1.3.k + description: ensure that vulnerabilities can be addressed through 
security updates, + including, where applicable, through automatic updates and the notification + of available updates to users. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1 + ref_id: '1.2' + name: "Vulnerability\_handling\_requirements" + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2 + description: 'Manufacturers of the products with digital elements shall:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.1 + description: identify and document vulnerabilities and components contained + in the product, including by drawing up a software bill of materials in a + commonly used and machine-readable format covering at the very least the top-level + dependencies of the product; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.2 + description: in relation to the risks posed to the products with digital elements, + address and remediate vulnerabilities without delay, including by providing + security updates; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.3 + description: apply effective and regular tests and reviews of the security of + the product with digital elements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.4 + description: once a security update has been made available, publically disclose + information about fixed vulnerabilities, 
including a description of the vulnerabilities, + information allowing users to identify the product with digital elements affected, + the impacts of the vulnerabilities, their severity and information helping + users to remediate the vulnerabilities; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.5 + description: put in place and enforce a policy on coordinated vulnerability + disclosure; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.6 + description: take measures to facilitate the sharing of information about potential + vulnerabilities in their product with digital elements as well as in third + party components contained in that product, including by providing a contact + address for the reporting of the vulnerabilities discovered in the product + with digital elements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.7 + description: provide for mechanisms to securely distribute updates for products + with digital elements to ensure that exploitable vulnerabilities are fixed + or mitigated in a timely manner; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:1.2.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node19 + ref_id: 1.2.8 + description: ensure that, where security patches or updates are available to + address identified security issues, they are disseminated without delay and + free of charge, accompanied by advisory messages providing users with the + relevant information, including on potential action to be taken. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2 + assessable: false + depth: 1 + ref_id: '2' + name: ANNEX II + description: INFORMATION AND INSTRUCTIONS TO THE USER + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2 + description: 'As a minimum, the product with digital elements shall be accompanied + by:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.1' + description: the name, registered trade name or registered trade mark of the + manufacturer, and the postal address and the email address at which the manufacturer + can be contacted, on the product or, where that is not possible, on its packaging + or in a document accompanying the product; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.2' + description: the point of contact where information about cybersecurity vulnerabilities + of the product can be reported and received; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.3' + description: the correct identification of the type, batch, version or serial + number or other element allowing the identification of the product and the + corresponding instructions and user information; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.4' + description: "the intended use, including the security environment provided\ + \ by the manufacturer, as well as the product\u2019s essential functionalities\ + \ and information about the security properties;" + - urn: 
urn:intuitem:risk:req_node:cra-proposal-annexes:2.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.5' + description: 'any known or foreseeable circumstance, related to the use of the + product with digital elements in accordance with its intended purpose or under + conditions of reasonably foreseeable misuse, which may lead to significant + cybersecurity risks; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.6' + description: if and, where applicable, where the software bill of materials + can be accessed; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.7' + description: 'where applicable, the internet address at which the EU declaration + of conformity can be accessed; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.8' + description: 'the type of technical security support offered by the manufacturer + and until when it will be provided, at the very least until when users can + expect to receive security updates; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node29 + ref_id: '2.9' + description: 'detailed instructions or an internet address referring to such + detailed instructions and information on:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 + ref_id: 2.9.a + description: the necessary measures during initial commissioning and throughout + the lifetime of the product to ensure its secure use; + - urn: 
urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 + ref_id: 2.9.b + description: how changes to the product can affect the security of data; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 + ref_id: 2.9.c + description: how security-relevant updates can be installed; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:2.9 + ref_id: 2.9.d + description: the secure decommissioning of the product, including information + on how user data can be securely removed. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 + assessable: false + depth: 1 + ref_id: '3' + name: ANNEX III + description: CRITICAL PRODUCTS WITH DIGITAL ELEMENTS + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 + ref_id: '3.1' + name: Class I + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.1 + description: Identity management systems software and privileged access management + software; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.2 + description: Standalone and embedded browsers; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.3 + description: Password managers; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.4 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.4 + description: Software that searches for, removes, or quarantines malicious software; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.5 + description: Products with digital elements with the function of virtual private + network (VPN); + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.6 + description: Network management systems; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.7 + description: Network configuration management tools; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.8 + description: Network traffic monitoring systems; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.9 + description: Management of network resources; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.10 + description: Security information and event management (SIEM) systems; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.11 + description: Update/patch management, including boot managers; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.12 + 
description: Application configuration management systems; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.13 + description: Remote access/sharing software; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.14 + description: Mobile device management software; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.15 + description: Physical network interfaces; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.16 + description: Operating systems not covered by class II; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.17 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.17 + description: Firewalls, intrusion detection and/or prevention systems not covered + by class II; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.18 + description: Routers, modems intended for the connection to the internet, and + switches, not covered by class II; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.19 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.19 + description: Microprocessors not covered by class II; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.20 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.20 + description: Microcontrollers; + - urn: 
urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.21 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.21 + description: Application specific integrated circuits (ASIC) and field-programmable + gate arrays (FPGA) intended for the use by essential entities of the type + referred to in [Annex I to the Directive XXX/XXXX (NIS2)]; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.22 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.22 + description: Industrial Automation & Control Systems (IACS) not covered by class + II, such as programmable logic controllers (PLC), distributed control systems + (DCS), computerised numeric controllers for machine tools (CNC) and supervisory + control and data acquisition systems (SCADA); + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1.23 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.1 + ref_id: 3.1.23 + description: Industrial Internet of Things not covered by class II. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3 + ref_id: '3.2' + name: Class II + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.1 + description: Operating systems for servers, desktops, and mobile devices; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.2 + description: Hypervisors and container runtime systems that support virtualised + execution of operating systems and similar environments; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.3 + description: Public key infrastructure and digital certificate issuers; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.4 + description: Firewalls, intrusion detection and/or prevention systems intended + for industrial use; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.5 + description: General purpose microprocessors; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.6 + description: Microprocessors intended for integration in programmable logic + controllers and secure elements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.7 + description: Routers, modems 
intended for the connection to the internet, and + switches, intended for industrial use; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.8 + description: Secure elements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.9 + description: Hardware Security Modules (HSMs); + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.10 + description: Secure cryptoprocessors; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.11 + description: Smartcards, smartcard readers and tokens; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.12 + description: Industrial Automation & Control Systems (IACS) intended for the + use by essential entities of the type referred to in [Annex I to the Directive + XXX/XXXX (NIS2)], such as programmable logic controllers (PLC), distributed + control systems (DCS), computerised numeric controllers for machine tools + (CNC) and supervisory control and data acquisition systems (SCADA); + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.13 + description: Industrial Internet of Things devices intended for the use by essential + entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)]; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.14 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.14 + description: Robot sensing and actuator components and robot controllers; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2.15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:3.2 + ref_id: 3.2.15 + description: Smart meters. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4 + assessable: false + depth: 1 + ref_id: '4' + name: ANNEX IV + description: EU DECLARATION OF CONFORMITY + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4 + description: 'The EU declaration of conformity referred to in Article 20, shall + contain all of the following information:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.1' + description: Name and type and any additional information enabling the unique + identification of the product with digital elements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.2' + description: 'Name and address of the manufacturer or his authorised representative; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.3' + description: 'A statement that the EU declaration of conformity is issued under + the sole responsibility of the provider; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.4' + description: 'Object of the declaration (identification of the product allowing + traceability. 
It may include a photograph, where appropriate); ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.5' + description: A statement that the object of the declaration described above + is in conformity with the relevant Union harmonisation legislation; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.6' + description: 'References to any relevant harmonised standards used or any other + common specification or cybersecurity certification in relation to which conformity + is declared; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.7' + description: 'Where applicable, the name and number of the notified body, a + description of the conformity assessment procedure performed and identification + of the certificate issued; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:4.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node85 + ref_id: '4.8' + description: "Additional information: \nSigned for and on behalf of: \n(place\ + \ and date of issue): \n(name, function) (signature):" + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5 + assessable: false + depth: 1 + ref_id: '5' + name: ANNEX V + description: CONTENTS OF THE TECHNICAL DOCUMENTATION + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5 + description: 'The technical documentation referred to in Article 23 shall contain + at least the following information, as applicable to the relevant product + with digital elements:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.1' + description: 'a general description of the product with digital elements, including: ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 + ref_id: 5.1.a + description: 'its intended purpose; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 + ref_id: 5.1.b + description: 'versions of software affecting compliance with essential requirements; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 + ref_id: 5.1.c + description: 'where the product with digital elements is a hardware product, + photographs or illustrations showing external features, marking and internal + layout; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.1 + ref_id: 5.1.d + description: user information and instructions as set out in Annex II; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.2' + description: 'a description of the design, development and production of the + product and vulnerability handling processes, including: ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 + ref_id: 5.2.a + description: complete information on the design and development of the product + with digital elements, including, where applicable, drawings and schemes and/or + a description of the system architecture explaining how software 
components + build on or feed into each other and integrate into the overall processing; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 + ref_id: 5.2.b + description: 'complete information and specifications of the vulnerability handling + processes put in place by the manufacturer, including the software bill of + materials, the coordinated vulnerability disclosure policy, evidence of the + provision of a contact address for the reporting of the vulnerabilities and + a description of the technical solutions chosen for the secure distribution + of updates; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.2 + ref_id: 5.2.c + description: 'complete information and specifications of the production and + monitoring processes of the product with digital elements and the validation + of these processes. 
' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.3' + description: 'an assessment of the cybersecurity risks against which the product + with digital elements is designed, developed, produced, delivered and maintained + as laid down in Article 10 of this Regulation; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.4' + description: 'a list of the harmonised standards applied in full or in part + the references of which have been published in the Official Journal of the + European Union, common specifications as set out in Article 19 of this Regulation + or cybersecurity certification schemes under Regulation (EU) 2019/881 pursuant + to Article 18(3), and, where those harmonised standards, common specifications + or cybersecurity certification schemes have not been applied, descriptions + of the solutions adopted to meet the essential requirements set out in Sections + 1 and 2 of Annex I, including a list of other relevant technical specifications + applied. 
In the event of partly applied harmonised standards, common specifications + or cybersecurity certifications, the technical documentation shall specify + the parts which have been applied; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.5' + description: reports of the tests carried out to verify the conformity of the + product and of the vulnerability handling processes with the applicable essential + requirements as set out in Sections 1 and 2 of Annex I; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.6' + description: a copy of the EU declaration of conformity; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:5.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node95 + ref_id: '5.7' + description: 'where applicable, the software bill of materials as defined in + Article 3, point (36), further to a reasoned request from a market surveillance + authority provided that it is necessary in order for this authority to be + able to check compliance with the essential requirements set out in Annex + I. 
' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 + assessable: false + depth: 1 + ref_id: '6' + name: ANNEX VI + description: CONFORMITY ASSESSMENT PROCEDURES + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 + ref_id: 6.A + name: Conformity Assessment procedure based on internal control (based on Module + A) + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a + ref_id: 6.A.1 + description: Internal control is the conformity assessment procedure whereby + the manufacturer fulfils the obligations laid down in points 2, 3 and 4, and + ensures and declares on its sole responsibility that the products with digital + elements satisfy all the essential requirements set out in Section 1 of Annex + I and the manufacturer meets the essential requirements set out in Section + 2 of Annex I. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a + ref_id: 6.A.2 + description: 'The manufacturer shall draw up the technical documentation described + in Annex V. ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a + ref_id: 6.A.3 + name: Design, development, production and vulnerability handling of products + with digital elements + description: 'The manufacturer shall take all measures necessary so that the + design, development, production and vulnerability handling processes and their + monitoring ensure compliance of the manufactured or developed products with + digital elements and of the processes put in place by the manufacturer with + the essential requirements set out in sections 1 and 2 of Annex I. 
' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a + ref_id: 6.A.4 + name: Conformity marking and declaration of conformity + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 + ref_id: 6.A.4.1 + description: The manufacturer shall affix the CE to each individual product + with digital elements that satisfies the applicable requirements of this Regulation. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4 + ref_id: 6.A.4.2 + description: 'The manufacturer shall draw up a written EU declaration of conformity + for each product with digital elements in accordance with Article 20 and keep + it together with the technical documentation at the disposal of the national + authorities for 10 years after the product with digital elements has been + placed on the market. The EU declaration of conformity shall identify the + product with digital elements for which it has been drawn up. A copy of the + EU declaration of conformity shall be made available to the relevant authorities + upon request. ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.a.4.2 + ref_id: 6.A.5 + name: Authorised representatives + description: "The manufacturer\u2019s obligations set out in point 4 may be\ + \ fulfilled by his authorised representative, on his behalf and under his\ + \ responsibility, provided that they are specified in the mandate." 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 + ref_id: 6.B + name: EU-type examination (based on Module B) + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.1 + description: EU-type examination is the part of a conformity assessment procedure + in which a notified body examines the technical design and development of + a product and the vulnerability handling processes put in place by the manufacturer, + and attests that a product with digital elements meets the essential requirements + set out in Section 1 of Annex I and that the manufacturer meets the essential + requirements set out in Section 2 of Annex I. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.2 + description: EU-type examination shall be carried out by assessment of the adequacy + of the technical design and development of the product through examination + of the technical documentation and supporting evidence referred to in point + 3, plus examination of specimens of one or more critical parts of the product + (combination of production type and design type). + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.3 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node123 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 + description: The manufacturer shall lodge an application for EU-type examination + with a single notified body of his choice. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.3 + description: 'The application shall include:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node125 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 + description: '- the name and address of the manufacturer and, if the application + is lodged by the authorised representative, his name and address as well;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node126 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 + description: '- a written declaration that the same application has not been + lodged with any other notified body; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node127 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 + description: '- the technical documentation, which shall make it possible to + assess the product''s conformity with the applicable essential requirements + as set out in Section 1 of Annex I and the manufacturer''s vulnerability handling + processes set out in Section 2 of Annex I, and shall include an adequate analysis + and assessment of the risk(s). The technical documentation shall specify the + applicable requirements and cover, as far as relevant for the assessment, + the design, manufacture and operation of the product. The technical documentation + shall contain, wherever applicable, at least the elements set out in Annex + V; ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node128 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node124 + description: '- the supporting evidence for the adequacy of the technical design + and development solutions and vulnerability handling processes. 
This supporting + evidence shall mention any documents that have been used, in particular where + the relevant harmonised standards and/or technical specifications have not + been applied in full. The supporting evidence shall include, where necessary, + the results of tests carried out by the appropriate laboratory of the manufacturer, + or by another testing laboratory on his behalf and under his responsibility.' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.4 + description: 'The notified body shall: ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + ref_id: 6.B.4.1 + description: examine the technical documentation and supporting evidence to + assess the adequacy of the technical design and development of the product + with the essential requirements set out in Section 1 of Annex I and of the + vulnerability handling processes put in place by the manufacturer with the + essential requirements set out in Section 2 of Annex I; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + ref_id: 6.B.4.2 + description: verify that the specimen(s) have been developed or manufactured + in conformity with the technical documentation, and identify the elements + which have been designed and developed in accordance with the applicable provisions + of the relevant harmonised standards and/or technical specifications, as well + as the elements which have been designed and developed without applying the + relevant provisions of those standards; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + ref_id: 6.B.4.3 + 
description: carry out appropriate examinations and tests, or have them carried + out, to check whether, where the manufacturer has chosen to apply the solutions + in the relevant harmonised standards and/or technical specifications for the + requirements set out in Annex I, these have been applied correctly; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + ref_id: 6.B.4.4 + description: carry out appropriate examinations and tests, or have them carried + out, to check whether, where the solutions in the relevant harmonised standards + and/or technical specifications for the requirements set out in Annex I have + not been applied, the solutions adopted by the manufacturer meet the corresponding + essential requirements; + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.4 + ref_id: 6.B.4.5 + description: agree with the manufacturer on a location where the examinations + and tests will be carried out. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.5 + description: "The notified body shall draw up an evaluation report that records\ + \ the activities undertaken in accordance with point 4 and their outcomes.\ + \ Without prejudice to its obligations vis-\xE0-vis the notifying authorities,\ + \ the notified body shall release the content of that report, in full or in\ + \ part, only with the agreement of the manufacturer." 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.6 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node137 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 + description: Where the type and the vulnerability handling processes meet the + essential requirements set out in Annex I, the notified body shall issue an + EU-type examination certificate to the manufacturer. The certificate shall + contain the name and address of the manufacturer, the conclusions of the examination, + the conditions (if any) for its validity and the necessary data for identification + of the approved type and vulnerability handling processes. The certificate + may have one or more annexes attached. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node138 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 + description: The certificate and its annexes shall contain all relevant information + to allow the conformity of manufactured or developed products with the examined + type and vulnerability handling processes to be evaluated and to allow for + in-service control. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node139 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.6 + description: Where the type and the vulnerability handling processes do not + satisfy the applicable essential requirements set out in Annex I, the notified + body shall refuse to issue an EU-type examination certificate and shall inform + the applicant accordingly, giving detailed reasons for its refusal. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.7 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node141 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 + description: The notified body shall keep itself apprised of any changes in + the generally acknowledged state of the art which indicate that the approved + type and the vulnerability handling processes may no longer comply with the + applicable essential requirements set out in Annex I to this Regulation, and + shall determine whether such changes require further investigation. If so, + the notified body shall inform the manufacturer accordingly. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node142 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.7 + description: The manufacturer shall inform the notified body that holds the + technical documentation relating to the EU-type examination certificate of + all modifications to the approved type and the vulnerability handling processes + that may affect the conformity with the essential requirements set out in + Annex I, or the conditions for validity of the certificate. Such modifications + shall require additional approval in the form of an addition to the original + EU-type examination certificate. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.8 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node144 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 + description: Each notified body shall inform its notifying authorities concerning + the EU-type examination certificates and/or any additions thereto which it + has issued or withdrawn, and shall, periodically or upon request, make available + to its notifying authorities the list of certificates and/or any additions + thereto refused, suspended or otherwise restricted. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node145 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 + description: Each notified body shall inform the other notified bodies concerning + the EU-type examination certificates and/or any additions thereto which it + has refused, withdrawn, suspended or otherwise restricted, and, upon request, + concerning the certificates and/or additions thereto which it has issued. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node146 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.8 + description: The Commission, the Member States and the other notified bodies + may, on request, obtain a copy of the EU-type examination certificates and/or + additions thereto. On request, the Commission and the Member States may obtain + a copy of the technical documentation and the results of the examinations + carried out by the notified body. The notified body shall keep a copy of the + EU-type examination certificate, its annexes and additions, as well as the + technical file including the documentation submitted by the manufacturer, + until the expiry of the validity of the certificate. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.9 + description: The manufacturer shall keep a copy of the EU-type examination certificate, + its annexes and additions together with the technical documentation at the + disposal of the national authorities for 10 years after the product has been + placed on the market. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.b + ref_id: 6.B.10 + description: The manufacturer's authorised representative may lodge the application + referred to in point 3 and fulfil the obligations set out in points 7 and + 9, provided that they are specified in the mandate. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 + ref_id: 6.C + name: Conformity to type based on internal production control (based on Module + C) + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c + ref_id: 6.C.1 + description: Conformity to type based on internal production control is the + part of a conformity assessment procedure whereby the manufacturer fulfils + the obligations laid down in points 2 and 3, and ensures and declares that + the products concerned are in conformity with the type described in the EU-type + examination certificate and satisfy the essential requirements set out in + Section 1 of Annex I. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c + ref_id: 6.C.2 + name: Production + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.2 + ref_id: 6.C.2.1 + description: 'The manufacturer shall take all measures necessary so that the + production and its monitoring ensure conformity of the manufactured products + with the approved type described in the EU-type examination certificate and + with the essential requirements as set out in Section 1 of Annex I. ' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c + ref_id: 6.C.3 + name: Conformity marking and declaration of conformity + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 + ref_id: 6.C.3.1 + description: The manufacturer shall affix the CE marking to each individual + product that is in conformity with the type described in the EU-type examination + certificate and satisfies the applicable requirements of the legislative instrument. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.3 + ref_id: 6.C.3.2 + description: The manufacturer shall draw up a written declaration of conformity + for a product model and keep it at the disposal of the national authorities + for 10 years after the product has been placed on the market. The declaration + of conformity shall identify the product model for which it has been drawn + up. A copy of the declaration of conformity shall be made available to the + relevant authorities upon request. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.c + ref_id: 6.C.4 + name: Authorised representative + description: The manufacturer's obligations set out in point 3 may be fulfilled + by his authorised representative, on his behalf and under his responsibility, + provided that they are specified in the mandate. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6 + ref_id: 6.H + name: Conformity based on full quality assurance (based on Module H) + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.1 + description: Conformity based on full quality assurance is the conformity assessment + procedure whereby the manufacturer fulfils the obligations laid down in points + 2 and 5, and ensures and declares on his sole responsibility that the products + (or product categories) concerned satisfy the essential requirements set out + in Section 1 of Annex I, and that the vulnerability handling processes put + in place by the manufacturer meet the requirements set out in Section 2 of + Annex I. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.2 + name: Design, development, production and vulnerability handling of products + with digital elements + description: The manufacturer shall operate an approved quality system as specified + in point 3 for the design, development, and production of the products concerned + and for handling vulnerabilities, maintain its effectiveness throughout the + lifecycle of the products concerned, and shall be subject to surveillance + as specified in point 4. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.3 + name: Quality system + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + ref_id: 6.H.3.1 + name: Surveillance under the responsibility of the notified body + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node162 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 + name: Conformity marking and declaration of conformity + description: The manufacturer shall lodge an application for assessment of his + quality system with the notified body of his choice, for the products concerned. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.1 + description: 'The application shall include:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node164 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 + description: '- the name and address of the manufacturer and, if the application + is lodged by the authorised representative, his name and address as well;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node165 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 + description: '- the technical documentation for one model of each category of + products intended to be manufactured or developed. 
The technical documentation + shall, wherever applicable, contain at least the elements as set out in Annex + V;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node166 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 + description: '- the documentation concerning the quality system; and' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node167 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node163 + description: '- a written declaration that the same application has not been + lodged with any other notified body.' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + ref_id: 6.H.3.2 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node169 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 + description: The quality system shall ensure compliance of the products with + the essential requirements set out in Section 1 of Annex I and compliance + of the vulnerability handling processes put in place by the manufacturer with + the requirements set out in Section 2 of Annex I. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node170 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 + description: All the elements, requirements and provisions adopted by the manufacturer + shall be documented in a systematic and orderly manner in the form of written + policies, procedures and instructions. That quality system documentation shall + permit a consistent interpretation of the quality programmes, plans, manuals + and records. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.2 + description: 'It shall, in particular, contain an adequate description of:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node172 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the quality objectives and the organisational structure, responsibilities + and powers of the management with regard to design, development, product quality + and vulnerability handling;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node173 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the technical design and development specifications, including + standards, that will be applied and, where the relevant harmonised standards + and/or technical specifications will not be applied in full, the means that + will be used to ensure that the essential requirements set out in Section + 1 of Annex I that apply to the products will be met;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node174 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the procedural specifications, including standards, that will + be applied and, where the relevant harmonised standards and/or technical specifications + will not be applied in full, the means that will be used to ensure that the + essential requirements set out in Section 2 of Annex I that apply to the manufacturer + will be met;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node175 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the design and development control, as well as design and development + verification techniques, processes and systematic actions that will be used + 
when designing and developing the products pertaining to the product category + covered;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node176 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the corresponding production, quality control and quality assurance + techniques, processes and systematic actions that will be used;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node177 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the examinations and tests that will be carried out before, + during and after production, and the frequency with which they will be carried + out;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node178 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the quality records, such as inspection reports and test data, + calibration data, qualification reports on the personnel concerned, etc;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node179 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node171 + description: '- the means of monitoring the achievement of the required design + and product quality and the effective operation of the quality system.' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + ref_id: 6.H.3.3 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node181 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + description: The notified body shall assess the quality system to determine + whether it satisfies the requirements referred to in point 3.2. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node182 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + description: It shall presume conformity with those requirements in respect + of the elements of the quality system that comply with the corresponding specifications + of the national standard that implements the relevant harmonised standard + and/or technical specification. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node183 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + description: In addition to experience in quality management systems, the auditing + team shall have at least one member experienced as an assessor in the relevant + product field and product technology concerned, and knowledge of the applicable + requirements of this Regulation. The audit shall include an assessment visit + to the manufacturer's premises, where such premises exist. The auditing team + shall review the technical documentation referred to in point 3.1, second + indent, to verify the manufacturer's ability to identify the applicable requirements + of this Regulation and to carry out the necessary examinations with a view + to ensuring compliance of the product with those requirements. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node184 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + description: The manufacturer or his authorised representative shall be notified + of the decision. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node185 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.3 + description: The notification shall contain the conclusions of the audit and + the reasoned assessment decision. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + ref_id: 6.H.3.4 + description: The manufacturer shall undertake to fulfil the obligations arising + out of the quality system as approved and to maintain it so that it remains + adequate and efficient. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3 + ref_id: 6.H.3.5 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node188 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 + description: The manufacturer shall keep the notified body that has approved + the quality system informed of any intended change to the quality system. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node189 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 + description: The notified body shall evaluate any proposed changes and decide + whether the modified quality system will continue to satisfy the requirements + referred to in point 3.2 or whether a reassessment is necessary. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node190 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.3.5 + description: It shall notify the manufacturer of its decision. The notification + shall contain the conclusions of the examination and the reasoned assessment + decision. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.4 + name: Surveillance under the responsibility of the notified body + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 + ref_id: 6.H.4.1 + description: The purpose of surveillance is to make sure that the manufacturer + duly fulfils the obligations arising out of the approved quality system. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 + ref_id: 6.H.4.2 + description: 'The manufacturer shall, for assessment purposes, allow the notified + body access to the design, development, production, inspection, testing and + storage sites, and shall provide it with all necessary information, in particular:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node194 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 + description: '- the quality system documentation;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node195 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 + description: '- the quality records as provided for by the design part of the + quality system, such as results of analyses, calculations, tests, etc.;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node196 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.2 + description: '- the quality records as provided for by the manufacturing part + of the quality system, such as inspection reports and test data, calibration + data, qualification reports on the personnel concerned, etc.' 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.4 + ref_id: 6.H.4.3 + description: The notified body shall carry out periodic audits to make sure + that the manufacturer maintains and applies the quality system and shall provide + the manufacturer with an audit report. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.5 + name: Conformity marking and declaration of conformity + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 + ref_id: 6.H.5.1 + description: The manufacturer shall affix the CE marking, and, under the responsibility + of the notified body referred to in point 3.1, the latter's identification + number to each individual product that satisfies the requirements set out + in Section 1 of Annex I to this Regulation. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5 + ref_id: 6.H.5.2 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node201 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 + description: The manufacturer shall draw up a written declaration of conformity + for each product model and keep it at the disposal of the national authorities + for 10 years after the product has been placed on the market. The declaration + of conformity shall identify the product model for which it has been drawn + up. 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node202 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.5.2 + description: A copy of the declaration of conformity shall be made available + to the relevant authorities upon request. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.6 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.6 + description: 'The manufacturer shall, for a period ending at least 10 years + after the product has been placed on the market, keep at the disposal of the + national authorities:' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node205 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 + description: '- the technical documentation referred to in point 3.1;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node206 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 + description: '- the documentation concerning the quality system referred to + in point 3.1;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node207 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 + description: '- the change referred to in point 3.5, as approved;' + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node208 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node204 + description: '- the decisions and reports of the notified body referred to in + points 3.5, 4.3 and 4.4.' 
+ - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.7 + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node210 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 + description: Each notified body shall inform its notifying authorities of quality + system approvals issued or withdrawn, and shall, periodically or upon request, + make available to its notifying authorities the list of quality system approvals + refused, suspended or otherwise restricted. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:node211 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.7 + description: Each notified body shall inform the other notified bodies of quality + system approvals which it has refused, suspended or withdrawn, and, upon request, + of quality system approvals which it has issued. + - urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cra-proposal-annexes:6.h + ref_id: 6.H.8 + name: Authorised representative + description: The manufacturer's obligations set out in points 3.1, 3.5, 5 and + 6 may be fulfilled by his authorised representative, on his behalf and under + his responsibility, provided that they are specified in the mandate. diff --git a/tools/cra/cra-proposal-annexes.xlsx b/tools/cra/cra-proposal-annexes.xlsx new file mode 100644 index 000000000..2b9a662d9 Binary files /dev/null and b/tools/cra/cra-proposal-annexes.xlsx differ
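Review bot: The assessable flags in the 6.H.4 to 6.H.6 nodes are inconsistent, so some "shall" obligations are excluded from assessment while one list intro is assessed alongside its own bullets. 6.H.4.3 ("The notified body shall carry out periodic audits ...") and 6.H.5.1 ("The manufacturer shall affix the CE marking ...") are leaf nodes with an obligation in their description but are marked assessable: false, whereas the comparable notified-body obligation in node181 is assessable: true. 6.H.4.2 is assessable: true together with its three child bullets (node194 to node196), while the equivalent list intro at node204 under 6.H.6 is assessable: false with assessable children. Suggest picking one convention (list intro non-assessable, its bullets and any leaf obligation assessable) and applying it to these nodes. Separately, node208 cites "points 3.5, 4.3 and 4.4", but the 6.H.4 subtree in this hunk goes from 6.H.4.3 straight to 6.H.5, so the 4.4 reference has no target node in this library; an annotation on node208 saying so would save users a search. The accompanying tools/cra/cra-proposal-annexes.xlsx is binary and cannot be compared with the YAML in this diff, so please note in the PR description how the YAML was generated from it.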