Indicate which standards provide presumption of conformity #186
Conversation
Signed-off-by: Tobie Langel <[email protected]>
| Number | Description | CRA Link | CEN/CENELEC | ETSI | Provides presumption of conformity<sup><a href="#note-1">[1]</a></sup> |
|---|---|---|:---:|:---:|:---:|
| 1 | designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks | [Annex I, Part I, point (1)][Annex I] | WG9 PT1 | - | No |
| 15 | vulnerability handling for products with digital elements | [Annex I, Part II][Annex I] | WG9 PT3 | - | No |
PT3 aims to achieve a "Yes" here
<sup><a href="#note-1" name="note-1">[1]</a></sup> _Vertical standards mentioned in Point 2.3 of Annex II of the [European Commission implementing decision of a standardisation request to the ESOs][StandReq] are the only one requested to aim to provide a presumption of conformity._
<sup><a href="#note-1" name="note-1">[1]</a></sup> _Vertical standards mentioned in Point 2.3 of Annex II of the [European Commission implementing decision of a standardisation request to the ESOs][StandReq] are the only ones requested to aim to provide a presumption of conformity._
Maybe actually add a second footnote referencing Article 27 paragraph 1 of the CRA, which states:

> Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.
This seems to very much clash with what I'm hearing that only the vertical standards will provide presumption of conformity.
Did you mean to respond to the other thread?
No. Doesn't that imply all harmonised standards would provide presumption of conformity?
So, I looked all of it up. The Blue Guide has the relevant sections 4.1.2.1 and 4.1.2.2.
As soon as a reference to a harmonised standard is published in the OJE it does provide presumption of conformity.
This can therefore also happen (and is supposed to at least for vulnerability management) for horizontal standards.
So, I think we should revise this as not only vertical ones will be relevant.
I believe, but can't instantly confirm, that compliance with all applicable parts of all harmonised standards is necessary for a presumption of conformity.
We definitely need FAQs on this topic. Happy to bring to the Commission and/or CEN/CENELEC for input. We need more clarity here, imho.
I volunteered offline to create a FAQ on this
Looks good from my end. You could add that there will be (needs to be) an OJ-published list of the standards that qualify for this conformity. Or even prefix the answer with the fact that the OJ will contain this list.
This is based on the information found in annex II of the draft standardization request.
Here's what the rendered changes look like