Manufacturer's Responsibilities Under Module A for Software
Choosing the self-assessment path (Module A) under the Cyber Resilience Act (CRA) for your game, app, or software component means you're in the driver's seat. It also means the buck stops with you. Here’s what you’re signing up for.
Sole Responsibility for Conformity
The big one: under Module A, you, the manufacturer, ensure and declare on your sole responsibility that your software product and your internal processes satisfy all the essential cybersecurity requirements laid out in Annex I of the CRA. This is clearly stated in Annex VIII, Part I, point 1. If something's not right, it's on you.
Ensuring Compliant Design, Development, and Vulnerability Handling
You are responsible for taking all necessary measures so that your software's design, development, and "production" (for software, this means your build, compilation, and packaging processes), together with your vulnerability handling processes, ensure compliance. This isn't just about the final app or game; it’s about how you build and maintain it securely throughout its lifecycle, as detailed in Annex VIII, Part I, point 3.
Documentation is Your Proof
You must draw up and maintain the technical documentation (as per Annex VII). This documentation is your evidence that you've met the requirements. You're also responsible for drawing up the EU Declaration of Conformity, which formally states your product’s compliance (Annex VIII, Part I, point 4.2).
CE Marking and Record Keeping
Affixing the CE marking correctly according to Article 30 is your job. You also need to keep the technical documentation and the EU Declaration of Conformity available for market surveillance authorities for at least 10 years after your software is placed on the market, or for its entire support period, whichever is longer (Annex VIII, Part I, point 4.2; Article 13, Paragraph 13).
Key Takeaway
Under Module A, the manufacturer carries the full weight of ensuring and declaring software conformity with the CRA, covering everything from secure development practices to documentation and formal declarations.