CRA Technische documentatie: gids Bijlage VII

Het technisch dossier is uw bewijs­pakket voor CRA-compliance. Markttoezichtautoriteiten zullen het opvragen. Aangemelde instanties zullen het inzien. Zonder een volledig technisch dossier mag u uw product niet wettelijk op de EU-markt brengen.

Deze gids behandelt Bijlage VII sectie voor sectie en legt uit wat elke sectie vereist en hoe u die voorbereidt.

Wat is het technisch dossier?

Het technisch dossier (ook wel "technische documentatie" genoemd) is het volledige bewijs­pakket waarmee u aantoont dat uw product aan de CRA-vereisten voldoet.

Het is niet:

• Marketingmateriaal
• Alleen gebruikershandleidingen
• Een afvinkoefening

Het is wel:

• Uitgebreide technische bewijsvoering
• Levende documentatie (bijgewerkt gedurende de gehele productlevenscyclus)
• Uw verweer bij markttoezichtonderzoeken
• Verplicht voor de conformiteitsbeoordeling

Belangrijk: Het technisch dossier moet klaar zijn VOOR de marktintroductie en moet 10 jaar na de datum waarop de laatste eenheid op de markt is gebracht bewaard blijven. Autoriteiten kunnen het op elk moment opvragen.

Structuuroverzicht van Bijlage VII

Bijlage VII van de CRA specificeert de vereisten voor technische documentatie:

STRUCTUUR TECHNISCH DOSSIER (Bijlage VII)

1. GENERAL DESCRIPTION
   \-- Product identification and intended purpose

2. ONTWERP, ONTWIKKELING, KWETSBAARHEIDSBEHEER EN PRODUCTIE
   \-- Beveiliging ingebouwd, kwetsbaarheden beheerd, productie en monitoring gevalideerd

3. CYBERSECURITY RISK ASSESSMENT
   \-- Risks identified and addressed

4. INFORMATIE OVER DE ONDERSTEUNINGSPERIODE
   \-- Informatie gebruikt voor het bepalen van de ondersteuningsperiode (artikel 13, lid 8)

5. TOEGEPASTE NORMEN
   \-- Gebruikte normen en afwijkingen

6. TESTRESULTATEN
   \-- Verificatiebewijs

7. EU-VERKLARING VAN OVEREENSTEMMING
   \-- Of een kopie ervan

8. SOFTWARE BILL OF MATERIALS
   \-- Componenten en afhankelijkheden (op gemotiveerd verzoek)

Sectie 1: Algemene beschrijving

Doel: Vastleggen wat het product is en waarvoor het dient.

Vereiste inhoud

GENERAL DESCRIPTION CHECKLIST

Product Identification:
[ ] Product name and model number
[ ] Hardware version(s)
[ ] Software/firmware version(s)
[ ] Serial number format or range
[ ] Unique product identifier

Intended Purpose:
[ ] Primary function description
[ ] Target users/environment
[ ] Intended use cases
[ ] Not-intended uses (exclusions)

Product Category:
[ ] CRA classification (Default/Important/Critical)
[ ] Justification for classification
[ ] Related product regulations (if any)

Market Information:
[ ] Date of first EU market placement
[ ] Target member states
[ ] Distribution channels

Voorbeeld

GENERAL DESCRIPTION

Product Name: SmartSense Pro Industrial Sensor
Model Number: SSP-3000
Hardware Version: Rev C (PCB v3.2)
Firmware Version: 2.4.1

INTENDED PURPOSE:
The SmartSense Pro is an industrial environmental sensor
designed for manufacturing facility monitoring. It measures
temperature, humidity, and air quality, transmitting data
via WiFi to cloud or local servers.

TARGET USERS:
- Facility managers
- Industrial automation integrators
- Environmental compliance officers

INTENDED ENVIRONMENT:
- Indoor industrial facilities
- Operating temperature: -10°C to +60°C
- Network: WiFi 802.11 b/g/n

NOT INTENDED FOR:
- Medical or life-safety applications
- Outdoor installation
- Explosive atmospheres
- Consumer/residential use

CRA CLASSIFICATION:
Default product. Not listed in Annex III or IV.
Justification: General-purpose sensor without security
functions or critical infrastructure application.

EU MARKET PLACEMENT:
First placed on market: March 15, 2027
Target markets: All EU member states
Distribution: Direct sales and authorized distributors

Sectie 2: Ontwerp, ontwikkeling en kwetsbaarheidsbeheer

Doel: Documenteer hoe het product is ontworpen en ontwikkeld, hoe kwetsbaarheden na de marktintroductie worden beheerd en hoe productie- en monitoringprocessen worden gevalideerd. Bijlage VII §2 behandelt deze als één blok: ontwerp en ontwikkeling onder §2(a), processen voor kwetsbaarheidsbeheer onder §2(b), productie- en monitoringprocessen onder §2(c).

Ontwerp en ontwikkeling: vereiste inhoud

DESIGN DOCUMENTATION CHECKLIST

Architecture:
[ ] System architecture diagram
[ ] Component interaction diagram
[ ] Data flow diagram
[ ] Trust boundaries identified

Security Design:
[ ] Security architecture description
[ ] Cryptographic implementations
[ ] Authentication mechanisms
[ ] Authorization model
[ ] Secure communication protocols
[ ] Data protection measures

Development Process:
[ ] Secure development lifecycle description
[ ] Security requirements traceability
[ ] Code review procedures
[ ] Security testing in development
[ ] Configuration management

Change Management:
[ ] Version control procedures
[ ] Change impact assessment
[ ] Security review for changes

Hoe "Secure by Design"-documentatie eruitziet

SECURITY ARCHITECTURE OVERVIEW

1. TRUST BOUNDARIES
   +-----------------------------------------+
   |            Cloud Backend                 |
   |  (Authentication, Data Storage)          |
   \---------------+-------------------------+
                   | TLS 1.3
   +---------------+-------------------------+
   |         Device Firmware                  |
   |  +---------------------------------+    |
   |  |    Application Layer            |    |
   |  +---------------------------------+    |
   |  |    Security Services            |    |
   |  |  (Crypto, Auth, Secure Boot)    |    |
   |  +---------------------------------+    |
   |  |    Hardware Security            |    |
   |  |  (Secure Element, RNG)          |    |
   |  \---------------------------------+    |
   \-----------------------------------------+

2. AUTHENTICATION
   - Device-to-cloud: Mutual TLS with device certificates
   - User-to-device: Local API requires authentication token
   - Certificate provisioning: Factory-provisioned, unique per device

3. DATA PROTECTION
   - Data at rest: AES-256-GCM encryption
   - Data in transit: TLS 1.3 with certificate pinning
   - Sensitive data: Stored in secure element

4. UPDATE MECHANISM
   - Signed firmware updates (ECDSA P-256)
   - Signature verification before installation
   - Rollback protection via version counter
   - Automatic update checks (user-configurable)

Kwetsbaarheidsbeheer: vereiste inhoud

VULNERABILITY HANDLING CHECKLIST

Intake:
[ ] Contact methods documented (email, web form, security.txt)
[ ] CVD policy published
[ ] Researcher communication procedures

Process:
[ ] Triage procedures
[ ] Severity assessment methodology
[ ] Escalation paths
[ ] Patch development workflow
[ ] Testing procedures for patches

Communication:
[ ] Customer notification procedures
[ ] Advisory publication process
[ ] ENISA reporting integration (for active exploitation)

Monitoring:
[ ] Dependency vulnerability monitoring
[ ] CVE database monitoring
[ ] Threat intelligence sources

Documentatie kwetsbaarheidsbeheer

VULNERABILITY HANDLING PROCEDURES

1. CONTACT METHODS
   Primary: security@company.com
   Web Form: https://company.com/security/report
   security.txt: https://company.com/.well-known/security.txt
   CVD Policy: https://company.com/security/disclosure-policy

2. RESPONSE COMMITMENTS
   Acknowledgment: Within 3 business days
   Initial Assessment: Within 10 business days
   Status Updates: Every 14 days
   Resolution Target: 90 days (critical: 7 days)

3. INTERNAL PROCESS
   [Flowchart or process description]
   See: Process Document PD-VULN-003

4. PATCH DISTRIBUTION
   Mechanism: OTA updates via cloud infrastructure
   Notification: In-app notification + email to registered users
   Verification: Signed updates with rollback capability

5. ENISA REPORTING
   Trigger: Active exploitation detected
   Timeline: 24h early warning, 72h detailed report
   Responsible: Security Team Lead
   Process: See PD-ENISA-001

6. HISTORICAL RECORD
   Vulnerabilities handled (past 24 months): 3
   Average resolution time: 45 days
   ENISA reports filed: 0

Productie en monitoring: vereiste inhoud

Voor softwareproducten is er geen fabriekslijn. Bijlage VII, punt 2(c) beschrijft de build- en releasepipeline die uitleverbare artefacten produceert, de validatie dat die processen werken zoals bedoeld, en de monitoring na uitrol die regressies en nieuwe kwetsbaarheden opvangt. Documenteer elk onderdeel zodat een auditor een release kan herleiden tot een geverifieerde, reproduceerbare build.

PRODUCTION AND MONITORING CHECKLIST

Build and Release Pipeline:
[ ] Source of truth identified (repository, branch protection)
[ ] Reproducible build documented (toolchain versions pinned)
[ ] Build provenance captured (SLSA level, in-toto attestations)
[ ] Signing keys and key management documented
[ ] Release artifact integrity (signed binaries, SBOM at release)

Validation of Production Processes:
[ ] Security gates in CI documented (SAST, DAST, SCA pass criteria)
[ ] Regression suite covers Annex I-tagged requirements
[ ] Release approval workflow documented
[ ] Rollback plan for failed releases
[ ] Reproducibility audit cadence

Post-Deployment Monitoring:
[ ] Dependency vulnerability monitoring cadence (daily/weekly)
[ ] SBOM diff process on each release
[ ] CVE feed integration (NVD, GHSA, vendor advisories)
[ ] KEV cross-check for active exploitation
[ ] Telemetry for security-relevant events (failed updates, signature failures)
[ ] Customer notification triggers documented

Documentatie productie en monitoring

PRODUCTION AND MONITORING PROCESSES

Product: Industrial Gateway IG-200
Build platform: GitHub Actions on ubuntu-22.04 runners
Provenance: SLSA Level 3 (signed in-toto attestations)
Signing: Cosign + Sigstore, offline KMS-backed root key

BUILD PIPELINE:
1. Source: github.com/example/ig200-firmware (main branch protected,
   2-of-N review gate, signed commits required)
2. Build: reproducible cross-compile (rustc 1.78, locked Cargo.lock)
3. SAST: cargo-audit + clippy security lints (gate: 0 high+ findings)
4. SCA: trivy scan against built binary (gate: 0 known-exploitable CVEs)
5. Test: regression suite (1247 tests) + Annex-I conformance suite (89 tests)
6. Sign: cosign sign-blob + attest --predicate slsa-provenance.json
7. Release: artifact + SBOM (CycloneDX 1.5) + DoC excerpt published

VALIDATION OF PROCESSES:
- Pipeline definition reviewed quarterly (Security Lead + Release Manager)
- Annex I conformance test suite reviewed when standards or risks change
- Annual reproducibility audit (independent rebuild from tagged source)
- Failure mode: any gate fails -> release blocked, incident logged

POST-DEPLOYMENT MONITORING:
- Dependency CVE feed: Trivy + Renovate, daily scan against current SBOM
- Threshold: Critical or High with KEV match -> patch within 7 days
- Threshold: Medium without KEV -> patch in next monthly release
- Customer notification: signed RSS feed + email for advisories
- Internal telemetry: failed update events, signature verification failures
- Review cadence: weekly triage, monthly trend review

Sectie 3: Risicoanalyse voor cyberbeveiliging

Doel: Vastgelegde risico's en de aanpak daarvan documenteren.

Vereiste inhoud

RISK ASSESSMENT CHECKLIST

Methodology:
[ ] Risk assessment methodology described
[ ] Scope definition
[ ] Asset identification
[ ] Threat identification approach

Risk Analysis:
[ ] Threats enumerated
[ ] Vulnerabilities considered
[ ] Impact assessment
[ ] Likelihood assessment
[ ] Risk ratings

Risk Treatment:
[ ] Treatment decisions for each risk
[ ] Security controls mapped to risks
[ ] Residual risk assessment
[ ] Risk acceptance criteria

Opzet van de risicoanalyse

CYBERSECURITY RISK ASSESSMENT

Product: SmartSense Pro (SSP-3000)
Version: 2.4.1
Assessment Date: January 2027
Assessor: [Name, Security Team]

METHODOLOGY:
Based on ISO 27005 adapted for product security.
Risk = Likelihood × Impact
Scale: Low (1-4), Medium (5-9), High (10-16), Critical (17-25)

-------------------------------------------------------------
RISK ID: R-001
THREAT: Unauthorized firmware modification
VULNERABILITY: Unsigned firmware could be installed
IMPACT: High (5) - Device compromise, data breach
LIKELIHOOD: Medium (3) - Requires physical access
INHERENT RISK: 15 (High)

CONTROL: Firmware signature verification
IMPLEMENTATION: ECDSA P-256 signature checked before install
RESIDUAL RISK: 3 (Low) - Cryptographic attack unlikely

STATUS: Mitigated
-------------------------------------------------------------
RISK ID: R-002
THREAT: Man-in-the-middle attack on cloud communication
VULNERABILITY: Network traffic interception
IMPACT: High (4) - Data exposure, command injection
LIKELIHOOD: Medium (3) - Public networks possible
INHERENT RISK: 12 (High)

CONTROL: TLS 1.3 with certificate pinning
IMPLEMENTATION: Hardcoded CA certificate, no fallback
RESIDUAL RISK: 2 (Low) - Certificate compromise unlikely

STATUS: Mitigated
-------------------------------------------------------------
[Continue for all identified risks...]

RISK SUMMARY:
Total risks identified: 23
Critical: 0
High: 3 (all mitigated to Low/Medium)
Medium: 8 (all mitigated to Low)
Low: 12 (accepted or mitigated)

RESIDUAL RISK ACCEPTANCE:
All residual risks are within acceptable tolerance.
Signed: [Security Lead], [Date]

Sectie 4: Informatie over de ondersteuningsperiode

Doel: Documenteer de redenering achter de gekozen ondersteuningsperiode, conform artikel 13, lid 8. De ondersteuningsperiode is de periode waarin de fabrikant zich verbindt om beveiligingsupdates te leveren. Bijlage VII, punt 4 vereist dat het technisch dossier de informatie bevat die tot die beslissing heeft geleid.

Vereiste inhoud

SUPPORT PERIOD DECISION RECORD

Declared Support Period: [start date] to [end date]
Minimum: 5 years from market placement (or product lifetime, if shorter)

Inputs Considered (Article 13(8)):
[ ] Expected use duration of the product
[ ] User and customer expectations
[ ] Nature and intended purpose of the product
[ ] Relevant Union law (sector-specific minimums)
[ ] Guidance issued by the Commission
[ ] Reasonable expectations of consumers and other end users

Documented Justification:
[ ] Comparable product lifetimes in the market
[ ] Component vendor support timelines (OS, runtime, libraries)
[ ] Customer contracts or SLAs that imply update windows
[ ] Hardware end-of-life schedules (if applicable)

Hoe goede documentatie eruitziet

SUPPORT PERIOD DETERMINATION
Product: Industrial Gateway IG-200
Market placement: 2026-09-01
Declared support period: 2026-09-01 to 2034-09-01 (8 years)

Rationale:
1. Expected operational lifetime: 8-10 years (field deployment data,
   comparable to predecessor IG-150 still active in 2024 at 9 years).
2. Component support: Linux LTS kernel covers 6 years; we backport
   security patches for 2 additional years using vendor commitments.
3. Customer contracts: top 3 customers have 7-year service agreements;
   remainder typically renew on 5-year cycles.
4. Sector guidance: NIS2 covers operators of essential services using
   this gateway; assume update requirements through asset lifetime.
5. End-of-support communication: documented in user manual and EOL
   policy at https://example.com/security/eol.

Decision approved by: [Product Owner], [Security Lead], [Legal]
Date: 2026-08-15
Review trigger: any material change to component support timelines

Veelvoorkomende valkuilen

• Vasthouden aan het minimum van 5 jaar zonder onderbouwing. De 5 jaar uit artikel 13, lid 8 is een ondergrens, geen standaard. Producten met een langere verwachte levensduur vragen om een langere periode.
• Vergeten dat de ondergrens "of de levensduur van het product, indien korter" luidt. Een consumentenapparaat dat 18 maanden wordt verkocht, behoudt updateondersteuning gedurende de periode dat het product redelijkerwijs in gebruik blijft.
• De inputs niet vastleggen. Markttoezichtautoriteiten kunnen vragen hoe de periode is bepaald. "We hebben 5 jaar gekozen" is geen antwoord.
• Het als in beton gegoten beschouwen. Als de ondersteuningstermijnen van componenten veranderen (bijvoorbeeld wanneer een upstream-OS eerder dan verwacht EOL bereikt), moet het besluit worden bijgewerkt en moet de ondersteuningstoezegging worden gecommuniceerd.

Mapping van essentiële vereisten (Bijlage I)

Doel: Aantonen hoe aan elke vereiste van Bijlage I is voldaan.

Vereisten Bijlage I, Deel I

Koppel elke vereiste aan uw implementatie:

ESSENTIAL REQUIREMENTS COMPLIANCE MATRIX

ANNEX I, PART I - SECURITY REQUIREMENTS
═══════════════════════════════════════════════════════════

1. DESIGNED WITHOUT KNOWN EXPLOITABLE VULNERABILITIES
   Status: COMPLIANT
   Evidence:
   - Vulnerability scan report (Trivy): 0 critical/high
   - Dependency analysis: All components at latest secure versions
   - Penetration test report: No exploitable vulnerabilities found
   Reference: Test Report TR-2027-001, pages 15-23

2. SECURE BY DEFAULT CONFIGURATION
   Status: COMPLIANT
   Evidence:
   - Default configuration review document
   - No default passwords (unique credentials required at setup)
   - Unnecessary services disabled by default
   - Secure protocols enabled by default (TLS, not HTTP)
   Reference: Design Document DD-004, Section 3.2

3. PROTECTION AGAINST UNAUTHORIZED ACCESS
   Status: COMPLIANT
   Evidence:
   - Authentication architecture document
   - Access control implementation
   - Session management design
   - Failed login lockout mechanism
   Reference: Security Architecture SA-001, Chapter 4

4. CONFIDENTIALITY OF DATA
   Status: COMPLIANT
   Evidence:
   - Encryption specifications (AES-256-GCM)
   - Key management procedures
   - Data classification and handling
   Reference: Design Document DD-005

5. INTEGRITY OF DATA AND COMMANDS
   Status: COMPLIANT
   Evidence:
   - Message authentication (HMAC)
   - Command validation logic
   - Input validation procedures
   Reference: Security Architecture SA-001, Chapter 5

6. DATA MINIMIZATION
   Status: COMPLIANT
   Evidence:
   - Data inventory document
   - Justification for each data type collected
   - Retention policy (automatic purge after 90 days)
   Reference: Privacy Impact Assessment PIA-001

[Continue for all Annex I requirements...]

Vereisten Bijlage I, Deel II

ANNEX I, PART II - VULNERABILITY HANDLING
═══════════════════════════════════════════════════════════

1. IDENTIFY AND DOCUMENT VULNERABILITIES
   Status: COMPLIANT
   Evidence:
   - Vulnerability tracking system (JIRA project VULN)
   - CVE monitoring process document
   - SBOM-based dependency tracking
   Reference: Process Document PD-VULN-001

2. ADDRESS VULNERABILITIES WITHOUT DELAY
   Status: COMPLIANT
   Evidence:
   - Vulnerability response SLA document
   - Historical response time metrics
   - Patch development process
   Reference: Process Document PD-VULN-002

3. APPLY EFFECTIVE REGULAR TESTING
   Status: COMPLIANT
   Evidence:
   - Security testing schedule
   - Automated scan reports (weekly)
   - Annual penetration test reports
   Reference: Test Plan TP-SEC-001

[Continue for all Part II requirements...]

Sectie 5: Toegepaste normen

Doel: Documenteren welke normen zijn gebruikt en hoe.

Vereiste inhoud

STANDARDS APPLICATION CHECKLIST

Standards List:
[ ] All applied standards listed with version numbers
[ ] Harmonized standards identified separately
[ ] Reference to Official Journal publication (if harmonized)

Application Evidence:
[ ] How each standard was applied
[ ] Which clauses/sections apply
[ ] Any deviations or partial application

Deviation Handling:
[ ] Deviations documented with justification
[ ] Alternative measures for deviated requirements
[ ] Risk assessment for deviations

Opmaak normendocumentatie

APPLIED STANDARDS

HARMONIZED STANDARDS (presumption of conformity):
-------------------------------------------------------------
Standard: EN 303 645 (when harmonized for CRA)
Title: Cybersecurity for Consumer IoT
Status: Applied in full
Publication: OJEU [reference when published]
Evidence: Standards Compliance Report SCR-001
-------------------------------------------------------------

OTHER STANDARDS APPLIED:
-------------------------------------------------------------
Standard: IEC 62443-4-1:2018
Title: Security for Industrial Automation - Secure Development
Status: Applied (selected requirements)
Clauses Applied: 5, 6, 7, 8, 10
Evidence: SDL Documentation SLD-001
-------------------------------------------------------------
Standard: ISO/IEC 27001:2022
Title: Information Security Management
Status: Organization certified (Certificate #12345)
Relevance: ISMS covers product development processes
-------------------------------------------------------------
Standard: NIST Cybersecurity Framework 2.0
Title: Framework for Improving Critical Infrastructure Cybersecurity
Status: Reference framework for risk assessment
Evidence: Risk Assessment methodology document
-------------------------------------------------------------

DEVIATIONS:
-------------------------------------------------------------
Standard: EN 303 645
Clause: 5.3-2 (Unique per device credentials)
Deviation: Credentials unique per device but not pre-provisioned
Justification: Device requires user setup; credentials created
              during first-time configuration
Alternative Measure: Strong password requirements enforced,
                    account lockout after failed attempts
Risk Assessment: Residual risk acceptable (see R-015)
-------------------------------------------------------------

Sectie 6: Testresultaten

Doel: Bewijs leveren dat aan de vereisten daadwerkelijk is voldaan.

Vereiste inhoud

TEST DOCUMENTATION CHECKLIST

Test Planning:
[ ] Test plan with scope and objectives
[ ] Test cases mapped to requirements
[ ] Test environment description
[ ] Pass/fail criteria

Test Execution:
[ ] Test execution records
[ ] Test results summary
[ ] Failed tests and resolution
[ ] Retest evidence

Test Types:
[ ] Functional security testing
[ ] Vulnerability scanning
[ ] Penetration testing (if applicable)
[ ] Fuzz testing (if applicable)
[ ] Configuration review

Opmaak testresultaten

TEST RESULTS SUMMARY

Product: SmartSense Pro (SSP-3000) v2.4.1
Test Period: December 2026 - January 2027
Test Lead: [Name]

═══════════════════════════════════════════════════════════
TEST CAMPAIGN: TC-2027-001
═══════════════════════════════════════════════════════════

1. SECURITY FUNCTIONAL TESTING
   Scope: Authentication, authorization, encryption, secure boot
   Test Cases: 85
   Passed: 85
   Failed: 0
   Reference: Test Report TR-FUNC-001

2. VULNERABILITY SCANNING
   Tool: Trivy v0.48.0 + Nessus Professional
   Scope: Firmware, network services, web interface
   Findings:
     Critical: 0
     High: 0
     Medium: 2 (accepted with justification)
     Low: 5 (accepted)
   Reference: Scan Report SR-VULN-001

3. PENETRATION TESTING
   Provider: [Third-party firm name]
   Scope: Black-box testing of deployed device
   Duration: 5 days
   Findings:
     Critical: 0
     High: 0
     Medium: 1 (remediated before release)
     Low: 3 (accepted)
   Reference: Pentest Report PT-2027-001

4. FIRMWARE ANALYSIS
   Tool: EMBA v1.3
   Scope: Binary analysis, hardcoded credentials, crypto issues
   Findings:
     Critical: 0
     High: 0
     Informational: 4
   Reference: Firmware Analysis Report FA-001

5. CONFIGURATION REVIEW
   Scope: Default configuration security
   Findings: All defaults meet security requirements
   Reference: Configuration Review CR-001

═══════════════════════════════════════════════════════════
OVERALL ASSESSMENT: PASS
All critical and high findings remediated.
Medium/Low findings accepted with documented justification.
═══════════════════════════════════════════════════════════

Sectie 7: EU-verklaring van overeenstemming

Doel: De formele verklaring opnemen of ernaar verwijzen.

Vereiste inhoud

Het technisch dossier moet een kopie van de EU-verklaring van overeenstemming bevatten, of een verwijzing naar waar die te verkrijgen is.

EU DECLARATION OF CONFORMITY

(See separate DoC document or include copy in technical file)

Reference: DoC-SSP3000-2027-001
Date: March 1, 2027
Location: Technical File, Appendix A

The EU Declaration of Conformity accompanies every product
and is available for download at:
https://company.com/support/ssp3000/doc

Sectie 8: Software Bill of Materials

Doel: Componenttransparantie bieden voor het volgen van kwetsbaarheden. Bijlage VII, punt 8 maakt de SBOM op gemotiveerd verzoek van een markttoezichtautoriteit deel van het technisch dossier. In de praktijk stellen fabrikanten deze op en onderhouden deze samen met de rest van het dossier.

Verwante gidsen: Hardwareproducten vereisen daarnaast een HBOM, en de kwaliteit wordt beheerst door BSI TR-03183. De kwetsbaarheidsstatus van SBOM-componenten wordt gecommuniceerd via VEX. Zie de gids voor SBOM-vereisten voor CycloneDX versus SPDX, BSI TR-03183-kwaliteitsniveaus, HBOM-reikwijdte en VEX-gebruik, en de gids voor kwetsbaarheidsrapportage voor hoe VEX de verplichting "geen bekende exploiteerbare kwetsbaarheden" ondersteunt.

Vereiste inhoud

SBOM REQUIREMENTS CHECKLIST

Format:
[ ] Machine-readable format (CycloneDX or SPDX)
[ ] Human-readable summary

Content:
[ ] All software components listed
[ ] Component versions specified
[ ] Supplier information included
[ ] License information included
[ ] Known vulnerabilities at assessment time

Scope:
[ ] Direct dependencies
[ ] Transitive dependencies
[ ] Operating system components (if applicable)
[ ] Third-party libraries

SBOM-documentatie

SOFTWARE BILL OF MATERIALS

Product: SmartSense Pro (SSP-3000)
Firmware Version: 2.4.1
SBOM Format: CycloneDX 1.5
Generated: 2027-01-15
Tool: Trivy + syft

SBOM FILE:
sbom-ssp3000-v2.4.1.json (attached)

COMPONENT SUMMARY:
-------------------------------------------------------------
Total Components: 127
  Direct Dependencies: 23
  Transitive Dependencies: 104

By Type:
  Libraries: 98
  Frameworks: 12
  Operating System: 1 (FreeRTOS)
  Firmware Modules: 16

By License:
  MIT: 45
  Apache 2.0: 38
  BSD: 15
  LGPL: 8
  Proprietary: 21 (internal components)
-------------------------------------------------------------

VULNERABILITY STATUS AT ASSESSMENT:
-------------------------------------------------------------
Scan Date: 2027-01-15
Scanner: Trivy v0.48.0

Critical: 0
High: 0
Medium: 2 (accepted - see below)
Low: 5 (accepted)

ACCEPTED VULNERABILITIES:
CVE-2026-XXXXX (Medium): Component xyz v1.2.3
  Status: Not exploitable in our configuration
  Justification: Feature not enabled, code path not reachable
  Review Date: 2027-04-15

CVE-2026-YYYYY (Medium): Component abc v2.0.1
  Status: Mitigated by network controls
  Justification: Requires local access, device is network-isolated
  Review Date: 2027-04-15
-------------------------------------------------------------

SBOM UPDATE COMMITMENT:
SBOM will be updated with each firmware release and made
available to customers upon request.

Wanneer moet het technisch dossier worden bijgewerkt?

Levende documentatie

Het technisch dossier is geen statisch document:

TECHNICAL FILE UPDATE TRIGGERS

MANDATORY UPDATES:
- New firmware/software version
- Security patch release
- Vulnerability discovered and addressed
- Design change affecting security
- Standards update (if applied standards change)
- SBOM changes (new/updated components)

PERIODIC REVIEWS:
- Quarterly: SBOM and vulnerability status
- Annually: Full technical file review
- Before support period end: Final documentation freeze

VERSION CONTROL:
- All documents version-controlled
- Change history maintained
- Previous versions archived

Bewaartermijn

Let op: "10 jaar vanaf de datum waarop de laatste eenheid op de markt is gebracht" betekent: als u producten verkoopt tot en met 2030, loopt de bewaartermijn tot 2040. Plan uw documentopslag daar op in.

DOCUMENTATION RETENTION

Retention Period: 10 years from last unit placed on market

Example Timeline:
- Product first placed on market: March 2027
- Last unit placed on market: December 2030
- Documentation retention until: December 2040

Storage Requirements:
- Secure, accessible storage
- Backup procedures
- Integrity protection
- Available within [48 hours] of authority request

Veelgemaakte fouten

Waarschuwing: Een technisch dossier dat alleen versie 1.0 beschrijft terwijl uw product op versie 2.3 staat, geldt als non-compliant. Werk de documentatie bij bij elke release.

Onvolledige risicoanalyse

Probleem: Een risicoanalyse die niet alle dreigingen dekt of geen behandeldetails bevat.

Oplossing: Gebruik een gestructureerde methode. Koppel elk geïdentificeerd risico aan een maatregel of een acceptatiebeslissing.

Ontbrekende SBOM

Probleem: Geen SBOM, of een SBOM zonder transitieve afhankelijkheden.

Oplossing: Genereer de SBOM met geschikte tooling. Neem de volledige afhankelijkheidsboom op.

Verouderde documentatie

Probleem: Het technisch dossier beschrijft versie 1.0 terwijl het product op versie 2.3 staat.

Oplossing: Werk de documentatie bij bij elke release. Houd versies expliciet bij.

Geen vereistentracering

Probleem: Compliance wordt geclaimd maar er wordt niet aangetoond hoe aan elke vereiste is voldaan.

Oplossing: Maak een expliciete mapping van elke Bijlage I-vereiste naar het bijbehorende bewijs.

Tests zonder bewijs

Probleem: Er wordt gesteld dat testen heeft plaatsgevonden, maar rapporten zijn niet beschikbaar.

Oplossing: Bewaar alle testrapporten. Neem ze op in het technisch dossier of verwijs er duidelijk naar.

Checklist technisch dossier

TECHNICAL FILE COMPLETENESS CHECKLIST

SECTION 1 - GENERAL DESCRIPTION:
[ ] Product identification complete
[ ] Intended purpose documented
[ ] CRA classification stated with justification
[ ] Market placement information

SECTION 2 - DESIGN, DEVELOPMENT AND VULNERABILITY HANDLING:
[ ] Architecture diagrams
[ ] Security design documentation
[ ] Development process description
[ ] Change management procedures
[ ] Vulnerability contact methods documented
[ ] CVD policy published
[ ] Vulnerability handling process documented
[ ] ENISA reporting procedures in place

SECTION 3 - RISK ASSESSMENT:
[ ] Methodology documented
[ ] All risks identified
[ ] Treatment decisions for each risk
[ ] Residual risk assessment

SECTION 4 - SUPPORT PERIOD INFORMATION:
[ ] Declared support period stated (start and end dates)
[ ] Article 13(8) inputs documented (use duration, user expectations, sector law)
[ ] Justification recorded (component support timelines, customer contracts, hardware EOL)
[ ] Decision sign-off captured (product, security, legal)

ANNEX I MAPPING (supports Sections 5-7):
[ ] Annex I Part I mapping complete
[ ] Annex I Part II mapping complete
[ ] Evidence referenced for each requirement

SECTION 5 - STANDARDS:
[ ] All applied standards listed
[ ] Application evidence provided
[ ] Deviations documented and justified

SECTION 6 - TEST RESULTS:
[ ] Test plan documented
[ ] Test reports attached
[ ] All findings addressed

SECTION 7 - DoC:
[ ] Declaration of Conformity included/referenced

SECTION 8 - SBOM (on reasoned request):
[ ] Machine-readable SBOM prepared (CycloneDX or SPDX)
[ ] All components included (direct + transitive)
[ ] Vulnerability status documented
[ ] Available for surveillance authority on request

MAINTENANCE:
[ ] Version control established
[ ] Update procedures documented
[ ] Retention plan in place