From Jordan's response,
It's also important to note that while recitals do provide context to support interpretation, they are not exhaustive. In my view, for some products, in particular in lower-risk uses and for very popular libraries, they may suffice. However, for higher-risk products or use cases, in my view they are inadequate. The law creates security attestations to address this problem (at least, that was the logic when it was written!)
Beyond this, my understanding is that in all cases of manufacturer due diligence on the components incorporated into a Product with Digital Elements, the diligence goes well beyond simply checking for an attestation/CE mark on the component. An incorporating product will need to be self-assessed/assessed and secure with the component incorporated, including via testing and whatever other mitigations are required for the incorporating product. This will then all become part of the technical documentation. By providing clear attestations the component manufacturer (or OSS project/steward) makes it much easier for the incorporating manufacturer ... but does not absolve them of their own duties.
Furthermore, in some cases, such as Remote Data Processing Solutions and possibly other classes of component products commonly integrated into a class of Product with Digital Elements, it may be possible for the CRA vertical standards to include more detail or even requirements regarding what constitutes appropriate due diligence. I haven't seen this yet in practice though.
Sincerely,
August Bournique