Can authorities ask for internal documentation and data, not just the public-facing compliance file?
Yes.
On a reasoned request, authorities must be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. The documentation must be accessible in a language easily understood by the authority.
Can data-protection authorities also access CRA documentation?
Yes, where they need that documentation for the fulfilment of their own tasks.
Article 52(7) gives authorities supervising Union data-protection law the power to request and access documentation created or maintained under the CRA, while also requiring them to inform the designated CRA market-surveillance authorities of the Member State concerned.
Do market-surveillance authorities have to test a product in the same way as the manufacturer?
Not necessarily.
The Commission FAQ says authorities may consider using the same methodology as the manufacturer, especially where that methodology is part of a harmonised standard supporting the CRA, but they may use a different methodology on a justified basis.
If a CRA problem is found in one Member State, does the corrective action stop there?
No.
If the product has been made available across the Union, the economic operator must ensure that appropriate corrective action is taken for all affected products throughout the Union.
What happens if the operator does not take adequate corrective action?
The national authority must take appropriate provisional measures itself.
Those measures can include prohibiting or restricting the product from being made available on the national market, withdrawing it, or recalling it. The authority must then notify the Commission and the other Member States without delay.
The safeguard procedure is the Commission review process that applies when another Member State objects to a notified national measure or when the Commission considers that measure contrary to Union law.
The Commission must consult the relevant Member State and the economic operator, evaluate the national measure, and decide within nine months from the Article 54(5) notification whether the measure is justified.
What if the underlying CRA enforcement problem comes from a harmonised standard, a certification scheme, or a common specification?
The safeguard procedure still applies, but the Commission may also need to act on the conformity tool itself.
If the justified national measure is linked to shortcomings in a harmonised standard, the Commission applies the standards safeguard procedure. If it is linked to shortcomings in a European cybersecurity certification scheme or in common specifications, the Commission must consider whether to amend or repeal the CRA act that gave that tool presumption-of-conformity effect.
Can a product still be restricted even if it complies with the CRA?
Yes.
Article 57 covers products that are compliant with the CRA but still present a significant cybersecurity risk together with a risk to health or safety, fundamental-rights compliance, the availability, authenticity, integrity or confidentiality of services offered by essential entities, or other aspects of public-interest protection.
Can the Commission intervene directly in exceptional cases?
Yes.
If immediate intervention is justified to preserve the proper functioning of the internal market, and effective national measures have not been taken, the Commission may carry out its own evaluation, may request ENISA analysis, and may adopt Union-level implementing acts requiring corrective or restrictive measures, including withdrawal or recall.
The CRA provides this type of Union-level intervention both for non-compliant products that present a significant cybersecurity risk and for compliant products that still present the risks covered by Article 57.
What role do CSIRTs and ENISA play in CRA enforcement?
They support enforcement, but they are not the primary market-surveillance authorities.
Authorities may ask CSIRTs designated as coordinators or ENISA for technical advice and compliance-support analysis. ENISA can also propose joint activities and identify product categories for sweeps.
Does a notified-body certificate or other third-party conformity evidence block CRA market-surveillance action?
No.
The CRA still allows market-surveillance authorities to investigate, require corrective action, adopt restrictive measures, and address formal non-compliance. Where an Article 54 investigation leads to corrective action, the authority must also inform the relevant notified body.
Formal non-compliance covers certain documentary or marking failures even before the authority proves a deeper substantive breach of Annex I.
Article 58 lists the relevant cases: CE marking missing or wrongly affixed, the EU declaration of conformity missing or incorrect, the notified-body identification number missing where required, or technical documentation unavailable or incomplete.
What happens under the CRA if formal non-compliance is not fixed?
The Member State concerned must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure that it is recalled or withdrawn.
Joint activities are coordinated actions that market-surveillance authorities may carry out with other relevant authorities for specific products or categories of products, especially where those products are often found to present cybersecurity risks.
The Commission or ENISA may propose joint activities based on indications of potential non-compliance across several Member States, and the agreement on joint activities must be made public.
Sweeps are simultaneous coordinated control actions for particular products or product categories to check compliance or detect infringements.
They may include inspections of products acquired under a cover identity. Unless the participating authorities agree otherwise, sweeps are coordinated by the Commission, and ENISA may propose categories of products for which sweeps should be organised.
Can CRA market surveillance focus on support-period decisions as well as immediate vulnerabilities?
Yes.
Authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods. ADCO must publish relevant statistics, including average support periods, and may issue recommendations to focus surveillance on product categories where support periods appear inadequate.
Is CRA enforcement subject to confidentiality protections?
Yes.
The CRA protects intellectual property, confidential business information, trade secrets, source code, the effectiveness of inspections and investigations, public and national security interests, and the integrity of criminal or administrative proceedings. Information exchanged confidentially between authorities and the Commission is also protected against onward disclosure without the originating authority's agreement.
How do CRA penalties and administrative fines work?
Member States must lay down the national penalty rules, but Article 64 sets Union-level caps for certain infringements.
The highest cap applies to non-compliance with Annex I and with Articles 13 and 14: up to EUR 15 000 000 or, for an undertaking, up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Article 64 also sets lower caps for other listed obligations and for supplying incorrect, incomplete, or misleading information.