Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.
Yes.
The CRA expressly allows administrative fines, depending on the circumstances, to be imposed in addition to other corrective or restrictive measures applied for the same infringement.
Article 64(9) allows administrative fines in addition to corrective or restrictive measures.
Yes.
Supplying incorrect, incomplete, or misleading information to notified bodies or market-surveillance authorities in reply to a request has its own fine category, with a cap of up to EUR 5 000 000 or, for an undertaking, up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Article 64(4) sets a separate fine category for incorrect, incomplete, or misleading replies to authorities or notified bodies.
Yes.
They must report the outcomes of relevant market-surveillance activities to the Commission on an annual basis. They must also report without delay any information identified during market-surveillance activities that may be of potential interest for the application of Union competition law.
Article 52(13) requires annual market-surveillance reporting and competition-law information reporting.
No.
The CRA uses different enforcement routes depending on the problem. Article 54, together with Article 55, covers products that present a significant cybersecurity risk and are found non-compliant. Article 57 covers products that comply with the CRA but still present the additional risks listed there. Article 58 covers formal non-compliance such as missing or incorrect CE-marking, declaration, or technical-documentation elements.
Articles 54, 55, 57 and 58 distinguish non-compliant-risk, compliant-risk, safeguard, and formal non-compliance tracks.
Yes.
Article 54(6) requires the notifying authority to include the arguments put forward by the relevant economic operator. Article 54(8) also preserves the operator's procedural rights under Regulation (EU) 2019/1020, and Article 55(1) requires the Commission to consult the relevant economic operator during the Union safeguard procedure. The Blue Guide likewise explains that safeguard decisions are binding legal measures and can be subject to appeal under the applicable framework.
Articles 54(6), 54(8), and 55(1) require operator arguments, preserve procedural rights, and require Commission consultation.
Section 7.6.2 explains procedural safeguards and the reasons that must support national measures.
Yes.
Article 59(4) expressly allows a market-surveillance authority to use information obtained through joint activities as part of any investigation it undertakes. So joint activities are not limited to one-off coordination exercises with no later evidentiary value.
Article 59(4) permits market-surveillance authorities to use joint-activity information in later investigations.
Yes.
Article 60 says sweeps may include inspections of products acquired under a cover identity. It also says that, when conducting sweeps, market-surveillance authorities may use the investigation powers in Articles 52 to 58 and any additional powers conferred by national law. They may also invite Commission officials and other persons authorised by the Commission to participate.
Article 60(1), (4), and (5) supports cover-identity inspections, investigation powers, and Commission participation in sweeps.
Yes.
Article 13(25) allows ADCO to decide to conduct a Union-wide dependency assessment for specific categories of products with digital elements. For that purpose, market-surveillance authorities may request manufacturers of those categories to provide the relevant SBOMs. The authorities may then provide ADCO only anonymised and aggregated information about software dependencies.
Article 13(25) allows ADCO dependency assessments and SBOM requests for specific product categories.
Yes.
Article 52(12) requires market-surveillance authorities to facilitate, where relevant, cooperation with relevant stakeholders, including scientific, research, and consumer organisations.
Article 52(12) requires relevant stakeholder cooperation, including scientific, research, and consumer organisations.
Module B+C is a two-step conformity-assessment route.
Module B is EU-type examination by a notified body. Module C is conformity to the approved type based on the manufacturer's internal production control. Together, they cover both the examination of the product type and the manufacturer's obligation to keep actual production in line with that approved type.
Identifies Module B+C as EU-type examination followed by conformity to EU-type based on internal production control.
Explains the practical distinction between the notified-body examination step and the manufacturer's production-control step.
Module B+C is one of the mandatory third-party routes for:
- important products of class I where Article 32(2) requires third-party assessment for the relevant requirements
- important products of class II, such as hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors or microcontrollers
- critical products listed in Annex IV, unless the applicable certification route under Article 8(1) applies
Sets when class I, class II, and critical products must use Module B+C, Module H, or an applicable cybersecurity certification route.
Confirms that important and critical products can trigger third-party conformity assessment before EU market placement.
Yes.
Article 32(1) allows manufacturers to use Module B+C for products generally covered by paragraph 1, even where module A would also be available.
Allows manufacturers to choose Module B+C among the general Article 32(1) conformity assessment procedures.
Distinguishes voluntary use of a notified-body route from the default internal-control route where third-party assessment is not required.
Yes.
Module B is the notified-body part of the route. Module C then follows with the manufacturer's own internal production control against the approved type.
Module B is performed by a notified body; Module C is the manufacturer's internal production-control step.
Only one.
The manufacturer must lodge the EU-type examination application with a single notified body of its choice and must declare that the same application has not been lodged with any other notified body.
Requires the Module B application to go to one notified body and include a declaration that no duplicate application was lodged elsewhere.
The application must include:
- the manufacturer details and, where relevant, the authorised representative's details
- a declaration that the same application has not been lodged with another notified body
- technical documentation that allows conformity to be assessed, including an adequate analysis and assessment of the risks
- supporting evidence for the adequacy of the technical design, development solutions, and vulnerability-handling processes
Where necessary, the supporting evidence must include test results from the manufacturer's own laboratory or another testing laboratory acting on its behalf and under its responsibility.
Lists the manufacturer details, non-duplicate-application declaration, technical documentation, risk analysis, supporting evidence, and test evidence required for Module B.
It covers both.
EU-type examination is not limited to the product's technical design and development. The notified body also examines the vulnerability-handling processes put in place by the manufacturer against Part II of Annex I.
Shows that EU-type examination covers both the product's technical design and the manufacturer's vulnerability-handling processes.
It assesses both.
Annex VIII Part II requires examination of the technical documentation and supporting evidence, plus examination of specimens of one or more critical parts of the product. The notified body must also carry out appropriate examinations and tests, or have them carried out.
Requires the notified body to examine documentation, supporting evidence, specimens of critical parts, and appropriate examinations or tests.
The notified body checks:
- whether the technical documentation and supporting evidence are adequate
- whether the examined specimens match the documentation
- which elements were designed and developed using relevant harmonised standards or technical specifications and which were not
- whether the manufacturer's chosen solutions satisfy the applicable essential cybersecurity requirements
Sets the notified body's checks on documentation, specimens, harmonised-standard use, and alternative solutions.
Yes.
Annex VIII Part II point 4.5 says the notified body and the manufacturer agree on the location where the examinations and tests will be carried out.
Allows the manufacturer and notified body to agree where Module B examinations and tests are performed.
The manufacturer receives an EU-type examination certificate.
The certificate identifies the approved type and the vulnerability-handling processes, and it records the conclusions of the examination and any validity conditions.
Defines the EU-type examination certificate contents when the type and vulnerability-handling processes meet Annex I.