Who is responsible for CRA market surveillance when the product is also a high-risk AI system?
For those products, the market-surveillance authorities designated under the AI Act are responsible for the CRA market-surveillance activities.
They still have to cooperate, as appropriate, with the market-surveillance authorities designated under the CRA and, for Article 14 reporting supervision, with the CSIRTs designated as coordinators and ENISA.
Are open-source software stewards also supervised through CRA market surveillance?
Yes.
The authorities designated under Article 52 are also responsible for market-surveillance activities relating to the obligations imposed on open-source software stewards under Article 24. If a steward is non-compliant, the authority must require appropriate corrective action.
Do CRA market-surveillance authorities have to cooperate with other regulators?
Yes.
The CRA requires cooperation, where relevant, with national cybersecurity certification authorities, CSIRTs designated as coordinators, ENISA, market-surveillance authorities under other Union product laws, and authorities supervising Union data-protection law.
Can complaints, vulnerability reports, or other outside signals trigger enforcement attention?
Yes.
The CRA requires authorities to inform consumers where to submit complaints indicating possible non-compliance and where and how to access mechanisms for reporting vulnerabilities, incidents, and cyber threats affecting products with digital elements. Because the CRA applies the Union market-surveillance framework in Regulation (EU) 2019/1020, the Blue Guide also states that complaints must be followed up appropriately and that consumer complaints, media reports, incidents, and similar information can feed the authorities' risk-based choice of online and offline checks.
But a complaint or report does not by itself establish infringement. Any corrective or restrictive measure still has to rest on the legal findings required under the CRA procedures.
Can CRA market-surveillance authorities provide guidance as well as enforce?
Yes.
The CRA expressly allows market-surveillance authorities to provide guidance and advice to economic operators on implementation, with support from the Commission and, where appropriate, CSIRTs and ENISA.
What can trigger a formal CRA product evaluation by a national authority?
A national authority can open the Article 54 procedure where it has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk.
The evaluation concerns compliance with all CRA requirements, not just one suspected defect.
Does "significant cybersecurity risk" include non-technical factors?
Yes.
When determining the significance of a cybersecurity risk, authorities must also consider non-technical risk factors, in particular those identified through Union-level coordinated security risk assessments of critical supply chains under NIS 2.
What must economic operators do during a CRA investigation?
They must cooperate with the market-surveillance authority as necessary.
The CRA also allows authorities to request technical support from a CSIRT designated as coordinator or from ENISA when implementing or enforcing the Regulation and when evaluating compliance under Article 54.
Can authorities ask for internal documentation and data, not just the public-facing compliance file?
Yes.
On a reasoned request, authorities must be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. The documentation must be accessible in a language easily understood by the authority.
Can data-protection authorities also access CRA documentation?
Yes, where they need that documentation for the fulfilment of their own tasks.
Article 52(7) gives authorities supervising Union data-protection law the power to request and access documentation created or maintained under the CRA, while also requiring them to inform the designated CRA market-surveillance authorities of the Member State concerned.
Do market-surveillance authorities have to test a product in the same way as the manufacturer?
Not necessarily.
The Commission FAQ says authorities may consider using the same methodology as the manufacturer, especially where that methodology is part of a harmonised standard supporting the CRA, but they may use a different methodology on a justified basis.
If a CRA problem is found in one Member State, does the corrective action stop there?
No.
If the product has been made available across the Union, the economic operator must ensure that appropriate corrective action is taken for all affected products throughout the Union.
What happens if the operator does not take adequate corrective action?
The national authority must take appropriate provisional measures itself.
Those measures can include prohibiting or restricting the product from being made available on the national market, withdrawing it, or recalling it. The authority must then notify the Commission and the other Member States without delay.
It is the Commission review process that applies when another Member State objects to a notified national measure or when the Commission considers that measure contrary to Union law.
The Commission must consult the relevant Member State and the economic operator, evaluate the national measure, and decide within nine months from the Article 54(5) notification whether the measure is justified.
What if the underlying CRA enforcement problem comes from a harmonised standard, a certification scheme, or a common specification?
The safeguard procedure still applies, but the Commission may also need to act on the conformity tool itself.
If the justified national measure is linked to shortcomings in a harmonised standard, the Commission applies the standards safeguard procedure. If it is linked to shortcomings in a European cybersecurity certification scheme or in common specifications, the Commission must consider whether to amend or repeal the CRA act that gave that tool presumption-of-conformity effect.
Can a product still be restricted even if it complies with the CRA?
Yes.
Article 57 covers products that are compliant with the CRA but still present a significant cybersecurity risk together with a risk to health or safety, fundamental-rights compliance, the availability, authenticity, integrity or confidentiality of services offered by essential entities, or other aspects of public-interest protection.
Can the Commission intervene directly in exceptional cases?
Yes.
If immediate intervention is justified to preserve the proper functioning of the internal market, and effective national measures have not been taken, the Commission may carry out its own evaluation, may request ENISA analysis, and may adopt Union-level implementing acts requiring corrective or restrictive measures, including withdrawal or recall.
The CRA provides this type of Union-level intervention both for non-compliant products that present a significant cybersecurity risk and for compliant products that still present the risks covered by Article 57.
What role do CSIRTs and ENISA play in CRA enforcement?
They support enforcement, but they are not the primary market-surveillance authorities.
Authorities may ask CSIRTs designated as coordinators or ENISA for technical advice and compliance-support analysis. ENISA can also propose joint activities and identify product categories for sweeps.