Search every question across CRA sub-FAQs

No.

The CRA still allows market-surveillance authorities to investigate, require corrective action, adopt restrictive measures, and address formal non-compliance. Where an Article 54 investigation leads to corrective action, the authority must also inform the relevant notified body.

It covers certain documentary or marking failures even before the authority proves a deeper substantive breach of Annex I.

Article 58 lists the relevant cases: CE marking missing or wrongly affixed, the EU declaration of conformity missing or incorrect, the notified-body identification number missing where required, or technical documentation unavailable or incomplete.

The Member State concerned must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure that it is recalled or withdrawn.

They are coordinated actions that market-surveillance authorities may carry out with other relevant authorities for specific products or categories of products, especially where those products are often found to present cybersecurity risks.

The Commission or ENISA may propose joint activities based on indications of potential non-compliance across several Member States, and the agreement on joint activities must be made public.

Sweeps are simultaneous coordinated control actions for particular products or product categories to check compliance or detect infringements.

They may include inspections of products acquired under a cover identity. Unless the participating authorities agree otherwise, sweeps are coordinated by the Commission, and ENISA may propose categories of products for which sweeps should be organised.

Yes.

Authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods. ADCO must publish relevant statistics, including average support periods, and may issue recommendations to focus surveillance on product categories where support periods appear inadequate.

Yes.

The CRA protects intellectual property, confidential business information, trade secrets, source code, the effectiveness of inspections and investigations, public and national security interests, and the integrity of criminal or administrative proceedings. Information exchanged confidentially between authorities and the Commission is also protected against onward disclosure without the originating authority's agreement.

Member States must lay down the national penalty rules, but Article 64 sets Union-level caps for certain infringements.

The highest cap applies to non-compliance with Annex I and with Articles 13 and 14: up to EUR 15 000 000 or, for an undertaking, up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Article 64 also sets lower caps for other listed obligations and for supplying incorrect, incomplete, or misleading information.

Yes.

The CRA expressly allows administrative fines, depending on the circumstances, to be imposed in addition to other corrective or restrictive measures applied for the same infringement.

Yes.

Supplying incorrect, incomplete, or misleading information to notified bodies or market-surveillance authorities in reply to a request has its own fine category, with a cap of up to EUR 5 000 000 or, for an undertaking, up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Yes.

They must report the outcomes of relevant market-surveillance activities to the Commission on an annual basis. They must also report without delay any information identified during market-surveillance activities that may be of potential interest for the application of Union competition law.

No.

The CRA uses different enforcement routes depending on the problem. Article 54, together with Article 55, covers products that present a significant cybersecurity risk and are found non-compliant. Article 57 covers products that comply with the CRA but still present the additional risks listed there. Article 58 covers formal non-compliance such as missing or incorrect CE-marking, declaration, or technical-documentation elements.

Yes.

Article 54(6) requires the notifying authority to include the arguments put forward by the relevant economic operator. Article 54(8) also preserves the operator's procedural rights under Regulation (EU) 2019/1020, and Article 55(1) requires the Commission to consult the relevant economic operator during the Union safeguard procedure. The Blue Guide likewise explains that safeguard decisions are binding legal measures and can be subject to appeal under the applicable framework.

Yes.

Article 59(4) expressly allows a market-surveillance authority to use information obtained through joint activities as part of any investigation it undertakes. So joint activities are not limited to one-off coordination exercises with no later evidentiary value.

Yes.

Article 60 says sweeps may include inspections of products acquired under a cover identity. It also says that, when conducting sweeps, market-surveillance authorities may use the investigation powers in Articles 52 to 58 and any additional powers conferred by national law. They may also invite Commission officials and other persons authorised by the Commission to participate.

Yes.

Article 13(25) allows ADCO to decide to conduct a Union-wide dependency assessment for specific categories of products with digital elements. For that purpose, market-surveillance authorities may request manufacturers of those categories to provide the relevant SBOMs. The authorities may then provide ADCO only anonymised and aggregated information about software dependencies.

Yes.

Article 52(12) requires market-surveillance authorities to facilitate, where relevant, cooperation with relevant stakeholders, including scientific, research, and consumer organisations.

Module A is the internal control conformity-assessment procedure.

Under this route, the manufacturer itself ensures and declares, on its sole responsibility, that the product satisfies the essential cybersecurity requirements in Part I of Annex I and that the manufacturer meets the vulnerability-handling requirements in Part II of Annex I.

No.

Module A is the CRA's self-assessment route. The Commission FAQ states expressly that no notified body participates in this procedure.

Yes, for products that are not pushed by Article 32 into a stricter route.

Article 32(1) lists module A as one of the CRA's general conformity-assessment procedures. In practice, it is the route available unless the product falls into the specific cases where Article 32(2), 32(3), or 32(4) require another procedure.