EU Cyber Resilience Act FAQ Market Surveillance and Enforcement

Member States do, through their designated market surveillance authorities.

The CRA requires each Member State to designate one or more market surveillance authorities, and it makes the general Union market-surveillance framework in Regulation (EU) 2019/1020 applicable to products within the CRA's scope.

No.

The CRA uses the existing Union market-surveillance framework rather than creating a completely standalone enforcement system. Article 52(1) expressly makes Regulation (EU) 2019/1020 applicable to products with digital elements covered by the CRA.

For those products, the market-surveillance authorities designated under the AI Act are responsible for the CRA market-surveillance activities.

They still have to cooperate, as appropriate, with the market-surveillance authorities designated under the CRA and, for Article 14 reporting supervision, with the CSIRTs designated as coordinators and ENISA.

Yes.

The authorities designated under Article 52 are also responsible for market-surveillance activities relating to the obligations imposed on open-source software stewards under Article 24. If a steward is non-compliant, the authority must require appropriate corrective action.

Yes.

The CRA requires cooperation, where relevant, with national cybersecurity certification authorities, CSIRTs designated as coordinators, ENISA, market-surveillance authorities under other Union product laws, and authorities supervising Union data-protection law.

Yes.

The CRA requires authorities to inform consumers where to submit complaints indicating possible non-compliance and where and how to access mechanisms for reporting vulnerabilities, incidents, and cyber threats affecting products with digital elements. Because the CRA applies the Union market-surveillance framework in Regulation (EU) 2019/1020, the Blue Guide also states that complaints must be followed up appropriately and that consumer complaints, media reports, incidents, and similar information can feed the authorities' risk-based choice of online and offline checks.

But a complaint or report does not by itself establish infringement. Any corrective or restrictive measure still has to rest on the legal findings required under the CRA procedures.

Yes.

The CRA expressly allows market-surveillance authorities to provide guidance and advice to economic operators on implementation, with support from the Commission and, where appropriate, CSIRTs and ENISA.

A national authority can open the Article 54 procedure where it has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk.

The evaluation concerns compliance with all CRA requirements, not just one suspected defect.

Yes.

When determining the significance of a cybersecurity risk, authorities must also consider non-technical risk factors, in particular those identified through Union-level coordinated security risk assessments of critical supply chains under NIS 2.

They must cooperate with the market-surveillance authority as necessary.

The CRA also allows authorities to request technical support from a CSIRT designated as coordinator or from ENISA when implementing or enforcing the Regulation and when evaluating compliance under Article 54.

Yes.

On a reasoned request, authorities must be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. The documentation must be accessible in a language easily understood by the authority.

Yes, where they need that documentation for the fulfilment of their own tasks.

Article 52(7) gives authorities supervising Union data-protection law the power to request and access documentation created or maintained under the CRA, while also requiring them to inform the designated CRA market-surveillance authorities of the Member State concerned.

Not necessarily.

The Commission FAQ says authorities may consider using the same methodology as the manufacturer, especially where that methodology is part of a harmonised standard supporting the CRA, but they may use a different methodology on a justified basis.

It can require the relevant economic operator to bring the product into compliance, withdraw it from the market, or recall it.

The deadline must be reasonable and proportionate to the nature of the cybersecurity risk.

No.

If the product has been made available across the Union, the economic operator must ensure that appropriate corrective action is taken for all affected products throughout the Union.

The national authority must take appropriate provisional measures itself.

Those measures can include prohibiting or restricting the product from being made available on the national market, withdrawing it, or recalling it. The authority must then notify the Commission and the other Member States without delay.

If no Member State and the Commission object within three months after the Article 54(5) notification, the measure is deemed justified.

That deeming rule does not prejudice the economic operator's procedural rights under Regulation (EU) 2019/1020.

It is the Commission review process that applies when another Member State objects to a notified national measure or when the Commission considers that measure contrary to Union law.

The Commission must consult the relevant Member State and the economic operator, evaluate the national measure, and decide within nine months from the Article 54(5) notification whether the measure is justified.

The safeguard procedure still applies, but the Commission may also need to act on the conformity tool itself.

If the justified national measure is linked to shortcomings in a harmonised standard, the Commission applies the standards safeguard procedure. If it is linked to shortcomings in a European cybersecurity certification scheme or in common specifications, the Commission must consider whether to amend or repeal the CRA act that gave that tool presumption-of-conformity effect.

Yes.

Article 57 covers products that are compliant with the CRA but still present a significant cybersecurity risk together with a risk to health or safety, fundamental-rights compliance, the availability, authenticity, integrity or confidentiality of services offered by essential entities, or other aspects of public-interest protection.

Yes.

If immediate intervention is justified to preserve the proper functioning of the internal market, and effective national measures have not been taken, the Commission may carry out its own evaluation, may request ENISA analysis, and may adopt Union-level implementing acts requiring corrective or restrictive measures, including withdrawal or recall.

The CRA provides this type of Union-level intervention both for non-compliant products that present a significant cybersecurity risk and for compliant products that still present the risks covered by Article 57.

They support enforcement, but they are not the primary market-surveillance authorities.

Authorities may ask CSIRTs designated as coordinators or ENISA for technical advice and compliance-support analysis. ENISA can also propose joint activities and identify product categories for sweeps.

No.

The CRA still allows market-surveillance authorities to investigate, require corrective action, adopt restrictive measures, and address formal non-compliance. Where an Article 54 investigation leads to corrective action, the authority must also inform the relevant notified body.

It covers certain documentary or marking failures even before the authority proves a deeper substantive breach of Annex I.

Article 58 lists the relevant cases: CE marking missing or wrongly affixed, the EU declaration of conformity missing or incorrect, the notified-body identification number missing where required, or technical documentation unavailable or incomplete.

The Member State concerned must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure that it is recalled or withdrawn.

They are coordinated actions that market-surveillance authorities may carry out with other relevant authorities for specific products or categories of products, especially where those products are often found to present cybersecurity risks.

The Commission or ENISA may propose joint activities based on indications of potential non-compliance across several Member States, and the agreement on joint activities must be made public.

Sweeps are simultaneous coordinated control actions for particular products or product categories to check compliance or detect infringements.

They may include inspections of products acquired under a cover identity. Unless the participating authorities agree otherwise, sweeps are coordinated by the Commission, and ENISA may propose categories of products for which sweeps should be organised.

Yes.

Authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods. ADCO must publish relevant statistics, including average support periods, and may issue recommendations to focus surveillance on product categories where support periods appear inadequate.

Yes.

The CRA protects intellectual property, confidential business information, trade secrets, source code, the effectiveness of inspections and investigations, public and national security interests, and the integrity of criminal or administrative proceedings. Information exchanged confidentially between authorities and the Commission is also protected against onward disclosure without the originating authority's agreement.

Member States must lay down the national penalty rules, but Article 64 sets Union-level caps for certain infringements.

The highest cap applies to non-compliance with Annex I and with Articles 13 and 14: up to EUR 15 000 000 or, for an undertaking, up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Article 64 also sets lower caps for other listed obligations and for supplying incorrect, incomplete, or misleading information.

Yes.

The CRA expressly allows administrative fines, depending on the circumstances, to be imposed in addition to other corrective or restrictive measures applied for the same infringement.

Yes.

Supplying incorrect, incomplete, or misleading information to notified bodies or market-surveillance authorities in reply to a request has its own fine category, with a cap of up to EUR 5 000 000 or, for an undertaking, up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Yes.

They must report the outcomes of relevant market-surveillance activities to the Commission on an annual basis. They must also report without delay any information identified during market-surveillance activities that may be of potential interest for the application of Union competition law.

No.

The CRA uses different enforcement routes depending on the problem. Article 54, together with Article 55, covers products that present a significant cybersecurity risk and are found non-compliant. Article 57 covers products that comply with the CRA but still present the additional risks listed there. Article 58 covers formal non-compliance such as missing or incorrect CE-marking, declaration, or technical-documentation elements.

Yes.

Article 54(6) requires the notifying authority to include the arguments put forward by the relevant economic operator. Article 54(8) also preserves the operator's procedural rights under Regulation (EU) 2019/1020, and Article 55(1) requires the Commission to consult the relevant economic operator during the Union safeguard procedure. The Blue Guide likewise explains that safeguard decisions are binding legal measures and can be subject to appeal under the applicable framework.

Yes.

Article 59(4) expressly allows a market-surveillance authority to use information obtained through joint activities as part of any investigation it undertakes. So joint activities are not limited to one-off coordination exercises with no later evidentiary value.

Yes.

Article 60 says sweeps may include inspections of products acquired under a cover identity. It also says that, when conducting sweeps, market-surveillance authorities may use the investigation powers in Articles 52 to 58 and any additional powers conferred by national law. They may also invite Commission officials and other persons authorised by the Commission to participate.

Yes.

Article 13(25) allows ADCO to decide to conduct a Union-wide dependency assessment for specific categories of products with digital elements. For that purpose, market-surveillance authorities may request manufacturers of those categories to provide the relevant SBOMs. The authorities may then provide ADCO only anonymised and aggregated information about software dependencies.

Yes.

Article 52(12) requires market-surveillance authorities to facilitate, where relevant, cooperation with relevant stakeholders, including scientific, research, and consumer organisations.