Use this CRA FAQ to understand how Member State market-surveillance authorities enforce the Cyber Resilience Act, when corrective action, withdrawal, recall, or restrictions can be required, and how safeguard procedures, sweeps, documentation access, confidentiality, and penalties fit together.
Built for legal, compliance, certification, regulatory, security, and product teams preparing evidence and response controls for CRA enforcement questions.
Structured answer sets in this page tree.
Cited legal and guidance references.
The Cyber Resilience Act uses the EU market-surveillance framework in Regulation (EU) 2019/1020 and adds CRA-specific procedures for products with digital elements. This FAQ explains who enforces the CRA, how investigations and corrective action work, when withdrawal, recall, or restrictions can be used, what evidence authorities can request, and where penalties are actually specified.
Member States do, through their designated market surveillance authorities.
The CRA requires each Member State to designate one or more market surveillance authorities, and it makes the general Union market-surveillance framework in Regulation (EU) 2019/1020 applicable to products within the CRA's scope.
Article 52(1)-(2) applies Regulation (EU) 2019/1020 and requires Member States to designate CRA market-surveillance authorities.
Research Copilot helps teams keep CRA market-surveillance sources, technical-documentation evidence, corrective-action records, and authority-response work in one cited workspace.
Organise CRA articles, official guidance, product evidence, authority requests, and corrective-action records in a cited research workspace.
Review CRA evidence gaps, documentation access controls, and response steps before a market-surveillance request or corrective-action decision.
No.
The CRA uses the existing Union market-surveillance framework rather than creating a completely standalone enforcement system. Article 52(1) expressly makes Regulation (EU) 2019/1020 applicable to products with digital elements covered by the CRA.
Article 52(1) makes the EU market-surveillance framework apply to CRA products with digital elements.
For those products, the market-surveillance authorities designated under the AI Act are responsible for the CRA market-surveillance activities.
They still have to cooperate, as appropriate, with the market-surveillance authorities designated under the CRA and, for Article 14 reporting supervision, with the CSIRTs designated as coordinators and ENISA.
Article 52(14) assigns CRA market surveillance for high-risk AI systems to the AI Act market-surveillance authorities, with cooperation duties.
Yes.
The authorities designated under Article 52 are also responsible for market-surveillance activities relating to the obligations imposed on open-source software stewards under Article 24. If a steward is non-compliant, the authority must require appropriate corrective action.
Articles 24 and 52(3) place open-source software steward obligations within the CRA market-surveillance remit.
Yes.
The CRA requires cooperation, where relevant, with national cybersecurity certification authorities, CSIRTs designated as coordinators, ENISA, market-surveillance authorities under other Union product laws, and authorities supervising Union data-protection law.
Article 52(4)-(7) sets cooperation duties with certification, CSIRT, ENISA, product-law, and data-protection authorities.
Yes.
The CRA requires authorities to inform consumers where to submit complaints indicating possible non-compliance and where and how to access mechanisms for reporting vulnerabilities, incidents, and cyber threats affecting products with digital elements. Because the CRA applies the Union market-surveillance framework in Regulation (EU) 2019/1020, the Blue Guide also states that complaints must be followed up appropriately and that consumer complaints, media reports, incidents, and similar information can feed the authorities' risk-based choice of online and offline checks.
But a complaint or report does not by itself establish infringement. Any corrective or restrictive measure still has to rest on the legal findings required under the CRA procedures.
Article 52(11) requires consumer complaint and vulnerability-reporting information; Articles 54, 57 and 58 govern resulting measures.
Sections 7.3.3 and 7.4.1 explain complaint follow-up and risk-based market-surveillance checks.
Yes.
The CRA expressly allows market-surveillance authorities to provide guidance and advice to economic operators on implementation, with support from the Commission and, where appropriate, CSIRTs and ENISA.
Article 52(10) allows market-surveillance authorities to provide implementation guidance and advice to economic operators.
A national authority can open the Article 54 procedure where it has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk.
The evaluation concerns compliance with all CRA requirements, not just one suspected defect.
Article 54(1) sets the significant-cybersecurity-risk trigger for a national evaluation.
Yes.
When determining the significance of a cybersecurity risk, authorities must also consider non-technical risk factors, in particular those identified through Union-level coordinated security risk assessments of critical supply chains under NIS 2.
Articles 54(2) and 56(2) require non-technical risk factors to be considered when assessing significant cybersecurity risk.
They must cooperate with the market-surveillance authority as necessary.
The CRA also allows authorities to request technical support from a CSIRT designated as coordinator or from ENISA when implementing or enforcing the Regulation and when evaluating compliance under Article 54.
Articles 52(5) and 54(1) support technical assistance requests and require economic-operator cooperation.
Yes.
On a reasoned request, authorities must be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. The documentation must be accessible in a language easily understood by the authority.
Article 53 gives authorities access, on reasoned request, to data and internal documentation needed to assess conformity.
Section 4.1.8 explains the risk-assessment and technical-documentation material kept for market-surveillance review.
Yes, where they need that documentation for the fulfilment of their own tasks.
Article 52(7) gives authorities supervising Union data-protection law the power to request and access documentation created or maintained under the CRA, while also requiring them to inform the designated CRA market-surveillance authorities of the Member State concerned.
Article 52(7) gives data-protection supervisory authorities access to CRA documentation when needed for their tasks.
Not necessarily.
The Commission FAQ says authorities may consider using the same methodology as the manufacturer, especially where that methodology is part of a harmonised standard supporting the CRA, but they may use a different methodology on a justified basis.
Section 6.5 addresses how market-surveillance testing methodology can relate to the manufacturer methodology.
It can require the relevant economic operator to bring the product into compliance, withdraw it from the market, or recall it.
The deadline must be reasonable and proportionate to the nature of the cybersecurity risk.
Article 54(1) lists corrective action, withdrawal, and recall after a finding of CRA non-compliance.
No.
If the product has been made available across the Union, the economic operator must ensure that appropriate corrective action is taken for all affected products throughout the Union.
Article 54(3)-(4) requires Union-wide corrective action for affected products when non-compliance is not confined nationally.
The national authority must take appropriate provisional measures itself.
Those measures can include prohibiting or restricting the product from being made available on the national market, withdrawing it, or recalling it. The authority must then notify the Commission and the other Member States without delay.
Article 54(5)-(6) governs national provisional restrictions, withdrawal, recall, and notification to the Commission and Member States.
If no Member State and the Commission object within three months after the Article 54(5) notification, the measure is deemed justified.
That deeming rule does not prejudice the economic operator's procedural rights under Regulation (EU) 2019/1020.
Article 54(8)-(9) sets the three-month no-objection rule and follow-up restrictive measures.
It is the Commission review process that applies when another Member State objects to a notified national measure or when the Commission considers that measure contrary to Union law.
The Commission must consult the relevant Member State and the economic operator, evaluate the national measure, and decide within nine months from the Article 54(5) notification whether the measure is justified.
Article 55(1)-(2) sets Commission consultation, evaluation, decision timing, and follow-up for objected national measures.
The safeguard procedure still applies, but the Commission may also need to act on the conformity tool itself.
If the justified national measure is linked to shortcomings in a harmonised standard, the Commission applies the standards safeguard procedure. If it is linked to shortcomings in a European cybersecurity certification scheme or in common specifications, the Commission must consider whether to amend or repeal the CRA act that gave that tool presumption-of-conformity effect.
Articles 54(6)(b) and 55(3)-(5) address shortcomings in harmonised standards, certification schemes, and common specifications.
Yes.
Article 57 covers products that are compliant with the CRA but still present a significant cybersecurity risk together with a risk to health or safety, fundamental-rights compliance, the availability, authenticity, integrity or confidentiality of services offered by essential entities, or other aspects of public-interest protection.
Article 57(1)-(5) covers compliant CRA products that still present listed significant cybersecurity and public-interest risks.
Yes.
If immediate intervention is justified to preserve the proper functioning of the internal market, and effective national measures have not been taken, the Commission may carry out its own evaluation, may request ENISA analysis, and may adopt Union-level implementing acts requiring corrective or restrictive measures, including withdrawal or recall.
The CRA provides this type of Union-level intervention both for non-compliant products that present a significant cybersecurity risk and for compliant products that still present the risks covered by Article 57.
Articles 56(3)-(7) and 57(6)-(10) allow Union-level intervention when immediate internal-market action is justified.
They support enforcement, but they are not the primary market-surveillance authorities.
Authorities may ask CSIRTs designated as coordinators or ENISA for technical advice and compliance-support analysis. ENISA can also propose joint activities and identify product categories for sweeps.
Articles 52, 56, 57, 59 and 60 support CSIRT and ENISA technical advice, analysis, joint-activity proposals, and sweep proposals.
No.
The CRA still allows market-surveillance authorities to investigate, require corrective action, adopt restrictive measures, and address formal non-compliance. Where an Article 54 investigation leads to corrective action, the authority must also inform the relevant notified body.
Articles 54, 57 and 58 preserve market-surveillance action even where conformity-assessment evidence exists.
It covers certain documentary or marking failures even before the authority proves a deeper substantive breach of Annex I.
Article 58 lists the relevant cases: CE marking missing or wrongly affixed, the EU declaration of conformity missing or incorrect, the notified-body identification number missing where required, or technical documentation unavailable or incomplete.
Article 58(1) lists CRA formal non-compliance findings for CE marking, declarations, notified-body numbers, and technical documentation.
The Member State concerned must take appropriate measures to restrict or prohibit the product from being made available on the market or to ensure that it is recalled or withdrawn.
Article 58(2) requires restrictions, prohibition, recall, or withdrawal when formal non-compliance persists.
They are coordinated actions that market-surveillance authorities may carry out with other relevant authorities for specific products or categories of products, especially where those products are often found to present cybersecurity risks.
The Commission or ENISA may propose joint activities based on indications of potential non-compliance across several Member States, and the agreement on joint activities must be made public.
Article 59 defines CRA joint activities and their publication, competition, and later-use safeguards.
Sweeps are simultaneous coordinated control actions for particular products or product categories to check compliance or detect infringements.
They may include inspections of products acquired under a cover identity. Unless the participating authorities agree otherwise, sweeps are coordinated by the Commission, and ENISA may propose categories of products for which sweeps should be organised.
Article 60 defines simultaneous coordinated control actions and sweep coordination.
Yes.
Authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods. ADCO must publish relevant statistics, including average support periods, and may issue recommendations to focus surveillance on product categories where support periods appear inadequate.
Article 52(16) requires monitoring of support-period criteria and allows ADCO recommendations for surveillance focus.
Yes.
The CRA protects intellectual property, confidential business information, trade secrets, source code, the effectiveness of inspections and investigations, public and national security interests, and the integrity of criminal or administrative proceedings. Information exchanged confidentially between authorities and the Commission is also protected against onward disclosure without the originating authority's agreement.
Article 63 protects confidential information, source code, investigations, security interests, and proceedings.
Member States must lay down the national penalty rules, but Article 64 sets Union-level caps for certain infringements.
The highest cap applies to non-compliance with Annex I and with Articles 13 and 14: up to EUR 15 000 000 or, for an undertaking, up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Article 64 also sets lower caps for other listed obligations and for supplying incorrect, incomplete, or misleading information.
Article 64(1)-(4) sets Member State penalty rules and Union-level administrative-fine caps for listed infringements.
Yes.
The CRA expressly allows administrative fines, depending on the circumstances, to be imposed in addition to other corrective or restrictive measures applied for the same infringement.
Article 64(9) allows administrative fines in addition to corrective or restrictive measures.
Yes.
Supplying incorrect, incomplete, or misleading information to notified bodies or market-surveillance authorities in reply to a request has its own fine category, with a cap of up to EUR 5 000 000 or, for an undertaking, up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Article 64(4) sets a separate fine category for incorrect, incomplete, or misleading replies to authorities or notified bodies.
Yes.
They must report the outcomes of relevant market-surveillance activities to the Commission on an annual basis. They must also report without delay any information identified during market-surveillance activities that may be of potential interest for the application of Union competition law.
Article 52(13) requires annual market-surveillance reporting and competition-law information reporting.
No.
The CRA uses different enforcement routes depending on the problem. Article 54, together with Article 55, covers products that present a significant cybersecurity risk and are found non-compliant. Article 57 covers products that comply with the CRA but still present the additional risks listed there. Article 58 covers formal non-compliance such as missing or incorrect CE-marking, declaration, or technical-documentation elements.
Articles 54, 55, 57 and 58 distinguish non-compliant-risk, compliant-risk, safeguard, and formal non-compliance tracks.
Yes.
Article 54(6) requires the notifying authority to include the arguments put forward by the relevant economic operator. Article 54(8) also preserves the operator's procedural rights under Regulation (EU) 2019/1020, and Article 55(1) requires the Commission to consult the relevant economic operator during the Union safeguard procedure. The Blue Guide likewise explains that safeguard decisions are binding legal measures and can be subject to appeal under the applicable framework.
Articles 54(6), 54(8), and 55(1) require operator arguments, preserve procedural rights, and require Commission consultation.
Section 7.6.2 explains procedural safeguards and the reasons that must support national measures.
Yes.
Article 59(4) expressly allows a market-surveillance authority to use information obtained through joint activities as part of any investigation it undertakes. So joint activities are not limited to one-off coordination exercises with no later evidentiary value.
Article 59(4) permits market-surveillance authorities to use joint-activity information in later investigations.
Yes.
Article 60 says sweeps may include inspections of products acquired under a cover identity. It also says that, when conducting sweeps, market-surveillance authorities may use the investigation powers in Articles 52 to 58 and any additional powers conferred by national law. They may also invite Commission officials and other persons authorised by the Commission to participate.
Article 60(1), (4), and (5) supports cover-identity inspections, investigation powers, and Commission participation in sweeps.
Yes.
Article 13(25) allows ADCO to decide to conduct a Union-wide dependency assessment for specific categories of products with digital elements. For that purpose, market-surveillance authorities may request manufacturers of those categories to provide the relevant SBOMs. The authorities may then provide ADCO only anonymised and aggregated information about software dependencies.
Article 13(25) allows ADCO dependency assessments and SBOM requests for specific product categories.
Yes.
Article 52(12) requires market-surveillance authorities to facilitate, where relevant, cooperation with relevant stakeholders, including scientific, research, and consumer organisations.
Article 52(12) requires relevant stakeholder cooperation, including scientific, research, and consumer organisations.
"must state the exact grounds"
"scientific, research and consumer organisations"
"may use a different methodology"