Role of National Cybersecurity Authorities under the EU Cyber Resilience Act (CRA)

Summary

National cybersecurity authorities play a crucial role in enforcing the EU Cyber Resilience Act (CRA) by conducting market surveillance, coordinating with other authorities, and ensuring compliance with cybersecurity requirements for products with digital elements.

Relevant CRA Provisions

Recitals: Recital 113, Recital 107, Recital 69

Articles: Article 59, Article 54

Detailed Explanation

The CRA empowers national cybersecurity authorities to perform several key functions:

  • Market Surveillance: Authorities are responsible for monitoring and evaluating the cybersecurity compliance of products with digital elements within their jurisdiction (Recital 107).
  • Joint Activities: Authorities can collaborate with other relevant bodies to conduct joint market surveillance activities, especially when there are indications of non-compliance across multiple Member States (Recital 113, Article 59).
  • Reporting and Notification: Authorities must establish mechanisms for manufacturers to report cybersecurity incidents and vulnerabilities. ENISA is tasked with managing a single reporting platform to facilitate these notifications (Recital 69).
  • Enforcement Actions: When a product is found to present a significant cybersecurity risk, authorities can require economic operators to take corrective actions, such as recalls or market withdrawals. They must also inform the Commission and other Member States of any significant non-compliance (Article 54).

Obligations for Stakeholders

Stakeholders, including manufacturers, distributors, and importers, must:

  • Cooperate fully with national cybersecurity authorities during market surveillance and enforcement actions.
  • Take appropriate corrective actions when non-compliance is identified.
  • Use the single reporting platform managed by ENISA to notify authorities of any cybersecurity incidents or vulnerabilities.