Summary

The Cyber Resilience Act (CRA) mandates that national authorities play a crucial role in enforcing compliance, imposing penalties, and ensuring effective enforcement across different jurisdictions. This includes designating market surveillance authorities, conducting market surveillance activities, imposing administrative fines, and facilitating cooperation between authorities.

Relevant CRA Provisions

Recitals: Recital (107), Recital (109), Recital (120)

Articles: Article 36, Article 37, Article 51, Article 52, Article 60, Article 64

Detailed Explanation

The CRA establishes a framework for national authorities to enforce compliance with cybersecurity requirements for products with digital elements. Each Member State must designate market surveillance authorities responsible for monitoring compliance, conducting market surveillance activities, and imposing administrative fines for non-compliance. These authorities must cooperate with each other and with other relevant bodies, such as national cybersecurity certification authorities and Computer Security Incident Response Teams (CSIRTs). The CRA also sets out the maximum levels for administrative fines and the criteria for determining their amount, ensuring that penalties are effective, proportionate, and dissuasive. Certain entities, such as microenterprises, small enterprises, and open-source software stewards, are exempt from certain fines.

Obligations for Stakeholders

  • Market Surveillance Authorities: Must be designated by each Member State to ensure compliance with the CRA, conduct market surveillance activities, impose administrative fines, and cooperate with other authorities.
  • Notifying Authorities: Must be established to assess, designate, and notify conformity assessment bodies, ensuring no conflict of interest and maintaining objectivity and impartiality.
  • Economic Operators: Must cooperate with market surveillance authorities and other competent authorities, providing necessary information and taking corrective actions when required.
  • Open-Source Software Stewards: Must comply with specific obligations under the CRA, though they are exempt from certain administrative fines.