Summary

The Cyber Resilience Act (CRA) emphasizes the importance of cooperation between national authorities and the European Union Agency for Cybersecurity (ENISA) to enhance the implementation and enforcement of cybersecurity measures across member states. This cooperation is crucial for ensuring a coordinated approach to cybersecurity, leveraging ENISA’s expertise and resources to support national authorities in their efforts to protect consumers and maintain the integrity of the digital market.

Relevant CRA Provisions

Recitals: Recital 73, Recital 115, Recital 69, Recital 116, Recital 72

Articles: Article 59, Article 17

Detailed Explanation

The CRA establishes a framework for cooperation between national authorities and ENISA to enhance cybersecurity across the EU. Recital (73) highlights the need for ENISA to consult with other Union institutions or agencies managing platforms with stringent security requirements, such as eu-LISA, to benefit from past experiences. Recital (115) emphasizes ENISA’s role in supporting the implementation of the CRA, including proposing joint activities for market surveillance authorities and conducting evaluations in exceptional circumstances where significant cybersecurity risks are identified. Recital (69) mandates the establishment of a single reporting platform by ENISA, managed with national electronic notification end-points, to ensure quick dissemination of notifications to relevant CSIRTs and manufacturers. Recital (116) underscores the need for appropriate resources for ENISA to effectively carry out its tasks under the CRA. Recital (72) encourages Member States to provide national single entry points for reporting requirements to simplify the reporting process and reduce administrative burdens.

Article 59 allows market surveillance authorities to conduct joint activities with other relevant authorities to ensure cybersecurity, with proposals for such activities coming from the Commission or ENISA based on indications of potential non-compliance. Article 17 outlines ENISA’s role in submitting information to the EU-CyCLONe network, preparing biennial technical reports on cybersecurity risks, and adding known vulnerabilities to the European vulnerability database after security updates are available.

Obligations for Stakeholders

  • ENISA: Must establish and manage the single reporting platform, consult with other Union institutions, support market surveillance authorities, conduct evaluations in exceptional circumstances, and prepare technical reports on cybersecurity risks.
  • Market Surveillance Authorities: May conduct joint activities with other authorities to ensure cybersecurity, while ensuring that such activities do not lead to unfair competition and while maintaining objectivity, independence, and impartiality.
  • Manufacturers: Required to notify ENISA and the designated CSIRT of actively exploited vulnerabilities and severe incidents via the single reporting platform. They may also voluntarily notify ENISA or the CSIRT of other vulnerabilities, cyber threats, incidents, or near misses.
  • Member States: Encouraged to provide national single entry points for reporting requirements to simplify the reporting process and reduce administrative burdens.