Summary
The EU Cyber Resilience Act (CRA) establishes a framework for reporting mechanisms and penalties for non-compliance at the national level, ensuring accountability and enforcement across different jurisdictions.
Relevant CRA Provisions
Detailed Explanation
The CRA mandates that each Member State establish rules on penalties for infringements of the Regulation. These penalties must be effective, proportionate, and dissuasive. The Regulation specifies different levels of administrative fines for different types of non-compliance, including failure to meet the essential cybersecurity requirements and the associated obligations, and the provision of incorrect information to notified bodies and market surveillance authorities. The amount of a fine is determined by considering factors such as the nature, gravity, and duration of the infringement, any previous fines for similar infringements, and the size of the economic operator. Certain entities, namely microenterprises, small enterprises, and open-source software stewards, are exempt from certain fines.
Obligations for Stakeholders
Member States: Must lay down rules on penalties for infringements and notify the Commission of these rules. They must also ensure that market surveillance authorities can impose administrative fines and communicate these to other Member States.
Market Surveillance Authorities: Responsible for imposing administrative fines and ensuring that these are communicated to other Member States through the information and communication system.
Economic Operators: Subject to administrative fines for non-compliance with the CRA, with specific exemptions for microenterprises, small enterprises, and open-source software stewards in certain cases.