Summary

This article outlines the critical role of national authorities in enforcing the EU Cyber Resilience Act (CRA), focusing on their responsibilities and powers in market surveillance, compliance checks, and ensuring adherence to cybersecurity standards.

Relevant CRA Provisions

• Recital (107)
• Article 36
• Article 37
• Article 39
• Article 51
• Article 52
• Article 60
• Article 63

Detailed Explanation

National authorities play a crucial role in the enforcement of the CRA. They are responsible for designating notifying authorities and market surveillance authorities, ensuring these bodies function impartially and effectively. Notifying authorities are tasked with assessing, designating, and monitoring conformity assessment bodies, ensuring they meet specific requirements and operate without conflicts of interest. Market surveillance authorities conduct market surveillance activities, including coordinated control actions (sweeps) to check compliance with the CRA. They also cooperate with other authorities and stakeholders to ensure comprehensive enforcement of cybersecurity standards.

Obligations for Stakeholders

National Authorities: Must designate and monitor notifying and market surveillance authorities, ensure coordination between notified bodies, and facilitate cooperation between market surveillance authorities across Member States.

Notifying Authorities: Must be established to avoid conflicts of interest, function impartially, ensure decisions are made by competent personnel, refrain from offering services that conformity assessment bodies perform, safeguard confidentiality, and have sufficient competent personnel.

Market Surveillance Authorities: Must conduct market surveillance, including sweeps, cooperate with other authorities, provide guidance to economic operators, inform consumers of complaint mechanisms, and ensure compliance with cybersecurity standards. They must also respect confidentiality of information obtained during their tasks.

Conformity Assessment Bodies: Must be independent, have necessary technical competence, ensure impartiality, take out liability insurance, observe professional secrecy, and participate in standardisation activities.