CRA Market Surveillance — Authorities Check

Three pillars of CRA market surveillance

Art. 53

Reasoned-request right of access to design / dev / production / vulnerability-handling data

Art. 54

National procedure for significant cybersecurity risk — corrective action, recall, withdrawal

Art. 60

Sweeps — simultaneous coordinated control actions, inspections under cover identity

What the market surveillance authority actually does

These are the operational powers the regulation grants the national market surveillance authority. Read in conjunction with Regulation (EU) 2019/1020.

Designation and scope (Article 52)

Each Member State designates one or more market surveillance authorities. Member States can use existing or new authorities, including NIS2 competent authorities (Dir. (EU) 2022/2555 Art. 8) or the national cybersecurity certification authority under Reg (EU) 2019/881 Art. 58. The authority also supervises open-source software stewards (Art. 52(3)).

Access to data and documentation (Article 53)

On reasoned request, market surveillance authorities are granted access — in a language easily understood by them — to the data required to assess design, development, production and vulnerability handling, including related internal documentation. They can demand the Annex VII technical documentation and, on reasoned request, the SBOM (Annex VII, point 8).

National procedure for significant risk (Article 54)

On sufficient reason to consider a product presents a significant cybersecurity risk, the authority — in cooperation with the relevant CSIRT where appropriate — evaluates compliance. On finding non-compliance, it requires corrective action, withdrawal or recall within a reasonable period. Non-technical risk factors (Art. 54(2)) are taken into account, including outcomes of Union-level coordinated risk assessments under Art. 22 of NIS2.

Union safeguard procedure (Article 55)

Where Member States or the Commission disagree on a national measure, or the Commission considers it contrary to Union law, the Commission consults the Member State and operators and decides within nine months whether the national measure is justified. If shortcomings in harmonised standards or common specifications are the cause, separate procedures apply (Art. 55(3)–(5)).

Union-level procedure for significant risk (Article 56)

On sufficient reason, including information from ENISA, the Commission can require national authorities to act. In exceptional circumstances justifying immediate intervention to preserve the internal market, the Commission can adopt corrective or restrictive measures at Union level by implementing act — including Union-wide withdrawal or recall (Art. 56(5)).

Compliant products with significant risk (Article 57)

Even a product compliant with the CRA can present a significant cybersecurity risk plus a risk to health/safety, fundamental rights, services offered by NIS2 essential entities, or other public interest. The authority can still require corrective action, withdrawal or recall. Notification to the Commission and other Member States is immediate.

Formal non-compliance (Article 58)

Six explicit failure points: (a) CE marking affixed in violation of Articles 29–30, (b) CE marking not affixed, (c) EU declaration of conformity not drawn up, (d) EU DoC drawn up incorrectly, (e) notified-body identification number not affixed where applicable, (f) technical documentation not available or not complete. Authority requires the manufacturer to put an end to the non-compliance; if it persists, withdrawal / recall / prohibition.

Joint activities (Article 59)

Market surveillance authorities may agree with other relevant authorities to carry out joint activities. The Commission or ENISA may propose joint activities based on cross-border non-compliance indications. Information obtained during joint activities can be used in subsequent investigations (Art. 59(4)).

Sweeps (Article 60)

Simultaneous coordinated control actions across Member States. May include inspections of products acquired under a cover identity. Coordinated by the Commission unless authorities agree otherwise; ENISA may propose product categories for sweeps based on Article 14 notifications received. Aggregated results may be made publicly available.

ADCO (Article 52(15))

The administrative cooperation group for the cyber resilience of products with digital elements is established under Article 30(2) of Reg (EU) 2019/1020. Composed of representatives of designated market surveillance authorities and, if appropriate, single liaison offices. Also addresses specific matters related to the obligations placed on open-source software stewards. Issues guidance on support periods (Art. 13(8) fourth subpara, Art. 52(16)).

Common mistakes

❌

DOCS-NOT-READY

“If they ask, we will compile the documentation”

Article 53 grants access on reasoned request — in a language easily understood by the authority. Article 58(f) makes ‘technical documentation not available or not complete’ a formal non-compliance. The dossier must already exist and be retrievable in 10-year retention (Art. 13(13)). Compiling reactively is itself the offence.

❌

SINGLE-MARKET ASSUMPTION

“We will only deal with one national authority”

Articles 54(3), 55, 56, 59 and 60 create a tightly coordinated cross-Member-State regime. Sweeps (Art. 60) are coordinated by the Commission, propagating findings across Member States simultaneously. Art. 64(6) cross-communicates fines via the Reg (EU) 2019/1020 information system.

❌

COMPLIANT-PRODUCT IMMUNITY

“Our product complies, so we are immune to enforcement”

Article 57 explicitly allows enforcement against COMPLIANT products that nonetheless present a significant cybersecurity risk plus a risk to health/safety, fundamental rights, NIS2-essential-entity services, or other public interest. Compliance is necessary, not sufficient.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Is it a hardware or software product (or component) with digital elements?

Art. 3(1) — “product with digital elements”

Can it connect directly or indirectly to a device or network?

Art. 2(1) — logical or physical data connection

Will it be placed or made available on the EU market in the course of a commercial activity?

Art. 3(21)(22) + Recital 15

Is it NOT excluded? (not a medical device, not a motor vehicle, not certified aviation, not marine equipment, not national security/defence-only, not a spare part)

Art. 2(2)–(7)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

📖 MARKET SURVEILLANCE READINESS AUDIT BY COUNSEL

€10,000–€40,000

Pre-emptive audit checking that the Annex VII technical documentation, the EU DoC, the CVD policy and the support-period information are all retrievable, complete and in the right languages.

CRACHECK — SAME OUTPUT

€149

CRACheck delivers the dossier the authority will ask for under Article 53: Annex VII technical documentation, EU DoC (Annex V), CVD policy (Annex I Part II point 5), risk assessment, user information (Annex II), SBOM template. Plus 10-year archivable PDFs.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

What can a market surveillance authority demand from me?

Article 53: ‘Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.’ The Annex VII technical documentation and SBOM (Annex VII point 8) are explicit targets.

What is a sweep under Article 60?

Simultaneous coordinated control actions by market surveillance authorities across Member States, targeting particular products with digital elements or categories of them, to check compliance or detect infringements. Sweeps may include inspections of products acquired under a cover identity. They are typically coordinated by the Commission. ENISA may propose categories for sweeps based on notifications received under Article 14. Aggregated results may be made publicly available (Art. 60(2)).

Can authorities act on a product that complies with the CRA?

Yes, under Article 57. If a product compliant with the regulation nonetheless presents a significant cybersecurity risk plus a risk to (a) health/safety of persons; (b) compliance with Union or national law intended to protect fundamental rights; (c) availability, authenticity, integrity or confidentiality of services offered by NIS2 essential entities (Art. 3(1) of Dir. (EU) 2022/2555); or (d) other aspects of public interest, the authority can still require corrective measures, withdrawal or recall. The Commission then evaluates whether the national measure is justified.

Does my support-period decision get reviewed?

Yes, by ADCO. Article 13(8) fourth subparagraph allows the Commission to adopt delegated acts specifying minimum support periods for specific product categories where market surveillance data suggest inadequate support periods. Article 52(16) requires market surveillance authorities to monitor how manufacturers apply the criteria of Article 13(8), and ADCO publishes statistics on average support periods per category and may issue recommendations to authorities to focus activities on categories with inadequate support.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

What CRA market surveillance authorities check: powers under Articles 52 to 60 of Regulation (EU) 2024/2847, plus the ADCO group, the sweeps regime under Article 60, and the data-access right under Article 53