Article 54 Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

Summary What does Article 54 of the CRA regulation say?

This article sets out the enforcement procedure that market surveillance authorities must follow when they have sufficient reason to believe a product with digital elements presents a significant cybersecurity risk.

It establishes a clear escalation path: from initial evaluation and requiring corrective action from the economic operator, through to provisional market restrictions if corrective action is not taken, and ultimately to cross-border notification obligations when non-compliance extends beyond a single Member State.

The article connects directly to Article 55, which governs what happens when Member States or the Commission contest the national measures taken under this article.

Important points:

Market surveillance authorities are required to carry out a full compliance evaluation of a product they suspect presents a significant cybersecurity risk, and must also consider non-technical risk factors, including those arising from Union-level coordinated security risk assessments of critical supply chains.
Ensure corrective action covers all products made available throughout the Union, not just within the territory of the Member State that initiated the evaluation.
Where no objection is raised by another Member State or the Commission within three months of notification of a provisional measure, that measure is deemed to be justified.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

1. Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate with the market surveillance authority as necessary.
2. Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the cybersecurity risk, as the market surveillance authority may prescribe.
3. The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.
1. When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, the market surveillance authorities shall also consider non-technical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.
1. Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.
1. The economic operator shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements concerned that it has made available on the market throughout the Union.
1. Where the economic operator does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product with digital elements from being made available on its national market, to withdraw it from that market or to recall it.
2. That authority shall notify the Commission and the other Member States, without delay, of those measures.
1. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements, the origin of that product with digital elements, the nature of the alleged non-compliance and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authority shall indicate whether the non-compliance is due to one or more of the following:
  1. a failure of the product with digital elements or of the processes put in place by the manufacturer to meet the essential cybersecurity requirements set out in Annex I;
  2. shortcomings in the harmonised standards, European cybersecurity certification schemes or common specifications, as referred to in Article 27.
1. The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements concerned, and, in the event of disagreement with the notified national measure, of their objections.
1. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed to be justified. This is without prejudice to the procedural rights of the economic operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
1. The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product with digital elements concerned, such as withdrawal of that product from their market, without delay.

Relevant recitals

Recital 52 Security of 5G networks and supply chain assessments of NIS 2

In order to improve the security of products with digital elements placed on the internal market it is necessary to lay down essential cybersecurity requirements applicable to such products. Those essential cybersecurity requirements should be without prejudice to the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, which take into account both technical and, where relevant, non-technical risk factors, such as undue influence by a third country on suppliers. Furthermore, they should be without prejudice to the Member States’ prerogative to lay down additional requirements that take account of non-technical factors for the purpose of ensuring a high level of resilience, including those defined in Commission Recommendation (EU) 2019/534(²³), in the EU coordinated risk assessment of the cybersecurity of 5G networks and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

Recital 111 Restricting or forbidding the free movement of a product with digital elements

In certain cases, a product with digital elements which complies with this Regulation can nonetheless present a significant cybersecurity risk or pose a risk to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights, to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 or to other aspects of public interest protection. Therefore it is necessary to establish rules which ensure mitigation of those risks. As a result, market surveillance authorities should take measures to require the economic operator to ensure that the product no longer presents that risk, or to recall or withdraw it, depending on the risk. As soon as a market surveillance authority restricts or forbids the free movement of a product with digital elements in such way, the Member State should notify without delay the Commission and the other Member States of the provisional measures, indicating the reasons and justification for the decision. Where a market surveillance authority adopts such measures against products with digital elements presenting a risk, the Commission should enter into consultation with the Member States and the relevant economic operator or operators without delay and should evaluate the national measure. On the basis of the results of this evaluation, the Commission should decide whether the national measure is justified or not. The Commission should address its decision to all Member States and immediately communicate it to them and the relevant economic operator or operators. If the measure is considered to be justified, the Commission should also consider whether to adopt proposals to revise the relevant Union law.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.