Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 55 Union safeguard procedure
Summary What does Article 55 of the CRA regulation say?
This article acts as a direct continuation of Article 54, kicking in specifically when a Member State objects to another Member State's market measure, or when the Commission believes that measure conflicts with Union law.
It establishes a dispute resolution and escalation mechanism, placing the Commission at the centre as the arbiter.
The Commission must consult with the relevant parties and reach a decision on whether the national measure is justified within nine months of the original notification.
Importantly, if the non-compliance that triggered the measure turns out to stem from flaws in the underlying technical standards or certification schemes, the article directs the Commission to address those root causes through the appropriate regulatory channels.
Important points:
- The Commission is required to evaluate disputed national market measures and decide on their justification within nine months of the original notification under Article 54.
- If a national measure is found justified, all Member States must withdraw the non-compliant product from their markets; if not justified, the Member State that imposed it must withdraw the measure.
- Where justified non-compliance is traced back to shortcomings in harmonised standards, cybersecurity certification schemes, or common specifications, the Commission must take steps to address those underlying deficiencies.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Where, within three months of receipt of the notification referred to in Article 54(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and the economic operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within nine months from the notification referred to in Article 54(5) and notify that decision to the Member State concerned.
If the national measure is considered to be justified, all Member States shall take the measures necessary to ensure that the non-compliant product with digital elements is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is not considered to be justified, the Member State concerned shall withdraw the measure.
Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in the harmonised standards, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.
Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in a European cybersecurity certification scheme as referred to in Article 27, the Commission shall consider whether to amend or repeal any delegated act adopted pursuant to Article 27(9) that specifies the presumption of conformity concerning that certification scheme.
Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in common specifications as referred to in Article 27, the Commission shall consider whether to amend or repeal any implementing act adopted pursuant to Article 27(2) setting out those common specifications.
Relevant recitals
Recital 110 Union safeguard procedure
In order to ensure timely, proportionate and effective measures in relation to products with digital elements presenting a significant cybersecurity risk, a Union safeguard procedure under which interested parties are informed of measures intended to be taken with regard to such products should be provided for. This should also allow market surveillance authorities, in cooperation with the relevant economic operators, to act at an earlier stage where necessary. Where the Member States and the Commission agree as to the justification of a measure taken by a Member State, no further involvement of the Commission should be required, except where non-compliance can be attributed to shortcomings of a harmonised standard.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
importer
Definition
economic operator
Definition
component
Definition
cybersecurity
Definition
manufacturer
Definition
distributor
Definition
authorised representative
Definition
product with digital elements
Definition
harmonised standard
Definition
significant cybersecurity risk
Definition
remote data processing
Definition
cybersecurity risk
Definition
electronic information system
Definition
market surveillance authority
Definition
hardware
Definition
software