Source: OJ L 2024/2847, 20.11.2024


Article 56 Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk


Summary: What does Article 56 of the CRA regulation say?

This article establishes the Commission's own powers of intervention when a product with digital elements presents a significant cybersecurity risk and national-level action has proven insufficient.

It sits alongside Articles 54 and 55, which govern market surveillance authority evaluations and national procedures, but goes further by giving the Commission a direct escalation path.

Where the Commission has sufficient reason to believe a product is non-compliant or poses risks — including non-technical risk factors — it can alert market surveillance authorities, engage ENISA for analysis, consult Member States and economic operators, and ultimately adopt implementing acts imposing corrective or restrictive measures at Union level, up to and including market withdrawal or recall.

This intervention power is explicitly time-limited, applying only for the duration of the exceptional situation that triggered it.

Important points:

  • The Commission is empowered to act at Union level — including ordering market withdrawal or recall — where national market surveillance authorities have not taken effective measures against a non-compliant product presenting a significant cybersecurity risk.
  • Non-technical risk factors can also trigger the Commission's intervention, in which case it must additionally inform relevant competent authorities under Directive (EU) 2022/2555 and consider the implications for Union-level critical supply chain risk assessments.
  • Economic operators are required to cooperate with ENISA when the Commission carries out its compliance evaluation, and Member States must implement any resulting implementing acts without delay.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk does not comply with the requirements laid down in this Regulation, it shall inform the relevant market surveillance authorities. Where the market surveillance authorities carry out an evaluation of that product with digital elements that may present a significant cybersecurity risk in respect of its compliance with the requirements laid down in this Regulation, the procedures referred to in Articles 54 and 55 shall apply.

    2. Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant market surveillance authorities and, where appropriate, the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary. The Commission shall also consider the relevance of the identified risks for that product with digital elements in view of its tasks regarding the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, and consult, as necessary, the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and ENISA.

    3. In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall carry out an evaluation of compliance and may request ENISA to provide an analysis to support it. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.

    4. Based on the evaluation referred to in paragraph 3, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

    5. On the basis of the consultation referred to in paragraph 4 of this Article, the Commission may adopt implementing acts to provide for corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

    6. The Commission shall immediately communicate the implementing acts referred to in paragraph 5 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

    7. Paragraphs 3 to 6 shall be applicable for the duration of the exceptional situation that justified the Commission’s intervention, provided that the product with digital elements concerned is not brought in compliance with this Regulation.
