Source: OJ L 2024/2847, 20.11.2024
Article 60 Sweeps
Summary: What does Article 60 of the CRA regulation say?
This article establishes a coordinated enforcement mechanism known as "sweeps" — simultaneous control actions carried out by market surveillance authorities across Member States to check compliance with, or detect infringements of, the regulation.
It sets out how these sweeps are organised, who coordinates them, and what powers can be used during them.
Notably, sweeps can involve undercover purchases of products, and ENISA feeds into the process by proposing sweep targets based on notifications it receives under Article 14.
Important points:
- Market surveillance authorities are required to conduct simultaneous coordinated sweeps of products with digital elements, which may include acquiring products under a cover identity.
- Sweeps are coordinated by the Commission unless the market surveillance authorities involved agree otherwise, and ENISA can propose categories of products for sweeps based on its monitoring activity.
- Market surveillance authorities may draw on the full range of investigation powers set out in Articles 52 to 58, as well as any additional powers available under national law, when conducting sweeps.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Market surveillance authorities shall conduct simultaneous coordinated control actions (sweeps) of particular products with digital elements or categories thereof to check compliance with or to detect infringements to this Regulation. Those sweeps may include inspections of products with digital elements acquired under a cover identity.
Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep shall, where appropriate, make the aggregated results publicly available.
Where, in the performance of its tasks, including based on the notifications received pursuant to Article 14(1) and (3), ENISA identifies categories of products with digital elements for which sweeps may be organised, it shall submit a proposal for a sweep to the coordinator referred to in paragraph 2 of this Article for the consideration of the market surveillance authorities.
When conducting sweeps, the market surveillance authorities involved may use the investigation powers set out in Articles 52 to 58 and any other powers conferred upon them by national law.
Market surveillance authorities may invite Commission officials, and other accompanying persons authorised by the Commission, to participate in sweeps.
Relevant recitals
Recital 114 Simultaneous coordinated control actions (sweeps)
Simultaneous coordinated control actions (sweeps) are specific enforcement actions by market surveillance authorities that can further enhance product security. Sweeps should, in particular, be conducted where market trends, consumer complaints or other indications suggest that certain categories of products with digital elements are often found to present cybersecurity risks. Furthermore, when determining the product categories to be subjected to sweeps, market surveillance authorities should also take into account circumstances relating to non-technical risk factors. To that end, market surveillance authorities should be able to take into account the results of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555, including circumstances relating to non-technical risk factors. ENISA should submit proposals for categories of products with digital elements for which sweeps could be organised to the market surveillance authorities, based, inter alia, on the notifications of vulnerabilities and incidents it receives.
Recital 115 Role of ENISA
In light of its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, ENISA should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which sweeps should be organised. In exceptional circumstances, ENISA should be able, at the request of the Commission, to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the proper functioning of the internal market.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.