Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 70 Evaluation and review
Summary What does Article 70 of the CRA regulation say?
This article sets out the Commission's obligations to review and report on the regulation's implementation and effectiveness.
It establishes two distinct reporting duties: a broader evaluation of the regulation as a whole, and a more targeted assessment of the single reporting platform established under Article 16, which is the centralised mechanism for manufacturers to notify vulnerabilities and incidents.
Important points:
- The Commission is required to submit a general evaluation and review report to the European Parliament and Council by 11 December 2030, and every four years after that, with all reports made public.
- The Commission must also submit a separate, earlier report by 11 September 2028, specifically assessing the effectiveness of the single reporting platform referenced in Article 16.
- The second report must be prepared after consulting ENISA and the CSIRTs network, and must examine how CSIRTs designated as coordinators have applied cybersecurity-related grounds to delay dissemination of notifications.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
By 11 December 2030 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.
By 11 September 2028, the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.
Relevant recitals
Recital 125 Periodic evaluation and review of this Regulation
The Commission should periodically evaluate and review this Regulation, in consultation with relevant stakeholders, in particular with a view to determining the need for modification in the light of changes to societal, political, technological or market conditions. This Regulation will facilitate the compliance with supply chain security obligations of entities that fall within the scope of Regulation (EU) 2022/2554 and Directive (EU) 2022/2555 that use products with digital elements. The Commission should evaluate, as part of that periodic review, the combined effects of the Union cybersecurity framework.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
component
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
product with digital elements
Definition
remote data processing
Definition
electronic information system
Definition
hardware
Definition
software