Beta

Source: OJ L 2024/2847, 20.11.2024

EN

Article 54 Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

    1. Where the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of a Member State has sufficient reason to consider that a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including its vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling, presents a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; shall cooperate with the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; as necessary.

    2. Where, in the course of that evaluation, the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; finds that the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; to take all appropriate corrective actions to bring the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; into compliance with those requirements, to withdraw it from the market, or to recall means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020; it within a reasonable period, commensurate with the nature of the cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, as the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; may prescribe.

    3. The market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall inform the relevant notified body means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.

    1. When determining the significance of a cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; referred to in paragraph 1 of this Article, the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall also consider non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors, in particular those established as a result of Union level coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; has sufficient reason to consider that a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; presents a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption; in light of non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors, it shall inform the competent authoritiesas defined in Article 46 designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.

    1. Where the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; to take.

    1. The economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned that it has made available on the market throughout the Union.

    1. Where the economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall take all appropriate provisional measures to prohibit or restrict that product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; from being made available on its national market, to withdraw it from that market or to recall means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020; it.

    2. That authority shall notify the Commission and the other Member States, without delay, of those measures.

    1. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the origin of that product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the nature of the alleged non-compliance and the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;. In particular, the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall indicate whether the non-compliance is due to one or more of the following:

      1. a failure of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or of the processes put in place by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to meet the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I;

      2. shortcomings in the harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes or common specifications, as referred to in Article 27.

    1. The market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of the Member States other than the market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned, and, in the event of disagreement with the notified national measure, of their objections.

    1. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed to be justified. This is without prejudice to the procedural rights of the economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; concerned in accordance with Article 18 of Regulation (EU) 2019/1020.

    1. The market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned, such as withdrawal means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020; of that product from their market, without delay.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod