
CRA-Update – Episode 9: Surveillance authorities

The Commission's draft of the Cyber Resilience Act (CRA-E) names several authorities, each with its own tasks for monitoring compliance with the requirements of the regulation.

National market surveillance authorities

The national market surveillance authorities form the core of the regulatory system in the CRA-E. According to Art. 41 (2) CRA-E, the Member States must appoint one or more market surveillance authorities and can also select existing authorities for this purpose. In Germany, for example, the Federal Office for Information Security (BSI) or the Federal Network Agency (BNetzA) could be considered due to their competencies.

The market surveillance authorities are responsible for drawing up guidelines and giving advice on the implementation of the CRA-E, as well as for producing an annual activity report. On top of that, market surveillance authorities are obliged under Art. 43 (1) CRA-E to review a product with digital elements where there is reason to assume a significant cybersecurity risk, and may request documentation and information from manufacturers. If a cybersecurity risk exists, the market surveillance authority may require the manufacturer to withdraw or recall the respective product from the market. In addition, under Art. 49 (1) CRA-E the market surveillance authorities can conduct simultaneous coordinated control actions ("sweeps") on certain products with digital elements. As a rule, however, these are coordinated by the European Commission, and the ENISA also has the right to make proposals regarding the product categories to be checked. The regulation leaves open what exactly is meant by sweeps, i.e. coordinated control actions. This could include simulated cyber attacks, for example, as this is probably the most effective way of identifying vulnerabilities in products with digital elements.

In addition, the national market surveillance authorities have the investigative powers listed in Art. 41 to 43, 46 and 47 CRA-E. These include requesting access to the data of products with digital elements, requiring corrective measures for a product that does not meet the requirements of the CRA, or requiring the manufacturer to remedy a formal non-conformity (e.g. by affixing the conformity marking).

Art. 41 CRA-E also provides for cooperation between the market surveillance authorities and other authorities, such as the national cybersecurity certification authorities, the ENISA and the European data protection authorities. This covers, in particular, the exchange of information and documents.

European Commission

The main task of the European Commission is to promote cooperation and the exchange of information between the national market surveillance authorities, as set out in Art. 41 (7) CRA-E.

In addition, according to Art. 45 (1) CRA-E, the Commission can also take action itself and request the inspection of a product with digital elements by the market surveillance authorities if it has reasons to believe that a product with digital elements poses a significant cybersecurity risk.

In exceptional circumstances that justify immediate intervention to preserve the proper functioning of the internal market, and where the market surveillance authorities have not taken effective action, the Commission may request the ENISA to assess compliance and may request a corrective or restrictive measure at Union level, such as the withdrawal or recall of a product with digital elements from the market.

ADCO

Art. 41 (11) CRA-E provides for the establishment of a dedicated Administrative Cooperation Group (ADCO) made up of representatives of the market surveillance authorities and the single liaison bodies. According to Recital 56 sentence 1 CRA-E, the ADCO is intended to ensure uniform application of the CRA.

ENISA

The ENISA can carry out a conformity assessment at the request of the European Commission and can also submit proposals to the market surveillance authorities for product categories for which sweeps could be organised. In addition, manufacturers are obliged to notify the ENISA without delay of any actively exploited vulnerability in a product with digital elements. The ENISA then forwards the notification to the Computer Security Incident Response Team (CSIRT) designated under Art. 12 of the NIS 2 Directive for coordinated vulnerability disclosure.

Possible changes in the final version of the CRA-E

Building on the Commission's proposal for a regulation, the European Parliament's Committee on Industry, Research and Energy (ITRE) and the Council of the European Union have each published their own drafts. The legislative process is currently in its final coordination phase.

While the Council's draft largely follows that of the Commission, the ITRE's proposal contains some interesting additions. For example, Art. 43 and 45 CRA-E have been extended so that market surveillance authorities and, where necessary, the European Commission can also require economic operators to take corrective action where there is a non-technical risk, such as undue influence by third countries on suppliers. In addition, the provisions on sweeps in Art. 49 CRA-E were made more specific. They now include, for example, the inspection of products with digital elements that were acquired under a cover identity.

Practical recommendations

As the European Commission leaves it to the Member States to designate the market surveillance authorities, it remains to be seen which authorities the national legislator will select, or possibly create, for this purpose. Companies should therefore continue to monitor the further legislative process and news relating to the CRA. The exact manner in which official measures will be implemented will only become clear once the CRA enters into force. We will report on possible sanctions for violations in Episode 10.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Associate
Alexander Weiss
