1. All parties involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:
(a) intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council(37);
(b) the effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits;
(c) public and national security interests;
(d) integrity of criminal or administrative proceedings.
2. Without prejudice to paragraph 1, information exchanged on a confidential basis between the market surveillance authorities and between market surveillance authorities and the Commission shall not be disclosed without the prior agreement of the originating market surveillance authority.
3. Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law of the Member States.
4. The Commission and Member States may exchange, where necessary, sensitive information with relevant authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of protection.
(37) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
- Recital CRA 119
In order to ensure trusting and constructive cooperation of market surveillance authorities at Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.
- Art. 64 CRA – Penalties
1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.
2. Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
3. Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
4. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
5. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement and of its consequences;
(b) whether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement;
(c) the size, in particular with regard to microenterprises and small and medium-sized enterprises, including start-ups, and the market share of the economic operator committing the infringement.
6. Market surveillance authorities that apply administrative fines shall communicate that application to the market surveillance authorities of other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020.
7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.
8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies according to the competences established at national level in those Member States. The application of such rules in those Member States shall have an equivalent effect.
9. Administrative fines may be imposed, depending on the circumstances of each individual case, in addition to any other corrective or restrictive measures applied by the market surveillance authorities for the same infringement.
10. By way of derogation from paragraphs 3 to 9, the administrative fines referred to in those paragraphs shall not apply to the following:
(a) manufacturers that qualify as microenterprises or small enterprises with regard to any failure to meet the deadline referred to in Article 14(2), point (a), or Article 14(4), point (a);
(b) any infringement of this Regulation by open-source software stewards.
- Recital CRA 120
In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national law for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account and, as a minimum, those explicitly established in this Regulation, including whether the manufacturer is a microenterprise or a small or medium-sized enterprise, including a start-up, and whether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement. Such circumstances could be either aggravating, in situations where the infringement by the same economic operator persists on the territory of Member States other than that where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of infringement should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure the respect of the principle of proportionality.
Given that administrative fines do not apply to microenterprises or small enterprises for a failure to meet the 24-hour deadline for the early warning notification of actively exploited vulnerabilities or severe incidents having an impact on the security of the product with digital elements, nor to open-source software stewards for any infringement of this Regulation, and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on those entities.
- Recital CRA 121
Where administrative fines are imposed on a person that is not an undertaking, the competent authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines.
- Recital CRA 122
Member States should examine, taking into account national circumstances, the possibility of using the revenues from the penalties as provided for in this Regulation or their financial equivalent to support cybersecurity policies and increase the level of cybersecurity in the Union by, inter alia, increasing the number of qualified cybersecurity professionals, strengthening capacity building for microenterprises and small and medium-sized enterprises and improving public awareness of cyber threats.
- Art. 65 CRA – Representative actions
Directive (EU) 2020/1828 shall apply to the representative actions brought against infringements by economic operators of provisions of this Regulation that harm, or may harm, the collective interests of consumers.
- Recital CRA 124
Consumers should be entitled to enforce their rights in relation to the obligations imposed on economic operators under this Regulation through representative actions pursuant to Directive (EU) 2020/1828 of the European Parliament and of the Council(33). For that purpose, this Regulation should provide that Directive (EU) 2020/1828 is applicable to the representative actions concerning infringements of this Regulation that harm or can harm the collective interests of consumers. Annex I to that Directive should therefore be amended accordingly. It is for the Member States to ensure that those amendments are reflected in the transposition measures adopted pursuant to that Directive, although the adoption of national transposition measures in that regard is not a condition for the applicability of that Directive to those representative actions. The applicability of that Directive to the representative actions brought with regard to infringements of provisions of this Regulation by economic operators that harm or could harm the collective interests of consumers should start from 11 December 2027.
(33) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).