Market Surveillance and CRA Enforcement
National market surveillance authorities enforce the CRA in each EU member state. This post explains their powers, how enforcement actions work, the penalties manufacturers face, and what triggers investigations.
Who Enforces the CRA?
Enforcement of the CRA is the responsibility of national market surveillance authorities (MSAs) — one designated per EU member state. Each MSA has the power to investigate manufacturers, importers, and distributors operating in its territory. ENISA plays a coordination role at EU level, particularly around vulnerability intelligence.
MSA Powers
Market surveillance authorities have broad investigative and enforcement powers:
- Document requests: demand technical files, EU DoCs, test reports, SBOMs, and internal communications
- Product testing: order independent technical testing of products
- Manufacturer interviews: require manufacturers or their representatives to attend meetings and provide information
- On-site inspections: visit manufacturing or operations facilities
- Product sampling: purchase products from the market for testing
If a product is found non-compliant, MSAs can:
- Order the manufacturer to bring the product into conformity within a specified period
- Restrict or prohibit the product being made available on the market
- Require withdrawal or recall of the product
- Impose financial penalties
Penalty Structure
The CRA penalty framework is tiered:
| Violation | Maximum Penalty |
|---|---|
| Violation of essential requirements (Annex I) | €15 million or 2.5% of global annual turnover |
| Other CRA obligations (article-level violations) | €10 million or 2% of global annual turnover |
| Providing false information to authorities | €5 million or 1% of global annual turnover |
Penalties are applied by national MSAs according to national administrative law, but the maximums are set at EU level to ensure consistency.
What Triggers Investigations
MSAs are resourced for risk-based surveillance — they do not audit every product. Investigations are typically triggered by:
- Consumer complaints about product security failures
- Security researcher disclosures of vulnerabilities in products lacking CE marking
- Media reporting about significant security incidents involving EU-sold products
- ENISA intelligence from Article 14 reports suggesting under-reporting
- Notified body escalations where a product fails third-party assessment
Safe Harbour: Good-Faith Engagement
Manufacturers that proactively engage with MSAs when they discover non-conformity, cooperate with investigations, and remediate issues promptly are treated more favourably than those who obstruct enquiries. Document all CRA compliance activities — this evidence is invaluable if you are ever investigated.