This document is under active development and has not been finalised.
CRA Compliance

English

Deutsch
简体中文

English

Deutsch
简体中文

Appearance

Market Surveillance (Art. 52-58)

Overview

Market Surveillance ensures that products on the EU market meet the CRA requirements. Regulation (EU) 2019/1020 (Market Surveillance Regulation) applies. Manufacturers must respond to requests from Market Surveillance authorities and cooperate with corrective measures.

LEGAL BASIS

Art. 52 CRA: Regulation (EU) 2019/1020 applies to products with digital elements falling under the CRA.

Art. 53-58 CRA: Specific procedures for corrective measures, safeguard clause, formal non-conformity, and Union safeguard clause.

Competent Authorities

CountryCompetent Market Surveillance Authority
GermanyFederal Network Agency (BNetzA) / BSI
AustriaTelecommunications Office / RTR
EU-wideCoordination by the EU Commission

The exact distribution of competences will be determined by the Member States by 11.06.2026.

Powers of Market Surveillance Authorities

Information Requests (Art. 52)

Authorities may require from the Manufacturer:

  • Technical documentation (Annex VII) -- typical deadline: 10 working days
  • EU declaration of conformity
  • SBOM
  • Results of the conformity assessment
  • Source code or access to source code (in justified cases)

Product Testing

Authorities may:

  • Purchase products from the market and test them
  • Order laboratory tests and security assessments
  • Commission penetration tests
  • Check SBOM against known vulnerabilities

Order Corrective Measures

  • Warning to users
  • Recall of the product from the market
  • Distribution stop
  • Destruction of the product (in severe cases)

Procedures

Art. 53 -- Corrective Measures at National Level 

Authority determines non-conformity
    |
    +-- Manufacturer informed (with deadline)
    |
    +-- Manufacturer has [reasonable deadline] for correction
    |   +-- Correction made --> Procedure closed
    |   +-- Correction not made --> Measure ordered
    |       +-- Distribution stop
    |       +-- Recall
    |       +-- EU Commission + other Member States informed
    |
    +-- In case of serious danger --> Immediate measures (without deadline)

Art. 54 -- Safeguard Clause Procedure (EU-wide)

When a Member State takes measures and other Member States are affected:

  1. Member State informs the EU Commission
  2. Commission examines whether the measure is justified
  3. If confirmed: All Member States take the same measures
  4. If rejected: Member State must lift the measure

Art. 55 -- Compliant Products Posing a Risk

Even a compliant product can pose a risk (e.g., new threat landscape). In this case:

  • Authority may order provisional measures
  • Manufacturer must provide a remedy (patch, warning, recall)
  • Commission may adopt implementing acts

Art. 56 -- Formal Non-Conformity

Formal violations (without substantive risk):

  • Missing CE marking
  • CE incorrectly affixed
  • EU declaration of conformity not prepared or defective
  • Technical documentation not available

Manufacturer must establish formal conformity In case of non-compliance: distribution stop or recall

BAUER GROUP Obligations

Preparation for Market Surveillance

MeasureDescriptionStatus
Documentation archiveAll technical documentation retrievable (10 years)This repository
SBOM archiveSBOMs archived and signed per releaseSBOM & Signing
Contact personDesignated person for authority requestsTo be designated
EU declarations of conformityAvailable for all productsProduct-specific
Recall processDocumented process for product recallsTo be created

Response Process for Authority Requests

StepDeadlineAction
1ImmediatelyForward request to CISO and management
22 working daysAssess request content, identify responsible team
35 working daysCompile requested documentation
410 working daysSubmit documentation to authority
5As per deadlineImplement corrective measures (if required)
6OngoingDocument measures and inform authority

Recall Process

If a recall is ordered or carried out voluntarily:

  1. Risk assessment -- Severity and scope of the problem
  2. Customer notification -- Through all known channels
  3. Provide patch -- Publish security update
  4. Inform authority -- Communicate measures and timeline
  5. Documentation -- Record all steps without gaps
  6. Follow-up -- Monitor patch adoption

See also: Communication Plan

Checklist: Readiness for Market Surveillance

  • [ ] Technical documentation of all products up to date and retrievable
  • [ ] EU declarations of conformity available for all products
  • [ ] SBOMs archived for all active product versions
  • [ ] Contact person for authority requests designated
  • [ ] Response process documented and known
  • [ ] Recall process documented
  • [ ] All documents available in English (authority language)
  • [ ] Source code access technically possible (for justified requests)

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT

© 2026 BAUER GROUP. Commercial use of the documentation is not permitted.