Article 45 - Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk
1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
3. Based on ENISA’s evaluation, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To this end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.
4. On the basis of the consultation referred to in paragraph 3, the Commission may adopt implementing acts to decide on corrective or restrictive measures at Union level, including ordering withdrawal from the market, or recalling, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
5. The Commission shall immediately communicate the decision referred to in paragraph 4 to the relevant economic operator or operators. Member States shall implement the acts referred to in paragraph 4 without delay and shall inform the Commission accordingly.
6. Paragraphs 2 to 5 are applicable for the duration of the exceptional situation that justified the Commission’s intervention and for as long as the respective product is not brought in compliance with this Regulation.
Cyber Resilience Act Text 15.9.2022
You may also visit:
Digital Operational Resilience Act (DORA)