
Who's Watching? ENISA & National Authorities in CRA Compliance

So, who actually makes sure your software (games, apps, tools) meets the Cyber Resilience Act rules? It's a team effort between national bodies and an EU agency.

National Market Surveillance Authorities (MSAs)

Think of these as the CRA's local enforcement. Each EU Member State designates them (Article 52 Paragraph 2).

  • Their job: To check if software products on their market comply with the CRA. They can investigate your software, request technical documentation, and order tests (Articles 53, 54).
  • Their powers: If your software isn't compliant, they can demand fixes, restrict its sale, order recalls, and issue those hefty fines we talked about (Article 54, Article 64). They work with other authorities, including data protection bodies (Article 52).

ENISA (The EU Agency for Cybersecurity)

ENISA plays a crucial support and coordination role at the EU level.

  • Central Reporting Hub: It manages the single platform where manufacturers report actively exploited vulnerabilities and severe security incidents (Article 14, Article 16 Paragraph 1).
  • Information & Analysis: ENISA analyzes reported vulnerabilities, can add them to a public EU database (once fixed), and produces reports on cyber risk trends (Article 17 Paragraphs 3, 5).
  • Support & Coordination: It supports national authorities, can propose joint market surveillance activities (like "sweeps" to check specific software categories), and may be asked by the European Commission to evaluate high-risk products in exceptional cases (Article 56 Paragraph 3, Article 59 Paragraph 2, Article 60 Paragraph 3).
  • It also provides helpdesk support for reporting (Article 17 Paragraph 6).

CSIRTs (Computer Security Incident Response Teams)

National CSIRTs (specifically those designated as coordinators) are your first point of contact for reporting vulnerabilities and incidents via ENISA's platform (Article 14 Paragraph 7). They work with MSAs and ENISA.

The European Commission

The Commission oversees the whole system. It can adopt further rules (delegated/implementing acts) to specify details of the CRA, step in with EU-wide measures if national actions aren't enough for a serious widespread risk, and publishes guidance (Articles 26, 55, 56, 57).

Key Takeaway

Your software will be under surveillance and control by national authorities. For you as a software developer, your main interactions will likely be with your national MSA if issues arise, and with CSIRTs/ENISA for mandatory vulnerability reporting.