Take corrective action and report significant cybersecurity risks
- Applies to: Distributor
- Source citation: Art. 20(4)
- Product class: default, important-class-i, important-class-ii, critical
Plain-language explanation
If you discover after the fact that a product you have been selling is non-compliant, you must act immediately: fix the issue, pull unsold stock, or recall products from customers as appropriate. If there is a significant cybersecurity risk, you also must notify the national regulator straight away — do not wait for the manufacturer to act first.
Legal text
Article 20(4) of Regulation (EU) 2024/2847 provides that distributors who consider or have reason to believe that a product with digital elements which they have made available on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to bring that product into conformity, to withdraw it or to recall it, if appropriate.
Furthermore, where the product with digital elements poses a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product available on the market, giving details of, in particular, the non-compliance and of any corrective measures taken.
Key requirements
- Immediate action — no delay once non-conformity is identified post-market
- Proportionate response — remediation, withdrawal from sale, or recall depending on severity
- Significant risk notification — notify national market surveillance authority immediately, with full details of the issue and corrective measures
- Multi-market coverage — notify all member states where the product has been made available
Evidence you may need
- Product recall and withdrawal procedure
- Corrective action records and decision log
- Notifications sent to market surveillance authorities
- Communication to customers, retailers, or upstream supply chain