Take corrective measures and cooperate with market surveillance

Article 13(17) of Regulation (EU) 2024/2847 requires that manufacturers who have reason to consider that a product is not in conformity with this Regulation shall immediately take the necessary corrective measures to:

• bring the product into conformity, or
• withdraw it from the market, or
• recall it

and shall inform the market surveillance authorities and distributors accordingly.

Article 13(18) requires manufacturers to provide market surveillance authorities, upon request, with all the information and documentation necessary to demonstrate conformity, in a language easily understood by those authorities.

1. Immediate action — no delay once non-conformity is identified; the response must be proportionate to the risk level
2. Corrective measure selection — choose the appropriate measure:
   • Software update: for vulnerabilities or non-conformities addressable by patch
   • Withdrawal: stop making the product available (future sales)
   • Recall: for products already in the supply chain or with end users where risk is serious
3. Notify authorities — inform market surveillance authorities in affected Member States without undue delay
4. Notify distributors — inform downstream distributors so they can stop selling or pass on information to customers
5. Documentation on demand — provide technical file, test records, and EU DoC to market surveillance authorities on request, within deadlines set by authorities

This corrective obligation is triggered not only by authority action but by the manufacturer's own knowledge — including:

• Internal test results
• User vulnerability reports
• CVE disclosures affecting the product
• Post-market surveillance data

• Post-market surveillance process documentation
• Corrective action records (updates issued, withdrawals, recalls)
• Notifications sent to market surveillance authorities
• Notifications sent to distributors and users
• Market surveillance authority correspondence records