Take corrective action and report significant cybersecurity risks
- Applies to
- Importer
- Source reference
- Art. 19(5)
- Product category
- default, important-class-i, important-class-ii, critical
Plain language
If you discover that a product you have already sold or distributed is non-compliant, you must act immediately: remediate the issue, withdraw unsold stock, or recall products from customers — whichever is necessary. If the non-compliance creates a significant cybersecurity risk, you must also notify the national authority responsible for market surveillance without delay.
Legal text
Article 19(5) of Regulation (EU) 2024/2847 provides that importers who consider or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to bring that product into conformity, to withdraw it or to recall it, if appropriate.
Furthermore, where the product with digital elements poses a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product available on the market, giving details, in particular, of the non-compliance and of any corrective measures taken.
Key requirements
- Immediate corrective action — no delay once non-conformity is identified
- Proportionate response — remediation, withdrawal, or recall depending on severity
- Significant risk threshold — notify national market surveillance authority immediately where a significant cybersecurity risk exists
- Detail in notification — include nature of non-compliance and corrective measures taken
Evidence you may need
- Corrective action or product recall procedure
- Written record of the decision and actions taken
- Notification letters to market surveillance authorities (where applicable)
- Communication to customers or downstream distributors regarding recalled products