Article 27 establishes the framework for coordinating market surveillance activities across EU member states. Because the EU single market means products flow freely across borders, a non-compliant product identified in one member state may be on sale in 26 others. Article 27 ensures national surveillance authorities share information, coordinate investigations, and apply consistent enforcement standards so that manufacturers cannot exploit differences in national enforcement capacity.
The Need for Coordinated Market Surveillance
Market surveillance of CRA-regulated products faces an inherent challenge: the single market means products are sold across all 27 member states simultaneously. A non-compliant IoT device manufactured in China, imported through the Netherlands, and sold in France, Germany, and Spain presents a coordination challenge for national authorities with jurisdictional limits.
Article 27 addresses this by establishing coordination mechanisms through which national market surveillance authorities (MSAs) share information about products under investigation, coordinate corrective action requests, and ensure that a product withdrawn from sale in one member state is also addressed in others where it is sold.
The Information and Communication System for Market Surveillance (ICSMS) is the EU-wide database through which authorities share product compliance information, inspection results, and enforcement actions. National MSAs are required to use ICSMS to record CRA-related actions, providing a shared intelligence picture across the EU.
Information Sharing Obligations
Article 27 requires national market surveillance authorities to share information with each other and with the Commission when they identify non-compliant products or products presenting a risk. Key information-sharing obligations include:
Safety Gate notifications: Where a product presents a serious risk, authorities must notify the Safety Gate (formerly RAPEX) database, alerting all other member states immediately. Safety Gate notifications for CRA-relevant products trigger automatic review by other national MSAs.
ICSMS entries: All market surveillance activities — inspections, investigations, test results, corrective action orders — should be recorded in ICSMS to enable coordination.
Direct communications: For urgent or sensitive cases, direct communication between national MSAs may precede formal database entries. Article 27 encourages informal information sharing as a complement to formal notification systems.
Manufacturers subject to enforcement action in one member state should anticipate that the action will be visible to authorities across the EU and that parallel actions in other member states may follow.
ENISA's Role in Market Surveillance Coordination
Article 27 gives ENISA a coordination role in CRA market surveillance activities. ENISA's specific cybersecurity expertise positions it to provide technical support to national MSAs that may lack in-house cybersecurity assessment capacity.
ENISA's coordination functions include:
- Developing common testing methodologies and assessment guidelines for national MSAs
- Maintaining and operating the European Vulnerability Database to support surveillance activities
- Coordinating joint market surveillance campaigns targeting high-risk product categories
- Supporting capacity building for national MSAs in less advanced member states
- Facilitating information sharing between national cybersecurity agencies and MSAs
ENISA's role does not replace national MSA authority — enforcement remains a national responsibility. But ENISA provides the technical and coordination infrastructure that makes consistent enforcement across 27 member states feasible.
Joint Market Surveillance Actions
Article 27 enables national MSAs to conduct joint market surveillance actions — coordinated campaigns in which multiple member states simultaneously investigate the same product category or manufacturer. Joint actions are particularly effective against manufacturers who might otherwise play member states off against each other by cooperating minimally in high-enforcement jurisdictions and continuing sales in lower-enforcement jurisdictions.
Joint actions can include coordinated sampling of products for testing, simultaneous requests for technical documentation, and coordinated corrective action orders that prevent a manufacturer from withdrawing a product in one country while continuing to sell it in others.
For manufacturers, the possibility of joint market surveillance actions means that compliance cannot be geo-targeted. A manufacturer who invests in compliance for the German market but not the Romanian market may find that German MSA findings trigger EU-wide enforcement.
Safeguard Procedures for Disputed Products
Article 27 establishes safeguard procedures for situations where a national MSA requires corrective action for a product that bears a CE marking. If a manufacturer disputes the MSA's finding of non-compliance, the regulation provides for Commission review of the national measure.
Where the Commission agrees with the national MSA that the product is non-compliant, it can adopt an implementing act confirming the measure, which then applies EU-wide. Where the Commission finds the product is compliant, the national measure must be withdrawn.
These safeguard procedures protect manufacturers from incorrectly applied national enforcement while ensuring that confirmed non-compliance is addressed uniformly. Manufacturers facing disputed enforcement actions should engage legal counsel familiar with EU administrative proceedings and be prepared for the possibility of Commission involvement.
CVD Portal helps you comply with Article 27 automatically.
Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.
Start your free portalFrequently asked
Can a manufacturer in one member state be fined by authorities in another member state?+
Fines under the CRA are imposed by national authorities in the jurisdiction where the violation occurs. However, because products are typically sold in multiple member states, parallel enforcement actions in multiple countries are possible. A manufacturer could theoretically face enforcement proceedings — and separate fines — in several member states simultaneously for the same underlying non-compliance.
Is Safety Gate only for physical product safety or does it cover CRA cybersecurity issues?+
Safety Gate (formerly RAPEX) covers all products presenting serious risks to health and safety, which the EU has clarified includes cybersecurity risks that could harm users. National authorities must notify Safety Gate for products presenting serious cybersecurity risks under the CRA, just as they would for physical safety hazards. The database is publicly accessible, meaning Safety Gate notifications about your product are visible to consumers and business customers.
What does a joint market surveillance action involve for the manufacturer?+
In a joint market surveillance action, the manufacturer may receive coordinated requests for technical documentation, product samples, and compliance evidence from multiple national MSAs simultaneously or in rapid succession. The manufacturer must respond to each national authority's request within the applicable timeframes, even if the requests are substantively identical. Manufacturers should ensure that their compliance infrastructure can handle multiple parallel authority interactions.
How does the ICSMS database affect manufacturers?+
Manufacturers do not directly access or input into ICSMS — it is an authority-to-authority coordination tool. However, any enforcement action taken against a manufacturer's products will be recorded in ICSMS and visible to all EU national MSAs. A history of enforcement actions in one member state will be known to MSAs in other member states, which may affect how they prioritise surveillance activities targeting that manufacturer's products.
Need a CVD policy that satisfies Article 27?
Download a free CRA-compliant template and deploy it in minutes.