Market Surveillance Authority (MSA)

A Market Surveillance Authority (MSA) is a government agency designated by an EU member state to monitor whether products placed on the national market comply with applicable EU legislation. Under the Cyber Resilience Act, each member state must designate one or more MSAs with responsibility for CRA enforcement. MSAs have the power to request technical documentation, conduct product assessments, order corrective measures, and withdraw or recall non-compliant products. They act as the primary enforcement arm that gives the CRA its legal teeth. Manufacturers, importers, and distributors operating in the EU must cooperate fully with MSA investigations, providing access to records, source code documentation, and vulnerability handling processes on request.

The CRA grants MSAs significant investigative and enforcement powers. They can require economic operators to provide all technical documentation and conformity assessment records. They may order manufacturers to bring non-compliant products into conformity within a defined timeframe, restrict or prohibit the product's availability on the market, and arrange for its withdrawal or recall. MSAs can also impose administrative fines — up to €15 million or 2.5% of global annual turnover for the most serious violations. When a product poses a significant cybersecurity risk, MSAs can act immediately without prior notice. MSAs coordinate through the EU's ADCO (Administrative Cooperation) group and notify the European Commission via the RAPEX/ICSMS notification systems when significant risks are identified.

MSA investigations are typically triggered by several routes: complaints from security researchers or affected users, notifications via ENISA's European Vulnerability Database, alerts raised by other member state MSAs through RAPEX, proactive market surveillance sweeps, or incidents reported under the CRA's mandatory notification obligations. A manufacturer that fails to acknowledge a vulnerability report, fails to issue a security advisory within required timeframes, or places a product on the market without a valid declaration of conformity is at elevated risk of MSA scrutiny. PSIRT teams and compliance officers should treat MSA correspondence as urgent legal matters requiring senior management escalation.

Manufacturers can reduce MSA investigation risk by maintaining audit-ready compliance artefacts at all times. Key preparations include: keeping technical documentation current and accessible per Annex VII requirements; maintaining a published CVD policy with verifiable response records; ensuring the declaration of conformity is signed by an authorised representative; retaining vulnerability handling logs with timestamps; and conducting annual internal compliance reviews. When an MSA does make contact, manufacturers should respond promptly and constructively, provide requested documentation without delay, and engage legal counsel familiar with EU product regulation. Demonstrating a good-faith effort to comply significantly influences MSA enforcement discretion.