Chapter 9 of 10
Module 9 – Enforcement, Supervision, and Market Surveillance in the EU
Looks at how EU rules are enforced in practice: the role of national authorities, EU agencies, and coordinated enforcement mechanisms for both products and digital services.
Step 1 – From Rule‑Making to Enforcement: Who Does What?
In the EU, making rules and enforcing rules are not the same thing.
Rule‑making (legislative phase)
- EU level:
  - European Parliament + Council: adopt Regulations and Directives (e.g. Market Surveillance Regulation (EU) 2019/1020, Digital Services Act, AI Act).
  - European Commission: proposes legislation, adopts delegated and implementing acts, issues guidelines.
Enforcement (implementation & supervision phase)
- Member States (MS):
  - Designate national authorities to enforce EU rules (e.g. market surveillance authorities, Digital Services Coordinators, AI supervisory authorities).
  - Organise inspections, investigations, sanctions.
- EU level:
  - European Commission: oversees application, can launch infringement procedures against MS.
  - EU agencies / boards / networks (e.g. ENISA for cybersecurity, European Board for Digital Services, European AI Office) support coordination and sometimes have direct or joint powers.
Key distinction
- Rule‑making: creates the legal framework (what must be done).
- Enforcement: ensures real‑world compliance (is it actually done, and what happens if not?).
Keep this distinction in mind: in the next steps we focus on how enforcement and supervision work in practice, especially for products (New Legislative Framework, NLF) and digital services (DSA/DMA, AI Act).
Step 2 – Market Surveillance under Regulation (EU) 2019/1020
Since July 2021 (about 4 years ago), Regulation (EU) 2019/1020 on market surveillance and compliance of products has been the horizontal backbone for product enforcement in the EU.
What is market surveillance?
Market surveillance is what public authorities do to ensure that products on the EU market:
- comply with applicable EU harmonisation legislation (e.g. machinery, toys, radio equipment, low voltage, Cyber Resilience Act when fully applicable), and
- do not endanger health, safety, or other public interests (environment, cybersecurity, consumer protection, etc.).
Key features of Regulation (EU) 2019/1020
- Applies to most CE‑marked products and other harmonised products.
- Requires each Member State to have market surveillance authorities (MSAs) with adequate powers and resources.
- Introduces the concept of an economic operator in the EU responsible for products from outside the EU (manufacturer, importer, authorised representative, or fulfilment service provider).
- Strengthens cooperation and information‑sharing between authorities, including via:
  - the Information and Communication System for Market Surveillance (ICSMS),
  - the Safety Gate/RAPEX system for dangerous products.
- Allows for joint activities and coordinated checks across Member States.
In short: 2019/1020 is the enforcement engine behind many of the product rules you saw in earlier modules about the NLF and sectoral legislation.
Step 3 – Example: How a Dangerous Smart Toy Is Handled
Imagine a smart connected toy sold online across the EU. It has two issues:
- It can overheat and cause burns (classic safety risk).
- It has weak cybersecurity: default password is "1234", no encryption.
Here is how market surveillance under Regulation (EU) 2019/1020 typically works:
- Detection
  - A consumer in France reports a burn incident to the national authority.
  - A cybersecurity lab in Germany reports that the toy is easily hackable.
- National market surveillance authority (MSA) actions
  - The French MSA buys samples ("mystery shopping") and tests them.
  - It checks compliance with:
    - Toy Safety Directive (for physical safety),
    - Radio Equipment Directive or Cyber Resilience Act (once fully applicable) for cybersecurity requirements.
- Non‑compliance found
  - Tests show the toy overheats and fails cybersecurity essential requirements.
  - The MSA orders the distributor/importer to stop sales and recall products already sold.
- EU‑wide coordination
  - The case is uploaded into ICSMS and a notice is published via Safety Gate.
  - Other MSAs (e.g. Spain, Poland) receive the alert and check if the toy is sold in their territory.
  - They adopt similar measures, so the toy is effectively removed across the EU, not just in France.
- Follow‑up with the manufacturer
  - The MSA asks the manufacturer to fix the design and update the technical documentation.
  - If the manufacturer does not cooperate, authorities can impose fines, destroy products, or ban the product.
This example shows how national authorities act locally but rely on EU‑level tools (ICSMS, Safety Gate, harmonised rules) to ensure consistent enforcement across the internal market.
Step 4 – Accreditation, Notified Bodies, and Their Supervision
Under the New Legislative Framework (NLF), not all products are checked directly by public authorities before entering the market. Instead, the system relies heavily on conformity assessment.
1. Accreditation
- Each Member State has a national accreditation body (NAB), designated under Regulation (EC) No 765/2008.
- The NAB evaluates and confirms that a conformity assessment body (CAB) is competent to carry out specific tests or certifications.
- Accreditation is based on harmonised standards (e.g. EN ISO/IEC 17065 for product certification bodies).
2. Notified bodies (NBs)
- When an accredited CAB is officially recognised by a Member State to carry out tasks under a specific EU act (e.g. Machinery Regulation, Medical Devices Regulation), it becomes a notified body.
- The Member State notifies it to the Commission and other MS via the NANDO database.
- Manufacturers sometimes must use a notified body for third‑party conformity assessment, instead of relying only on self‑declaration.
3. Supervision of notified bodies
- National authorities must monitor their notified bodies:
  - regular audits,
  - observing tests,
  - checking impartiality and competence.
- If a notified body fails (e.g. issues CE certificates too easily), the notifying authority can suspend or withdraw its notification.
4. Interaction with market surveillance
- Market surveillance authorities do not replace notified bodies, but they:
  - check products after they are on the market,
  - can question or challenge a notified body’s assessment,
  - may trigger an investigation of a notified body by its notifying authority.
So, the chain is: accreditation body → notified body → manufacturer’s conformity assessment → market surveillance authority. Weakness in any link can undermine the whole system.
Step 5 – Coordinated Enforcement for the DSA and DMA
For digital services and online platforms, the EU moved to a more centralised and coordinated model with the Digital Services Act (DSA) and Digital Markets Act (DMA).
Digital Services Act (DSA)
Most DSA obligations started applying between February and February 2024, depending on provider type.
Key enforcement actors
- Digital Services Coordinators (DSCs): one per Member State.
  - Main national authority for DSA enforcement.
  - Handles complaints, investigates, can impose fines.
- European Board for Digital Services (EBDS):
  - Network of DSCs + Commission.
  - Issues guidance, coordinates cross‑border cases.
- European Commission:
  - Directly supervises Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) (45+ million users in the EU).
  - Can conduct dawn raids, request data, and impose very high fines.
Example of coordinated DSA enforcement
- A recommender system of a VLOP is suspected of amplifying illegal content across several Member States.
- National DSCs receive complaints and share them in the EBDS.
- The Commission opens a formal investigation into the VLOP, while DSCs handle related local issues (e.g. transparency to users, handling of user notices).
Digital Markets Act (DMA)
The DMA targets "gatekeepers" (large platforms with entrenched market power). It entered into application in 2023–2024.
Enforcement structure
- European Commission is the sole enforcer of the DMA.
- National competition authorities can support but do not enforce DMA obligations directly.
Why this centralisation?
- Gatekeepers and VLOPs/VLOSEs operate across all Member States.
- A central enforcer (Commission) helps avoid fragmentation and inconsistent obligations.
Compare this to 2019/1020: there, Member States lead enforcement with EU coordination; under DSA/DMA, the Commission has much stronger direct powers, especially for the largest players.
Step 6 – Coordinated Supervision for the AI Act and Other Digital Laws
The AI Act (Regulation (EU) 2024/1689) was adopted in 2024 and its obligations are being phased in over several years. It introduces yet another hybrid enforcement model.
1. National AI authorities
- Each Member State must designate one or more national competent authorities for the AI Act.
- One of them acts as the market surveillance authority for AI systems (especially high‑risk AI).
- They can:
  - inspect AI systems and documentation,
  - order corrective actions or withdrawal,
  - impose fines.
2. European AI Office (within the Commission)
- Coordinates enforcement for general‑purpose AI models and cross‑border issues.
- Supports consistent application of the AI Act.
- Can investigate and impose corrective measures for certain high‑impact AI models.
3. Coordinated enforcement mechanisms
- Similar to DSA structures:
  - a European AI Board (or equivalent coordination body) with national authorities + Commission,
  - joint investigations and coordinated risk assessments.
4. Links to other digital laws
- Cyber Resilience Act (CRA): MSAs under 2019/1020 will also enforce cybersecurity requirements for products with digital elements (including some AI‑enabled products).
- DORA (financial sector): enforced by financial supervisors (e.g. ECB, national competent authorities) with a Joint Oversight Forum for critical third‑party ICT providers.
- Interoperable Europe Act: focuses more on cooperation between public administrations, with governance structures to steer implementation rather than classical “policing”.
Across these laws, a pattern emerges:
- National authorities: first line of enforcement.
- EU‑level bodies (Boards, Offices, Commission): coordinate, issue guidance, and sometimes directly enforce for the largest or most cross‑border actors.
Step 7 – Map the Right Enforcer (Thought Exercise)
Match each scenario to the main enforcement actor(s). Think first, then check the suggested answers below.
Scenario A
A medium‑sized EU manufacturer sells industrial sensors with embedded software. A serious safety defect and a cyber vulnerability are discovered after the product is already on the market.
> Who leads enforcement?
> - A1: National market surveillance authority under Regulation (EU) 2019/1020 and relevant sectoral laws (e.g. Machinery, CRA).
> - A2: Digital Services Coordinator.
> - A3: European Commission as DMA enforcer.
Scenario B
A Very Large Online Platform fails to provide an effective system for users to report illegal content and does not assess systemic risks properly.
> Who leads enforcement?
> - B1: Digital Services Coordinator in the platform’s country of establishment.
> - B2: European Commission under the DSA.
> - B3: National data protection authority.
Scenario C
A high‑risk AI system used for credit scoring is found to be biased and non‑compliant with documentation and data governance requirements.
> Who leads enforcement?
> - C1: National AI authority/market surveillance authority under the AI Act.
> - C2: European AI Office.
> - C3: European Central Bank.
---
Suggested answers (compare with your reasoning)
- Scenario A: Mainly A1. The national market surveillance authority coordinates recalls, bans, etc., often working with other MSAs via ICSMS.
- Scenario B: For a VLOP, the European Commission (B2) is the primary enforcer, with support from DSCs.
- Scenario C: Primarily C1 (national AI authority). C2 may be involved if the issue concerns a general‑purpose AI model or cross‑border systemic risks.
Step 8 – Quick Check: Market Surveillance Basics
Test your understanding of market surveillance and accreditation.
Which statement best describes the relationship between accreditation, notified bodies, and market surveillance authorities in the EU product rules framework?
- A) Accreditation bodies enforce product rules directly, while market surveillance authorities only provide technical advice.
- B) Notified bodies certify products before they are placed on the market, and market surveillance authorities check products already on the market and can challenge notified bodies’ work if necessary.
- C) Market surveillance authorities must always use notified bodies before they can order a recall of a product.
Answer: B) Notified bodies certify products before they are placed on the market, and market surveillance authorities check products already on the market and can challenge notified bodies’ work if necessary.
Accreditation bodies assess the competence of conformity assessment bodies; some of these become notified bodies and perform pre-market conformity assessments. Market surveillance authorities act post-market, checking products in real conditions and may question or trigger review of a notified body’s assessments. They do not need a notified body’s approval to order recalls.
Step 9 – Quiz: DSA, DMA, and AI Act Enforcement
Now focus on coordinated enforcement for digital laws.
Who has primary direct enforcement powers over Very Large Online Platforms (VLOPs) under the Digital Services Act?
- A) The Digital Services Coordinator of the Member State where the platform is established
- B) The European Commission, supported by the European Board for Digital Services
- C) The European Data Protection Board
Answer: B) The European Commission, supported by the European Board for Digital Services
Under the DSA, the European Commission directly supervises and enforces obligations on VLOPs and VLOSEs, working with national Digital Services Coordinators through the European Board for Digital Services. DSCs remain key for other providers and local aspects, but the Commission leads for the largest platforms.
Step 10 – Key Terms Review
Flip the cards (mentally) to review essential concepts from this module.
- Market Surveillance (Regulation (EU) 2019/1020)
- Activities carried out by national authorities to ensure products on the EU market comply with EU harmonisation legislation and do not endanger health, safety, or other public interests. It includes inspections, sampling, testing, corrective measures, and coordination across Member States.
- Accreditation
- A procedure by which a national accreditation body formally recognises that a conformity assessment body is competent to perform specific conformity assessment tasks (e.g. testing, certification) according to harmonised standards.
- Notified Body
- A conformity assessment body designated by a Member State and notified to the European Commission and other Member States to carry out specific conformity assessment tasks under EU harmonisation legislation (e.g. medical devices, machinery). Listed in the NANDO database.
- Digital Services Coordinator (DSC)
- The national authority designated in each Member State as the main enforcer of the Digital Services Act for providers under its jurisdiction, responsible for supervision, investigations, and cooperation with other DSCs and the European Commission.
- European Board for Digital Services (EBDS)
- A body composed of Digital Services Coordinators and the European Commission that supports consistent application of the DSA, facilitates cooperation, issues opinions and guidance, and assists in cross-border cases.
- European AI Office
- A structure within the European Commission created under the AI Act to coordinate enforcement, especially for general-purpose AI models, support national authorities, and help ensure consistent application of the AI Act across the EU.
- Infringement Procedure
- A process by which the European Commission takes action against a Member State that is believed not to have correctly implemented or applied EU law, potentially leading to a case before the Court of Justice of the EU.
- Coordinated Enforcement
- Mechanisms and processes (e.g. boards, joint investigations, shared IT systems) that allow national authorities and EU institutions to enforce EU rules consistently across Member States, especially in cross-border or digital contexts.
Step 11 – Apply It: Explain Enforcement vs Rule‑Making
Try to summarise in your own words (2–3 sentences) the difference between rule‑making and enforcement in the EU, and give one concrete example from this module.
Use this simple structure:
- Rule‑making in the EU is …
- Enforcement in the EU is …
- Example: [e.g. DSA, AI Act, or 2019/1020]
Write your answer (on paper or in a document), then check against this model answer:
> Rule‑making in the EU is the process by which the Parliament, Council, and Commission create general rules (Regulations, Directives, etc.). Enforcement is how national authorities and EU bodies apply those rules in practice, through supervision, inspections, and sanctions. For example, the DSA was adopted by the Parliament and Council, but it is enforced by Digital Services Coordinators and, for Very Large Online Platforms, by the European Commission.
Key Terms
- AI Act
- Regulation (EU) 2024/1689, the EU’s horizontal framework for artificial intelligence, using a risk-based approach and introducing obligations for high-risk AI systems and general-purpose AI models.
- Accreditation
- Formal recognition by a national accreditation body that a conformity assessment body is competent to carry out specific tasks according to harmonised standards.
- Notified Body
- A conformity assessment body designated by a Member State and notified to the European Commission to perform specified assessment tasks under EU harmonisation legislation.
- European AI Office
- A body within the European Commission tasked with coordinating enforcement of the AI Act, especially for general-purpose AI, and supporting national authorities.
- Market Surveillance
- Activities by national authorities to ensure that products on the EU market comply with EU harmonisation legislation and do not endanger health, safety, or other public interests.
- Infringement Procedure
- The formal process by which the European Commission can take a Member State to the Court of Justice of the EU for failing to comply with EU law.
- Digital Markets Act (DMA)
- Regulation (EU) 2022/1925, which imposes obligations on large online platforms designated as gatekeepers to ensure fair and contestable digital markets, enforced centrally by the European Commission.
- Regulation (EU) 2019/1020
- The EU Market Surveillance and Compliance of Products Regulation, in force since July 2021, which harmonises and strengthens market surveillance and enforcement rules across the EU.
- Digital Services Act (DSA)
- Regulation (EU) 2022/2065, which sets horizontal rules for online intermediaries and platforms, including obligations for content moderation, transparency, and risk management, with special rules for Very Large Online Platforms and Search Engines.
- Digital Services Coordinator
- The main national authority in each Member State responsible for supervising and enforcing the DSA for providers under its jurisdiction.
- New Legislative Framework (NLF)
- A set of EU instruments and principles that harmonise how product legislation is designed and enforced, including rules on conformity assessment, accreditation, CE marking, and market surveillance.
- European Board for Digital Services
- A body bringing together Digital Services Coordinators and the European Commission to support consistent application and coordinated enforcement of the DSA.