CRA market surveillance: the ANFR perspective
For manufacturers of connected radio products, the authority that matters for both the RED directive and the CRA is ANFR, not DGCCRF. Both regulations are enforced by the same small team of inspectors, operating under a resource constraint that shapes enforcement into a model of exemplary cases. Article 14 creates an investigation channel that did not exist before: a manufacturer who notifies a vulnerability becomes visible to ANFR; one who does not becomes exposed when the flaw becomes public. This article covers what ANFR looks for in a CRA technical file, what triggers a control, and why the CRA sanction regime changes the risk calculus for investors.
ANFR is not DGCCRF. That distinction, self-evident to specialists, poorly understood at board level, structures the entire enforcement risk for connected radio product manufacturers. For the RED directive: ANFR. For the CRA: ANFR. Understanding how ANFR works, what it looks for in a CRA technical file, and how CRA enforcement will be structured in the years ahead is the purpose of this article, written from inside a manufacturer that built its compliance plan under that same scrutiny.
ANFR: the reference authority for radio products and the CRA
France has designated ANFR (Agence nationale des fréquences) as the market surveillance authority for the Radio Equipment Directive (2014/53/EU). For the CRA, the pending DDADUE Bill, currently in the legislative process, confers investigation powers on ANFR from 11 June 2026 and sanction powers from 11 December 2027. Concentrating both regulations under the same authority makes sense: a manufacturer of radio alarm systems or IoT equipment that must comply with RED and CRA has a single enforcement counterpart for both.
DGCCRF has general competence over product safety but has no CRA mandate. It does not run sectoral investigations into CRA compliance for radio equipment. If a DGCCRF inspector incidentally encounters a RED infringement during a control on another subject, they are empowered to pursue it, but this is marginal, and for now no equivalent exists for the CRA. For manufacturers of connected radio products, ANFR is the enforcement interlocutor.
The resource ratio is striking: ANFR has approximately 4 to 5 inspectors nationally for these controls. According to its 2024 activity report, approximately 300 RED-related controls were conducted during the year, equivalent in volume to three DGCCRF agents (each DGCCRF inspector averages roughly 100 controls per year). Of the 95 products sent for laboratory testing, the vast majority were phones tested for radiofrequency exposure (SAR). These numbers cover 2024, one year before the RED cybersecurity requirements entered into force (August 2025), so the absence of cyber testing in that period is expected.
The open question is whether volume will grow significantly as RED cyber becomes enforceable and the CRA approaches. This is a structural constraint, not a criticism of ANFR. With these resources, enforcement cannot be systematic. It will be selective, and inevitably organised around exemplary cases: the first manufacturers whose violations are detected will be pushed into the spotlight, with heavy sanctions and forced publication.
What triggers an ANFR control
The trigger mechanisms for an ANFR CRA control differ significantly from DGCCRF's. DGCCRF operates on a model of recurring sectoral surveillance calibrated to operator turnover (CPMM), or on sectoral sweeps. ANFR has a similar model for RED, but the CRA creates an investigation channel that did not exist before.
Article 14 as a direct trigger. When a manufacturer notifies ENISA and ANSSI of an actively exploited vulnerability in one of its products, this notification is visible to ANFR. For the first time, a product regulation creates an obligatory reporting channel that makes the manufacturer visible to the enforcement authority through the very act of compliance. This is not a problem in itself: the manufacturer who notifies is fulfilling its obligation. But that visibility can trigger a control on the technical file, remediation measures, and compliance with deadlines.
The inverse is more serious. When a flaw in a product becomes public, through a security researcher, a national CERT, or a media incident, and no Article 14 notification was filed, ANFR can ask why. That scenario, a public flaw with no prior notification, will be the primary trigger for the first formal CRA procedures. Failure to notify does not remain an administrative oversight: it transforms a technical incident into evidence of intent.
EUVD alerts and European coordination. The EUVD (European Vulnerability Database) aggregates CVEs and can be cross-referenced with products commercialised in the EU. A published vulnerability with a product identifier allows ANFR to identify affected manufacturers and initiate a control. Article 52 of the CRA establishes coordination mechanisms between market surveillance authorities: an investigation opened by a German or Dutch MSA on a specific product can trigger a follow-up by ANFR for the same product sold in France.
Sectoral sweeps. ANFR already conducts targeted category-level investigations for RED. The same logic will apply to the CRA: high-risk categories (toys, IoT gateways, routers, connected security products) will likely be prioritised in the first CRA sweeps.
Disgruntled former employees. This vector is not exclusive to DGCCRF. A former employee who knows which products have incomplete technical files, which vulnerabilities were identified internally and never notified, can bring that information to ANFR as easily as to DGCCRF. In the context of a redundancy process or a contentious departure, this risk is concrete and systematically underestimated.
The CRA maturity assessment
Before examining a single document, the inspector evaluates whether the company understands its CRA obligations. This is an unwritten test, but it shapes the entire control. For CRA, the maturity markers have a specific dimension. The inspector will be looking at whether the company:
- Has documented its classification decision (standard / Class I / Class II) and can justify it;
- Has selected and documented the conformity assessment module consistent with that classification;
- Has published an accessible CVD policy before placing products on the market;
- Is registered on the ENISA Single Reporting Platform;
- Has an operational internal vulnerability handling procedure and an Article 14 notification chain;
- Can produce an SBOM on request.
A company that answers these questions confidently, even if some documentary elements are still being finalised, is in a fundamentally different position from one that encounters these questions for the first time. The CRA is still recent; early controls will include a significant pedagogical component. But that tolerance will narrow rapidly as the December 2027 full conformity deadline approaches.
The CRA technical file: what ANFR examines
The CRA technical file (Annex VII) has a different structure from a classic CE technical file. ANFR will examine it in a specific order.
The EU Declaration of Conformity is the entry point. Is the product class stated? Is the assessment module consistent with the class? Are the cited standards pertinent in the CRA context? A delicate point: harmonised CRA standards are not yet available. EN 40000-1-2/3/4 and EN 304 632, for example, are in development but not yet harmonised under the regulation. A declaration of conformity that relies on these standards as though they were harmonised, or that cites standards manifestly unsuited to the CRA scope, will be an immediate warning signal.
The risk assessment (Annex I) is the central piece of the file. It must be product-specific, not generic. An assessment produced once for an entire product line, not broken down by product, does not satisfy the regulation's requirement. It must address the specific threat model for this product: its connection interfaces, its deployment context (residential, professional, industrial), its user population. Generic, line-wide assessments will be one of the most frequent non-conformity findings in the first years of CRA enforcement.
The vulnerability management procedure (Annex I Part II). ANFR will verify that an operational procedure is in place, not merely documented. Concrete indicators: a CVD policy published and publicly accessible (referenced in the manufacturer's security.txt file); an internal vulnerability handling procedure; Article 14 notification records for products already in service after September 2026.
The SBOM. Accessible on request by the authority under Article 13(14). ANFR will ask for it. An absent or incomplete SBOM signals that the 24-hour Article 14 deadline is not operationally sustainable for this manufacturer, which ANFR will interpret as a systemic failure, not a documentary one.
Test reports. Same reading grid as any CE file: have the correct clauses been tested? Are non-applicable clauses credibly justified? Was the laboratory accredited specifically for these tests? Is the version of the standard tested consistent with the market placement date?
The hardest case: a vulnerability with no possible fix
The most difficult scenario for a manufacturer facing ANFR is not incomplete documentation. It is this: a vulnerability is discovered in a product, and the manufacturer's response is that the available memory on the microcontroller cannot accommodate the required software patch.
This response — "we cannot patch because the hardware does not support it" — is entirely unacceptable from a regulatory standpoint. The only acceptable answer is to change the microcontroller, which implies a hardware revision and potentially a product recall. The authority will not offer this as a suggestion during the inspection: it is simply the only legally available path.
This is what secure by design means in the CRA context: the capacity to correct future vulnerabilities must be built into the hardware design before those vulnerabilities are known. An under-specified microcontroller with insufficient flash memory, chosen for cost reasons at design time, is a regulatory time bomb. The economic argument that justified that choice in 2020 will not be admissible before ANFR in 2027.
In a post-vulnerability situation, ANFR will focus not on proving that the original product was imperfect (the regulation does not demand perfection) but on verifying that a remediation procedure exists, is operational, and that the manufacturer can provide patches within the required timeframes. That is where scrutiny will concentrate, not on the initial conformity assessment, unless that assessment was particularly lacklustre.
ANFR enforcement escalation
ANFR's escalation ladder applies to the RED directive today and, pending enactment of the DDADUE Bill, to the CRA (investigation powers from 11 June 2026, sanctions from 11 December 2027):
- Formal notice (mise en demeure) — after an adversarial procedure, ANFR formally requests compliance within a specified period. This is a mandatory prerequisite to any financial sanction, and formal evidence that the problem is known. A mise en demeure establishes intentionality for any persistent non-conformity;
- Administrative fine — two radically different regimes depending on the regulation. For the RED directive, a cap of €7,500 (no real deterrent effect on a company). For CRA violations from December 2027, three tiers: up to €15 million or 2.5% of global turnover for breaches of essential requirements (Annex I) and manufacturer obligations (Art. 13-14 of the CRA); up to €10 million or 2% of turnover for process obligation failures (vulnerability management, notification, documentation, cooperation with authorities); up to €5 million or 1% of turnover for inaccurate or misleading information provided to authorities or notified bodies;
- Civil court referral — ANFR can refer to the civil court to order, under daily penalty, any measure to end the non-compliance;
- Product withdrawal or recall — by decision of the competent authority under Article L34-9 II 9° of the Electronic Communications Code (for radio equipment), and through the restriction and recall measures provided for under Article 54 of the CRA. This is the measure with the most immediate operational consequences;
- Trade secrets — a CRA-specific rule: in the context of CRA investigations, trade secrets cannot be invoked against ANFR or the competent state services (future Art. L43 I quinquies para. 2 CPCE, Art. 32 DDADUE Bill). This rule does not apply to RED enforcement;
- Forced publication — decisions may be published at the non-compliant party's expense. Reputational consequences are often more severe than the fine itself.
A critical point on post-inspection management: an inspection that ends without apparent incident is not over. The cold review of the technical file takes place at the inspector's desk after the visit. Requests for additional documents may follow, along with product sampling sent to a laboratory. The first priority after the inspector's departure is an internal risk assessment: what non-conformities are known to R&D teams on the inspected product? If a non-conformity is identified, initiating corrective action immediately, before any formal procedure opens, is consistently viewed favourably.
For investors: the CRA changes the due diligence calculus
Under the RED directive, the ANFR administrative fine cap was €7,500 for a legal entity, a figure with no real deterrent effect, easily absorbed in compliance costs. Under the CRA, the maximum reaches €15 million or 2.5% of global turnover. This order-of-magnitude shift structurally changes the regulatory risk calculation in any acquisition due diligence involving a connected product manufacturer.
There is no public registry of ANFR controls, though there is an open data portal on lab results. But several public indicators allow an assessment of a target's CRA maturity level:
- Is a CVD policy published on the manufacturer's website and referenced in a security.txt file? (Verifiable in two minutes);
- Is the manufacturer registered on the ENISA Single Reporting Platform?
- Do the commercialised products have a documented classification decision?
- Have any Article 14 notifications been filed since September 2026?
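The security.txt check listed above (the same indicator ANFR looks for under the vulnerability management procedure: a CVD policy referenced from the manufacturer's security.txt), scripted as an added example that is not from the original article or the author's company. It parses an RFC 9116 security.txt body and reports whether a Contact, a Policy link and an unexpired Expires field are present; the two security.txt bodies and the example-manufacturer.invalid domain are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: what a compliant /.well-known/security.txt might contain
SAMPLE_OK = """\
# constructed example, not a real manufacturer
Contact: mailto:security@example-manufacturer.invalid
Expires: 2027-01-01T00:00:00.000Z
Policy: https://example-manufacturer.invalid/cvd-policy
"""

# Constructed sample: a Contact but no Policy link, and an expired file
SAMPLE_WEAK = """\
Contact: mailto:info@example-manufacturer.invalid
Expires: 2024-01-01T00:00:00.000Z
"""

def parse_security_txt(text):
    """Map each RFC 9116 field name (lower-cased) to the list of its values;
    comment lines (#), blank lines and malformed lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp ('Z' suffix allowed) to an aware datetime."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def assess_cvd_indicators(text, now_iso=None):
    """Return the readiness findings for one security.txt body.
    now_iso pins the reference time (ISO 8601 string) for reproducible checks."""
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = {
        "has_contact": bool(fields.get("contact")),
        "has_policy": bool(fields.get("policy")),  # link to the CVD policy
        "not_expired": False,
    }
    try:
        findings["not_expired"] = _parse_timestamp(fields["expires"][0]) > now
    except (KeyError, ValueError):
        pass  # missing or unparseable Expires is a failing check
    findings["cvd_policy_referenced"] = all(findings.values())
    return findings
```

In a real check the body would be fetched from https://<manufacturer>/.well-known/security.txt; an absent file, an absent Policy field or a lapsed Expires date all leave the CVD indicator unsatisfied.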
The most effective documentary request remains a request for all exchanges with @anfr.fr and @*.gouv.fr email addresses, which surfaces correspondence with ANFR as with any other authority. But for ANFR, the absence of correspondence is less informative than for DGCCRF: with 4 to 5 national inspectors, many companies have never had contact with the authority. The absence of an ANFR file cannot be interpreted as an absence of risk; it is merely an absence of information.
CRA due diligence must combine classic documentary research with a direct check of public indicators (CVD policy, ENISA registration, documented product classification) to form a realistic assessment of a target's state of readiness.
Thomas Cutuil served as a DGCCRF officer from 2013 to 2024, specialising in CE compliance across the Machinery Directive, RED, Medical Devices Regulation, RoHS and WEEE. Since 2025 he has been Head of Regulatory Compliance at a manufacturer of radio-linked fire and intruder alarm systems, where he led the CRA compliance plan including scoping the Article 14 obligations across a multi-generation product portfolio.