The CRA Is Not Just the Manufacturer's Problem: What Importers and Distributors Must Do

If you import or distribute connected products in the EU, the Cyber Resilience Act (Regulation (EU) 2024/2847) creates direct obligations for you - not just for the company that built the product. Assuming otherwise is one of the most common and costly misreadings of the law.
Key points
- Importers and distributors are named economic operators under the CRA, each with their own duties.
- Importers must verify manufacturer compliance before placing a product on the EU market.
- Distributors must check that CE marking and documentation are present before making a product available.
- If you sell under your own brand or substantially modify a product, you become the manufacturer - with the full obligation set that entails.
- Reporting obligations apply from 11 September 2026; full application of the CRA begins 11 December 2027.
The three roles: manufacturer, importer, distributor
The CRA splits responsibility across three economic operators. Understanding which box you sit in is the first step.
Manufacturer - the entity that designs, develops, or produces a product with digital elements (or has it made) and places it on the market under its own name or trademark. Manufacturers carry the heaviest burden: conformity assessment, technical documentation, CE marking, EU Declaration of Conformity, vulnerability handling, and incident reporting.
Importer - a natural or legal person established in the EU who places on the market a product with digital elements manufactured outside the EU. Importers are the gateway for non-EU products. Their job is to verify that the manufacturer has done its homework before the product crosses into the single market.
Distributor - a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the EU market without affecting its properties. Distributors sit further down the chain - resellers, retailers, wholesalers - and have a lighter but still real set of checks to perform.
Not sure which role applies to you? Use the CRA scope & role checker to find out quickly.
What importers must verify (Article 19)
Before placing any product on the EU market, importers must ensure that the appropriate conformity assessment procedures have been carried out by the manufacturer, that the manufacturer has drawn up the technical documentation, that the product bears the CE marking and is accompanied by the EU Declaration of Conformity, and that the manufacturer has complied with requirements including designating a contact point for vulnerability reporting.
In plain English, you need to confirm four things from your supplier:
- Conformity assessment done - the manufacturer has completed the correct assessment procedure for the product's risk class (self-assessment for most default products; third-party involvement for important and critical products).
- Technical documentation exists - the manufacturer can produce the technical file if a market surveillance authority asks for it.
- CE marking and EU Declaration of Conformity present - the CE mark is on the product or packaging, and the signed Declaration of Conformity accompanies it.
- Vulnerability contact point in place - the manufacturer has a published way for users and researchers to report security issues.
If any of these are missing, the importer shall not place the product on the market until the product or the manufacturer's processes have been brought into conformity with the Regulation. Where the product presents a significant cybersecurity risk, the importer must also inform the manufacturer and the relevant market surveillance authorities.
Importers must also put their own name and contact details on the product or its packaging, and keep a copy of the EU Declaration of Conformity for at least 10 years after the product has been placed on the market, or for the support period, whichever is longer.
If a manufacturer ceases operations and can no longer meet its CRA obligations, the importer must inform the relevant market surveillance authorities and, as far as possible, the product's users.
Importer pre-market checklist
What distributors must verify (Article 20)
Distributors have a narrower but still mandatory set of checks. Before making a product with digital elements available on the market, distributors shall verify that the CE marking is present, that the required instructions and information accompany the product, and that the manufacturer and importer have complied with their key obligations and provided all necessary documents.
The practical difference from importers: distributors are not expected to audit the manufacturer's technical file in depth. They are expected to confirm that the visible compliance signals - CE marking, documentation, instructions - are present and correct.
If a distributor suspects non-compliance, the rules are clear. Where a distributor considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements, the distributor shall not make the product available on the market until it has been brought into conformity. Where the product poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities.
If a distributor discovers a vulnerability in a product it has already made available, it must inform the manufacturer without undue delay.
Distributor pre-distribution checklist
| Check | What to look for |
|---|---|
| CE marking | Visible on product, packaging, or accompanying document |
| EU Declaration of Conformity | Present or accessible (e.g. via QR code / URL) |
| User instructions | In a language understood by the target market |
| Manufacturer contact details | Name, address, and security contact on product or packaging |
| Importer details (if applicable) | EU importer name and contact present |
The rule that catches people off guard: when you become the manufacturer
This is the provision most importers and distributors overlook. An importer or distributor shall be considered to be a manufacturer for the purposes of the CRA, and shall be subject to the full manufacturer obligations under Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its own name or trademark, or carries out a substantial modification of a product with digital elements already placed on the market.
Two scenarios trigger this:
- Own-brand / white-label products - you source a product from a third-party manufacturer and sell it under your own brand. You are now the manufacturer.
- Substantial modification - you make significant changes to a product's hardware, firmware, or software after it has already been placed on the market. The CRA treats this as a new product placement, and you take on full manufacturer duties.
If either applies to you, read the full obligations guide - the requirements are significantly more demanding.
The timeline
The CRA entered into force on 10 December 2024. The key dates for importers and distributors are:
| Date | What happens |
|---|---|
| 10 December 2024 | CRA entered into force |
| 11 June 2026 | Rules for conformity assessment bodies apply |
| 11 September 2026 | Reporting obligations (Article 14) begin - applies to all products on the market |
| 11 December 2027 | Full CRA application - all products placed on the market must comply |
Note that reporting obligations apply to all products with digital elements that have been made available on the EU market, including those already placed on the market before 11 December 2027. This means the September 2026 deadline is relevant to importers and distributors now, not just manufacturers.
Products placed on the market before 11 December 2027 are not required to comply with the full post-2027 requirements - unless they undergo a substantial modification after that date.
For a full breakdown of every confirmed date, see the CRA deadlines page and the overview on the European Commission's CRA pages.
What to do now
If you import or distribute products with digital elements in the EU, the practical steps are:
- Identify your role - importer, distributor, or (if you white-label or modify) manufacturer. Use the scope checker if you are unsure.
- Audit your current supplier documentation - request EU Declarations of Conformity, CE marking evidence, and vulnerability contact details from every manufacturer you work with.
- Update your procurement contracts - require suppliers to provide and maintain CRA-compliant documentation as a contractual condition.
- Build a non-compliance response process - know in advance what you will do if a product fails your checks or a vulnerability is reported to you.
- Watch the September 2026 reporting deadline - even if your products are already on the market, the vulnerability reporting obligations will apply.
Read the full CRA overview for context on the broader regulation, and subscribe to The CRA Brief for updates as harmonised standards and guidance documents are published.
This article is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against Regulation (EU) 2024/2847 and seek qualified legal counsel for your specific situation.