EU Cyber Resilience Act FAQ Economic Operators

Under the CRA, an economic operator means the manufacturer, authorised representative, importer, distributor, or another natural or legal person that is subject to obligations relating to the manufacture of products with digital elements or to their making available on the market under the Regulation.

The CRA defines them as separate roles:

- the manufacturer develops, manufactures, or has the product designed, developed or manufactured, and markets it under its own name or trademark

- the authorised representative is an EU-established person with a written mandate from the manufacturer to act on specified tasks

- the importer is an EU-established person who places on the market a product bearing the name or trademark of a person established outside the Union

- the distributor is a person in the supply chain, other than the manufacturer or importer, who makes the product available on the Union market without affecting its properties

Yes.

The CRA recognises that the same business can perform different functions depending on the product and the service it provides. A business that only provides online intermediation for one product may not be a CRA economic operator for that product, while the same business could still be a distributor or a manufacturer for other products that it actually sells or brands.

Yes.

Under the CRA definition, what matters is not only who physically developed or assembled the product, but also who markets it under its own name or trademark. If a business places the product on the market under its own brand, it takes the manufacturer role for CRA purposes.

Not in every case.

Article 18 says a manufacturer may appoint an authorised representative by written mandate, so the appointment is optional under the CRA itself. But where the manufacturer is established outside the Union, a CRA-covered product can only be placed on the Union market if there is an EU-established operator performing the tasks required by Article 4 of Regulation (EU) 2019/1020.

No.

The Commission FAQ explains that a non-EU manufacturer needs an economic operator established in the Union to perform the Article 4 tasks under Regulation (EU) 2019/1020. Depending on the setup, that can be an importer, an authorised representative or, where no other such operator exists, a fulfilment service provider.

The authorised representative performs the tasks specified in the written mandate from the manufacturer. At minimum, that mandate must allow it to:

- keep the EU declaration of conformity and technical documentation at the disposal of market surveillance authorities

- provide the relevant information and documentation to market surveillance authorities on request

The authorised representative must also provide a copy of its mandate to market surveillance authorities on request.

The authorised representative cannot take over the manufacturer's core product-compliance obligations listed in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14).

That means the authorised representative can help with documentation and authority-facing tasks, but it does not supersede the manufacturer for the core design, risk assessment, conformity assessment and ongoing compliance duties that the CRA keeps with the manufacturer.

Before placing a product on the market, the importer must ensure that:

- the manufacturer carried out the appropriate conformity assessment

- the manufacturer drew up the technical documentation

- the product bears the CE marking and is accompanied by the declaration of conformity and Annex II information and instructions in an understandable language

- the manufacturer complied with the identification, contact-detail and support-period-end-date obligations in Article 13(15), (16) and (19)

If the importer considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not place the product on the market until conformity is restored.

If the product presents a significant cybersecurity risk, the importer must inform the manufacturer and the market surveillance authorities. After placement on the market, if the importer becomes aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, also inform the relevant market surveillance authorities.

The importer must keep a copy of the EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after placement on the market or for the support period, whichever is longer. It must also ensure that the technical documentation can be made available and must provide the necessary information and documentation further to a reasoned request.

Before making a product available on the market, the distributor must verify that:

- the product bears the CE marking

- the manufacturer and the importer complied with the documentation and traceability obligations listed in Article 20(2)

- the necessary documents have been provided to the distributor

The distributor must also act with due care in relation to the CRA's requirements.

If the distributor considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not make the product available until conformity is restored.

If the distributor later knows or has reason to believe that a product it has made available is not in conformity, it must make sure that corrective measures, withdrawal or recall are taken as appropriate. Upon becoming aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, immediately inform the relevant market surveillance authorities.

Further to a reasoned request, the distributor must provide the information and documentation necessary to demonstrate conformity and cooperate with the market surveillance authority on measures to eliminate cybersecurity risks.

If the distributor becomes aware that the manufacturer has ceased operations and can no longer comply with the CRA, it must inform the relevant market surveillance authorities without undue delay and, to the extent possible, also inform the users of the products placed on the market.

An importer or distributor becomes the manufacturer for CRA purposes if it:

- places the product on the market under its own name or trademark, or

- carries out a substantial modification of a product already placed on the market

In that case it becomes subject to Articles 13 and 14 as manufacturer.

A natural or legal person other than the manufacturer, importer or distributor that carries out a substantial modification and makes the product available on the market is also treated as the manufacturer.

That person becomes subject to the CRA manufacturer obligations for the affected part of the product or, if the substantial modification affects the cybersecurity of the product as a whole, for the entire product.

On request, economic operators must provide the market surveillance authorities with the name and address of the operator who supplied them with the product and, where available, the operator to whom they supplied it.

They must be able to present that information for 10 years after they were supplied with the product and for 10 years after they supplied it.

Not as a named CRA operator category in Articles 18 to 23.

But the Commission FAQ explains that, for CRA-covered products, a fulfilment service provider established in the Union can act as the Article 4 responsible operator under Regulation (EU) 2019/1020 where there is no Union manufacturer, importer or authorised representative.

No.

The CRA says that where an entity only provides online intermediation services for a given product and is merely a provider of an online marketplace, it does not qualify as one of the CRA economic operators for that product. But if the same entity also distributes that product, sells it under its own brand, or otherwise acts in an economic-operator role, it must comply with the obligations of that role.

No.

The CRA says the sole act of hosting products with digital elements on open repositories, package managers or collaboration platforms does not by itself amount to making them available on the market. A provider of such a service is treated as a distributor only if it actually makes the software available on the Union market in the course of a commercial activity.

As a rule, they apply from 11 December 2027.

That is the CRA's general application date for the main economic-operator obligations in Chapter II. Earlier application dates in Article 71 concern other parts of the Regulation, such as notified bodies and reporting obligations, not the ordinary importer, distributor and authorised representative obligations as such.

Yes.

The CRA FAQ explains that a product with digital elements can be placed on the Union market only if there is an economic operator established in the Union performing the Article 4 tasks under Regulation (EU) 2019/1020. In direct third-country sales there may be no traditional importer in the usual commercial sense, but that does not remove the requirement. Depending on the setup, the role can be fulfilled by an authorised representative or, if none exists, a fulfilment service provider established in the Union.

No, not as a general CRA retention duty.

Under the CRA, the explicit long-term declaration-retention duty is imposed on manufacturers, authorised representatives within their mandate, and importers. Distributors must verify before making the product available that the required marking and documentation obligations have been met, and they must provide necessary information and documentation to authorities further to a reasoned request, but Article 20 does not impose the same express 10-year copy-retention duty on distributors that Article 19(6) imposes on importers.

No.

Importers and distributors have real due-care and verification duties, but the CRA does not turn them into second manufacturers by default. Importers must check that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and supplied the required declaration and Annex II information. Distributors must verify the marking and the listed documentation and traceability elements before making the product available. Those roles must react when they have reason to believe there is non-compliance, but they are not required by Articles 19 or 20 to repeat the manufacturer's risk assessment or conformity assessment from scratch.

Yes.

The Blue Guide explains that an authorised representative of a third-country manufacturer is no longer acting merely as an authorised representative if it supplies the product to a distributor or directly to a consumer within the Union. In that case it becomes the importer and is subject to the importer's obligations.

No, unless they substantially modify them.

The Commission FAQ says products with digital elements placed on the market before 11 December 2027 are not subject to the CRA requirements, apart from the earlier reporting obligation timing rules, unless they are substantially modified. A distributor is therefore not required to retrofit those pre-application products into CRA compliance merely because it continues making them available on or after 11 December 2027.

Keep evidence by product and by operator role, not only in a generic CRA folder. The file should show who placed the product on the market, who made it available, whether a non-EU manufacturer has an EU-established Article 4 operator, and whether any importer, distributor or other person triggered manufacturer status by branding the product or substantially modifying it.

For the manufacturer role, keep the EU declaration of conformity, technical documentation, conformity-assessment record, cybersecurity risk assessment, support-period statement, Annex II user information, vulnerability-handling process, and Article 14 reporting evidence. For an authorised representative, keep the signed mandate, the declaration and technical-documentation custody record, authority-request log, and any task limits showing which Article 13 duties remain with the manufacturer.

For importers, keep the pre-placement check that the manufacturer completed conformity assessment, technical documentation, CE marking, declaration, Annex II information and required contact details; keep the importer's own contact details, manufacturer access assurance, declaration copy retention control, and escalation records for non-conformity, vulnerabilities or significant cybersecurity risk. For distributors, keep the due-care check before making the product available, evidence that required documents were supplied, traceability records for suppliers and recipients, and logs of corrective actions, withdrawal, recall, authority cooperation or manufacturer-cessation notices.