FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Economic Operators

Use this CRA FAQ to understand who counts as a manufacturer, authorised representative, importer, distributor, or other responsible operator, and what each role must do before and after placing products on the Union market.

Built for legal, compliance, supply-chain, marketplace, and go-to-market teams allocating CRA responsibilities.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Sections
26

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

CRA economic-operator rules determine who must handle conformity, documentation, traceability, and authority-facing obligations across the Union supply chain. This FAQ focuses on operator roles, handoffs, due-care checks, role changes, and the extra EU-based responsible-operator requirement for non-EU products.

Search this module

Find a question or answer quickly

26 of 26 sections
Section 1

What is an economic operator under the CRA?

Under the CRA, an economic operator means the manufacturer, authorised representative, importer, distributor, or another natural or legal person that is subject to obligations relating to the manufacture of products with digital elements or to their making available on the market under the Regulation.

Citations
Recommended next step

Use EU Cyber Resilience Act FAQ Economic Operators as a cited research workflow

Research Copilot can turn EU Cyber Resilience Act FAQ Economic Operators into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ.

Research workflow
Open Research Copilot

Start from EU Cyber Resilience Act FAQ Economic Operators and move to source-backed decisions and evidence workflows.

Explore next step
Talk to Sorena
Talk through your EU Cyber Resilience Act FAQ implementation

Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ.

Explore next step
Section 2

How does the CRA distinguish manufacturers, authorised representatives, importers and distributors?

The CRA defines them as separate roles:

- the manufacturer develops, manufactures, or has the product designed, developed or manufactured, and markets it under its own name or trademark

- the authorised representative is an EU-established person with a written mandate from the manufacturer to act on specified tasks

- the importer is an EU-established person who places on the market a product bearing the name or trademark of a person established outside the Union

- the distributor is a person in the supply chain, other than the manufacturer or importer, who makes the product available on the Union market without affecting its properties

Citations
Section 3

Can the same company have different CRA roles for different products or sales channels?

Yes.

The CRA recognises that the same business can perform different functions depending on the product and the service it provides. A business that only provides online intermediation for one product may not be a CRA economic operator for that product, while the same business could still be a distributor or a manufacturer for other products that it actually sells or brands.

Citations
Section 4

If a company sells a product under its own brand, is it the manufacturer even if someone else designed or built it?

Yes.

Under the CRA definition, what matters is not only who physically developed or assembled the product, but also who markets it under its own name or trademark. If a business places the product on the market under its own brand, it takes the manufacturer role for CRA purposes.

Citations
Section 5

Is an authorised representative mandatory under the CRA?

Not in every case.

Article 18 says a manufacturer may appoint an authorised representative by written mandate, so the appointment is optional under the CRA itself. But where the manufacturer is established outside the Union, a CRA-covered product can only be placed on the Union market if there is an EU-established operator performing the tasks required by Article 4 of Regulation (EU) 2019/1020.

Citations
Section 6

Can a third-country manufacturer place CRA products on the Union market without any EU-based operator?

No.

The Commission FAQ explains that a non-EU manufacturer needs an economic operator established in the Union to perform the Article 4 tasks under Regulation (EU) 2019/1020. Depending on the setup, that can be an importer, an authorised representative or, where no other such operator exists, a fulfilment service provider.

Citations
Section 7

What can an authorised representative do under the CRA?

The authorised representative performs the tasks specified in the written mandate from the manufacturer. At minimum, that mandate must allow it to:

- keep the EU declaration of conformity and technical documentation at the disposal of market surveillance authorities

- provide the relevant information and documentation to market surveillance authorities on request

The authorised representative must also provide a copy of its mandate to market surveillance authorities on request.

Citations
Section 8

What can an authorised representative not take over from the manufacturer?

The authorised representative cannot take over the manufacturer's core product-compliance obligations listed in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14).

That means the authorised representative can help with documentation and authority-facing tasks, but it does not replace the manufacturer for the core design, risk assessment, conformity assessment and ongoing compliance duties that the CRA keeps with the manufacturer.

Citations
Section 9

What are the importer's key CRA checks before placing a product on the market?

Before placing a product on the market, the importer must ensure that:

- the manufacturer carried out the appropriate conformity assessment

- the manufacturer drew up the technical documentation

- the product bears the CE marking and is accompanied by the declaration of conformity and Annex II information and instructions in an understandable language

- the manufacturer complied with the identification, contact-detail and support-period-end-date obligations in Article 13(15), (16) and (19)

Citations
Section 10

What must an importer do under the CRA if it doubts compliance or learns of a vulnerability?

If the importer considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not place the product on the market until conformity is restored.

If the product presents a significant cybersecurity risk, the importer must inform the manufacturer and the market surveillance authorities. After placement on the market, if the importer becomes aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, also inform the relevant market surveillance authorities.

Citations
Section 11

What must an importer keep and provide to authorities under the CRA?

The importer must keep a copy of the EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after placement on the market or for the support period, whichever is longer. It must also ensure that the technical documentation can be made available and must provide the necessary information and documentation further to a reasoned request.

Citations
Section 12

What are the distributor's key CRA checks before making a product available on the market?

Before making a product available on the market, the distributor must verify that:

- the product bears the CE marking

- the manufacturer and the importer complied with the documentation and traceability obligations listed in Article 20(2)

- the necessary documents have been provided to the distributor

The distributor must also act with due care in relation to the CRA's requirements.

Citations
Section 13

What must a distributor do under the CRA if it suspects non-compliance or learns of a vulnerability?

If the distributor considers or has reason to believe that the product or the manufacturer's processes are not in conformity, it must not make the product available until conformity is restored.

If the distributor later knows or has reason to believe that a product it has made available is not in conformity, it must make sure that corrective measures, withdrawal or recall are taken as appropriate. Upon becoming aware of a vulnerability, it must inform the manufacturer without undue delay and, where there is a significant cybersecurity risk, immediately inform the relevant market surveillance authorities.

Citations
Section 14

What must a distributor provide to authorities under the CRA, and what if the manufacturer ceases operations?

Further to a reasoned request, the distributor must provide the information and documentation necessary to demonstrate conformity and cooperate with the market surveillance authority on measures to eliminate cybersecurity risks.

If the distributor becomes aware that the manufacturer has ceased operations and can no longer comply with the CRA, it must inform the relevant market surveillance authorities without undue delay and, to the extent possible, also inform the users of the products placed on the market.

Citations
Section 15

When does an importer or distributor become the manufacturer under the CRA?

An importer or distributor becomes the manufacturer for CRA purposes if it:

- places the product on the market under its own name or trademark, or

- carries out a substantial modification of a product already placed on the market

In that case it becomes subject to Articles 13 and 14 as manufacturer.

Citations
Section 16

What if a company that is not the manufacturer, importer or distributor substantially modifies the product?

A natural or legal person other than the manufacturer, importer or distributor that carries out a substantial modification and makes the product available on the market is also treated as the manufacturer.

That person becomes subject to the CRA manufacturer obligations for the affected part of the product or, if the substantial modification affects the cybersecurity of the product as a whole, for the entire product.

Citations
Section 17

What traceability information must economic operators keep?

On request, economic operators must provide the market surveillance authorities with the name and address of the operator who supplied them with the product and, where available, the operator to whom they supplied it.

They must be able to present that information for 10 years after they were supplied with the product and for 10 years after they supplied it.

Citations
Section 18

Is a fulfilment service provider an economic operator under the CRA itself?

Not as a named CRA operator category in Articles 18 to 23.

But the Commission FAQ explains that, for CRA-covered products, a fulfilment service provider established in the Union can act as the Article 4 responsible operator under Regulation (EU) 2019/1020 where there is no Union manufacturer, importer or authorised representative.

Citations
Section 19

Does running an online marketplace automatically make a business a distributor or another CRA economic operator?

No.

The CRA says that where an entity only provides online intermediation services for a given product and is merely a provider of an online marketplace, it does not qualify as one of the CRA economic operators for that product. But if the same entity also distributes that product, sells it under its own brand, or otherwise acts in an economic-operator role, it must comply with the obligations of that role.

Citations
Section 20

Does hosting software on a repository or package manager automatically make the platform a distributor?

No.

The CRA says the sole act of hosting products with digital elements on open repositories, package managers or collaboration platforms does not by itself amount to making them available on the market. A provider of such a service is treated as a distributor only if it actually makes the software available on the Union market in the course of a commercial activity.

Citations
Section 21

When do the CRA operator obligations for authorised representatives, importers and distributors start applying?

As a rule, they apply from 11 December 2027.

That is the CRA's general application date for the main economic-operator obligations in Chapter II. Earlier application dates in Article 71 concern other parts of the Regulation, such as notified bodies and reporting obligations, not the ordinary importer, distributor and authorised representative obligations as such.

Citations
Section 22

If a third-country manufacturer sells directly to an EU end user, must there still be an EU-based responsible operator?

Yes.

The CRA FAQ explains that a product with digital elements can be placed on the Union market only if there is an economic operator established in the Union performing the Article 4 tasks under Regulation (EU) 2019/1020. In direct third-country sales there may be no traditional importer in the usual commercial sense, but that does not remove the requirement. Depending on the setup, the role can be fulfilled by an authorised representative or, if none exists, a fulfilment service provider established in the Union.

Citations
Section 23

Does a distributor have to keep its own 10-year copy of the declaration of conformity like an importer does?

No, not as a general CRA retention duty.

Under the CRA, the explicit long-term declaration-retention duty is imposed on manufacturers, authorised representatives within their mandate, and importers. Distributors must verify before making the product available that the required marking and documentation obligations have been met, and they must provide necessary information and documentation to authorities further to a reasoned request, but Article 20 does not impose the same express 10-year copy-retention duty on distributors that Article 19(6) imposes on importers.

Citations
Section 24

Must importers and distributors redo the manufacturer's full CRA assessment themselves?

No.

Importers and distributors have real due-care and verification duties, but the CRA does not turn them into second manufacturers by default. Importers must check that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and supplied the required declaration and Annex II information. Distributors must verify the marking and the listed documentation and traceability elements before making the product available. Those roles must react when they have reason to believe there is non-compliance, but they are not required by Articles 19 or 20 to repeat the manufacturer's risk assessment or conformity assessment from scratch.

Citations
Section 25

Can an authorised representative become the importer if it actually supplies the product in the Union?

Yes.

The Blue Guide explains that an authorised representative of a third-country manufacturer is no longer acting merely as an authorised representative if it supplies the product to a distributor or directly to a consumer within the Union. In that case it becomes the importer and is subject to the importer's obligations.

Citations
Section 26

Are distributors required to bring into CRA compliance products that were already placed on the market before 11 December 2027?

No, unless they substantially modify them.

The Commission FAQ says products with digital elements placed on the market before 11 December 2027 are not subject to the CRA requirements, apart from the earlier reporting obligation timing rules, unless they are substantially modified. A distributor is therefore not required to retrofit those pre-application products into CRA compliance merely because it continues making them available on or after 11 December 2027.

Citations
Primary sources

References and citations

Cyber Resilience Act
data.europa.eu23 citations
Referenced sections
  • Article 3(12)
  • Article 3(13), Article 3(15)-(17)
  • recital 78
Show 19 more
  • Article 3(13), recital 78
  • Article 18(1)
  • Article 18(3)
  • Article 18(2)-(3)
  • Article 19(1)-(2)
  • Article 19(3), Article 19(5)
  • Article 19(6)-(7)
  • Article 20(1)-(2)
  • Article 20(3)-(4)
  • Article 20(5)-(6)
  • Article 21
  • Article 22
  • Article 23
  • Article 3(12), Articles 18-23
  • recital 19
  • Articles 18-23, Article 71(2)
  • Article 13(13), Article 18(3)(a), Article 19(6)-(7), Article 20(2) and Article 20(5)
  • Article 19(2)-(3), Article 20(1)-(3)
  • Article 71(2)
Related guides

Explore more topics

Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies
CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities
CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products
CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
CRA Core Functionality FAQ | Important Products, Critical Products, Classification
CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints
CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties
CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code
CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication
CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality
CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components
CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery
CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries
CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification
CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation
CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance
CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation
CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence
CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions
CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths
CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards
CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation
CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility
CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products
CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions
CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits
CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)
CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products
CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability
CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence
CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates
CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay
CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions
CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices
CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing
CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.