FAQ item index

Search every question across CRA sub-FAQs

Indexed coverage: 1072 of 1072 items across 40 modules
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Economic Operators

When does an importer or distributor become the manufacturer under the CRA?

An importer or distributor becomes the manufacturer for CRA purposes if it:

- places the product on the market under its own name or trademark, or

- carries out a substantial modification of a product already placed on the market

In that case it becomes subject to Articles 13 and 14 as manufacturer.

CRA Economic Operators

What if a company that is not the manufacturer, importer or distributor substantially modifies the product?

A natural or legal person other than the manufacturer, importer or distributor that carries out a substantial modification and makes the product available on the market is also treated as the manufacturer.

That person becomes subject to the CRA manufacturer obligations for the affected part of the product or, if the substantial modification affects the cybersecurity of the product as a whole, for the entire product.

CRA Economic Operators

What traceability information must economic operators keep?

On request, economic operators must provide the market surveillance authorities with the name and address of the operator who supplied them with the product and, where available, the operator to whom they supplied it.

They must be able to present that information for 10 years after they were supplied with the product and for 10 years after they supplied it.

CRA Economic Operators

Is a fulfilment service provider an economic operator under the CRA itself?

Not as a named CRA operator category in Articles 18 to 23.

But the Commission FAQ explains that, for CRA-covered products, a fulfilment service provider established in the Union can act as the Article 4 responsible operator under Regulation (EU) 2019/1020 where there is no Union manufacturer, importer or authorised representative.

CRA Economic Operators

Does running an online marketplace automatically make a business a distributor or another CRA economic operator?

No.

The CRA says that where an entity only provides online intermediation services for a given product and is merely a provider of an online marketplace, it does not qualify as one of the CRA economic operators for that product. But if the same entity also distributes that product, sells it under its own brand, or otherwise acts in an economic-operator role, it must comply with the obligations of that role.

CRA Economic Operators

Does hosting software on a repository or package manager automatically make the platform a distributor?

No.

The CRA says the sole act of hosting products with digital elements on open repositories, package managers or collaboration platforms does not by itself amount to making them available on the market. A provider of such a service is treated as a distributor only if it actually makes the software available on the Union market in the course of a commercial activity.

CRA Economic Operators

When do the CRA operator obligations for authorised representatives, importers and distributors start applying?

As a rule, they apply from 11 December 2027.

That is the CRA's general application date for the main economic-operator obligations in Chapter II. Earlier application dates in Article 71 concern other parts of the Regulation, such as notified bodies and reporting obligations, not the ordinary importer, distributor and authorised representative obligations as such.

CRA Economic Operators

If a third-country manufacturer sells directly to an EU end user, must there still be an EU-based responsible operator?

Yes.

The CRA FAQ explains that a product with digital elements can be placed on the Union market only if there is an economic operator established in the Union performing the Article 4 tasks under Regulation (EU) 2019/1020. In direct third-country sales there may be no traditional importer in the usual commercial sense, but that does not remove the requirement. Depending on the setup, the role can be fulfilled by an authorised representative or, if none exists, a fulfilment service provider established in the Union.

CRA Economic Operators

Does a distributor have to keep its own 10-year copy of the declaration of conformity like an importer does?

No, not as a general CRA retention duty.

Under the CRA, the explicit long-term declaration-retention duty is imposed on manufacturers, authorised representatives within their mandate, and importers. Distributors must verify before making the product available that the required marking and documentation obligations have been met, and they must provide necessary information and documentation to authorities further to a reasoned request, but Article 20 does not impose the same express 10-year copy-retention duty on distributors that Article 19(6) imposes on importers.

CRA Economic Operators

Must importers and distributors redo the manufacturer's full CRA assessment themselves?

No.

Importers and distributors have real due-care and verification duties, but the CRA does not turn them into second manufacturers by default. Importers must check that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, and supplied the required declaration and Annex II information. Distributors must verify the marking and the listed documentation and traceability elements before making the product available. Those roles must react when they have reason to believe there is non-compliance, but they are not required by Articles 19 or 20 to repeat the manufacturer's risk assessment or conformity assessment from scratch.

CRA Economic Operators

Can an authorised representative become the importer if it actually supplies the product in the Union?

Yes.

The Blue Guide explains that an authorised representative of a third-country manufacturer is no longer acting merely as an authorised representative if it supplies the product to a distributor or directly to a consumer within the Union. In that case it becomes the importer and is subject to the importer's obligations.

CRA Economic Operators

Are distributors required to bring into CRA compliance products that were already placed on the market before 11 December 2027?

No, unless they substantially modify them.

The Commission FAQ says products with digital elements placed on the market before 11 December 2027 are not subject to the CRA requirements, apart from the earlier reporting obligation timing rules, unless they are substantially modified. A distributor is therefore not required to retrofit those pre-application products into CRA compliance merely because it continues making them available on or after 11 December 2027.

CRA Essential Cybersecurity Requirements

What are the CRA's essential cybersecurity requirements?

The CRA splits the essential cybersecurity requirements into two parts:

- Part I of Annex I covers the cybersecurity properties the product itself must have

- Part II of Annex I covers the vulnerability-handling processes the manufacturer must put in place

CRA Essential Cybersecurity Requirements

Do products with digital elements need to comply with both Part I and Part II of Annex I?

Yes.

Under Article 6, products may only be made available on the market where the product meets the Part I requirements and the manufacturer's processes comply with the Part II requirements.

CRA Essential Cybersecurity Requirements

Do Part I and Part II work in exactly the same way over time?

No.

Part I focuses on the product as placed on the market. Part II contains vulnerability-handling obligations that manufacturers must comply with when the product is placed on the market and throughout the support period.

CRA Essential Cybersecurity Requirements

Does the CRA prescribe one fixed technical checklist or one mandatory methodology for meeting the essential cybersecurity requirements?

No.

The requirements are objective-oriented and technology-neutral. The CRA does not mandate one specific cybersecurity risk-assessment methodology. Manufacturers can choose their methodology, but it must support identifying, evaluating and treating the relevant risks and documenting how the essential requirements are met.

CRA Essential Cybersecurity Requirements

Are all Annex I requirements mandatory for every product in exactly the same way?

Not in exactly the same way.

For Part II, manufacturers need to comply with all vulnerability-handling requirements. For Part I, Article 13(3) requires the manufacturer to determine through the cybersecurity risk assessment which point (2) requirements are applicable to the product and how they are implemented. If a specific requirement is not applicable, the manufacturer must include a clear justification in the technical documentation.

CRA Essential Cybersecurity Requirements

What does Annex I Part I, point (1) mean in practice?

It is the general product-level requirement to ensure an appropriate level of cybersecurity based on the risks.

The March 2026 draft guidance explains that this point is meant to catch additional cybersecurity risks identified by the risk assessment that are not otherwise adequately addressed by the other specific Part I requirements. In most cases, complying with the other applicable Part I requirements will also satisfy point (1), but if additional relevant risks remain, the manufacturer still has to address them at product level.

CRA Essential Cybersecurity Requirements

Does the CRA require products to be free from all vulnerabilities?

No.

The CRA does not require a product to be free from all vulnerabilities. For placement on the market, the relevant product requirement is that, on the basis of the cybersecurity risk assessment and where applicable, the product is made available without known exploitable vulnerabilities. After placement on the market, the manufacturer must address and remediate relevant vulnerabilities without delay in line with Part II of Annex I.

CRA Essential Cybersecurity Requirements

Can a manufacturer rely on its own risk appetite, product strategy or cost constraints to leave cybersecurity risks untreated?

No.

The draft guidance says residual cybersecurity risk is assessed against the CRA's regulatory threshold, not against the manufacturer's internal risk tolerance, commercial strategy or cost preferences. If identified risks are not adequately addressed, the product cannot simply be placed on the market anyway.
