What product identification and contact information must the manufacturer provide?
The manufacturer must ensure that the product bears a type, batch, or serial number, or another identifying element. It must also indicate, on the product, on its packaging, or in an accompanying document: its name, trade name or trademark; its postal address; its email address or other digital contact details; and, where applicable, its website.
That same contact information must also be included in the information and instructions to the user.
Must the manufacturer provide a single point of contact for vulnerability reporting?
Yes.
The manufacturer must designate a single point of contact so users can communicate directly and rapidly with it, including for vulnerability reporting. The single point of contact must be easily identifiable, must let users choose their preferred means of communication, and must not limit communication to automated tools.
Must the manufacturer provide information and instructions to users?
Yes.
The manufacturer must ensure that the product is accompanied by the Annex II information and instructions, in paper or electronic form, in a language easily understood by users and market surveillance authorities. They must be clear, understandable, intelligible, and legible and must allow secure installation, operation, and use.
Must the manufacturer disclose the support-period end date to buyers?
Yes.
The manufacturer must specify the end date of the support period clearly and understandably, including at least the month and year, at the time of purchase, in an easily accessible manner and, where applicable, on the product, on its packaging, or by digital means. Where technically feasible, it must also notify users when the product has reached the end of its support period.
Must the manufacturer include the EU declaration of conformity with the product?
Yes, either in full or in simplified form.
The manufacturer must provide either a copy of the full EU declaration of conformity or a simplified EU declaration of conformity with the product. If the simplified version is used, it must contain the exact internet address where the full declaration can be accessed.
Must the manufacturer report actively exploited vulnerabilities and severe incidents?
Yes.
Under Article 14, the manufacturer must notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product. The key CRA deadlines are an early warning within 24 hours of becoming aware and a fuller notification within 72 hours. After that, the final report deadline differs: for an actively exploited vulnerability it is no later than 14 days after a corrective or mitigating measure is available, while for a severe incident it is within one month after the incident notification.
After becoming aware of an actively exploited vulnerability or severe incident, must the manufacturer also inform users?
Yes.
Article 14(8) requires the manufacturer to inform impacted users, and where appropriate all users, of the vulnerability or incident and any risk-mitigation or corrective measures users can deploy. If the manufacturer does not inform users in a timely manner, the notified CSIRTs may do so where necessary and proportionate.
Can the manufacturer shift its core Article 13 duties to an authorised representative?
No.
Article 18(2) says the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate. Those remain the manufacturer's own responsibilities.
What must the manufacturer do if it knows or has reason to believe the product is not in conformity?
From the moment the product is placed on the market and throughout the support period, the manufacturer must immediately take the corrective measures necessary to bring the product or the manufacturer's processes into conformity, or withdraw or recall the product as appropriate.
What must the manufacturer do if a market surveillance authority asks for evidence?
The manufacturer must provide, in paper or electronic form and in a language easily understood by the authority, all information and documentation necessary to demonstrate conformity. It must also cooperate with the authority on measures taken to eliminate cybersecurity risks posed by the product.
What happens under the CRA if the manufacturer is going to cease operations?
Before the cessation takes effect, the manufacturer must inform the relevant market surveillance authorities and, by any means available and to the extent possible, the users of the relevant products placed on the market.
Can the manufacturer use one risk assessment for the CRA and other applicable EU product laws?
Yes.
The Commission FAQ says the manufacturer may carry out a single risk assessment covering different applicable legislation or separate assessments for each instrument. What matters is that the manufacturer remains able to demonstrate compliance with each individual act. For CRA purposes, the assessment still has to cover the entire product with digital elements, including any in-scope remote data processing and supporting functions that form part of the product.
If the manufacturer outsources design, development, assembly, or similar work, can it shift its CRA responsibility to the subcontractor?
No.
Under the CRA definition, a manufacturer can still be the manufacturer where it has the product designed, developed, or manufactured and places it on the market under its own name or trademark. The Blue Guide adds that where subcontracting takes place, the manufacturer must retain overall control and cannot discharge its responsibilities to an authorised representative, distributor, user, or subcontractor.
Must the manufacturer have procedures to process vulnerability reports coming from internal and external sources?
Yes.
Article 13(8) expressly requires appropriate policies and procedures, including coordinated vulnerability disclosure policies, to process and remediate potential vulnerabilities reported from internal or external sources. The March 2026 draft guidance repeats that requirement when explaining how manufacturers are expected to organise their handling of potential vulnerabilities.
If the manufacturer provides the user information and instructions online, what extra obligation applies?
The information and instructions must stay accessible, user-friendly, and available online for at least 10 years after the product is placed on the market or for the support period, whichever is longer.
So the CRA does not only require the manufacturer to provide Annex II information once. If those materials are hosted online, the manufacturer has an ongoing availability obligation for the same long-term period that applies to keeping them at the disposal of users and market surveillance authorities.
Must the manufacturer document how it determined the support period?
Yes.
Article 13(8) requires the manufacturer to include in the technical documentation the information taken into account to determine the support period. Annex VII repeats that requirement, so the support-period decision has to be documented, not just decided internally.
Can products already placed on the market continue to be made available after their support period has expired?
Yes.
The Commission FAQ says products already placed on the market can continue to be made available after the support period expires. But if the manufacturer later places additional units of that product on the market, it still has to determine the support period for those newly placed units in accordance with Article 13(8).
If a product was designed before the CRA applied, must the manufacturer redesign it or recreate historical design and test files before placing it on the market?
Not necessarily.
The March 2026 draft guidance says a product designed before the CRA applies may still be placed on the market without redesign if the manufacturer carries out a current cybersecurity risk assessment and can show through the technical documentation that the existing design already addresses the relevant risks. Where the manufacturer cannot show how the original design phase took the risk assessment into account, the guidance says it is not required to recreate historical design or test documentation that would not improve the product's cybersecurity. But the manufacturer still has to complete the CRA's current obligations before placement on the market, including the conformity assessment, declaration of conformity, and CE marking steps.
Member States do, through their designated market surveillance authorities.
The CRA requires each Member State to designate one or more market surveillance authorities, and it makes the general Union market-surveillance framework in Regulation (EU) 2019/1020 applicable to products within the CRA's scope.
Does the CRA create a separate enforcement system from general EU market-surveillance law?
No.
The CRA uses the existing Union market-surveillance framework rather than creating a completely standalone enforcement system. Article 52(1) expressly makes Regulation (EU) 2019/1020 applicable to products with digital elements covered by the CRA.