Cyber Resilience Act FAQ Manufacturer Obligations

A CRA manufacturer is the natural or legal person that develops or manufactures a product with digital elements, or has that product designed, developed, or manufactured, and markets it under its own name or trademark.

That means a brand owner can be the manufacturer even when engineering, assembly, testing, hosting, or component work is outsourced. The Blue Guide position is consistent with this: subcontracting does not remove the manufacturer's overall responsibility for the product.

Article 13 has two anchor duties. When placing the product on the market, the manufacturer must ensure the product is designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I Part I. When placing the product on the market and during the support period, the manufacturer must ensure that vulnerabilities, including vulnerabilities in components, are handled effectively in accordance with Annex I Part II.

Article 13 then adds the operating obligations needed to prove and maintain that position: risk assessment, component due diligence, technical documentation, conformity assessment, EU declaration of conformity, CE marking, production controls, identification and contact information, user instructions, support-period disclosure, corrective action, authority cooperation, and cessation notices.

Yes. The manufacturer must assess cybersecurity risks associated with the product with digital elements and use the outcome during planning, design, development, production, delivery, and maintenance. The assessment is not just a launch checklist; it is the basis for deciding how the product satisfies Annex I and how risks are minimized, incidents are prevented, and incident impact is reduced.

The Commission CRA FAQ says the CRA does not prescribe a single mandatory methodology. The important control is that the method supports identification, evaluation, treatment, and documentation of relevant risks so market surveillance authorities can verify the result.

Article 13(3) requires the risk assessment to consider at least the product's intended purpose, reasonably foreseeable use, conditions of use such as the operational environment or assets to be protected, and the length of time the product is expected to be in use.

The assessment must indicate whether and how Annex I Part I point (2) applies, how those requirements are implemented, and how the manufacturer applies Annex I Part I point (1) and Annex I Part II. The Commission FAQ also explains that the assessment covers the entire product with digital elements, including in-scope remote data processing and supporting functions that form part of the product.

No. For Annex I Part I product properties, the manufacturer determines relevance based on the cybersecurity risk assessment. If a particular essential cybersecurity requirement is not applicable, Article 13(4) requires a clear justification in the technical documentation.

That is not permission to ignore risk. The manufacturer still has to explain the non-applicability position and address any resulting risk through design, mitigation, limits on intended use, warnings, or user information where needed. Annex I Part II vulnerability-handling requirements apply throughout the support period.

The manufacturer must exercise due diligence when integrating components sourced from third parties so those components do not compromise the cybersecurity of the product with digital elements. This includes free and open-source software components where they are integrated into the manufacturer's product.

If the manufacturer identifies a vulnerability in an integrated component, Article 13(6) requires it to report the vulnerability to the person or entity manufacturing or maintaining that component. Where the manufacturer develops a software or hardware modification to address the vulnerability, it must share the relevant code or documentation with the component manufacturer or maintainer where appropriate.

During the support period, the manufacturer must handle vulnerabilities in accordance with Annex I Part II. In practical evidence terms, that means keeping procedures for coordinated vulnerability disclosure, vulnerability intake from internal and external sources, vulnerability assessment, remediation or mitigation decisions, security-update development and distribution, user notification where needed, and records showing why the response matched the risk.

The CRA does not require a dedicated patch for every vulnerability. The Commission FAQ explains that the manufacturer must assess the relevance and risk of the vulnerability and put an appropriate remedy in place without delay. Depending on the risk, that remedy may be a patch, another mitigation, revised instructions, or a different corrective measure.

Article 13(8) says the support period must reflect the time during which the product is expected to be in use. The manufacturer must take into account reasonable user expectations, the nature of the product including its intended purpose, and relevant Union law determining product lifetime. The support period must be at least five years unless the product is expected to be in use for less than five years.

The manufacturer must include in the technical documentation the information taken into account to determine the support period. Article 13(19) also requires the manufacturer to clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase in an easily accessible manner and, where applicable, on the product, packaging, or by digital means.

Each security update made available during the support period must remain available for at least 10 years after it is issued or for the remainder of the support period, whichever is longer.

For evidence controls, keep the update identifier, affected product versions, vulnerability or risk addressed, release date, distribution channel, integrity mechanism, user notification, and archive or availability proof. Those records help connect Article 13(9), Annex I Part II, and user-instruction obligations.

Before placing the product on the market, the manufacturer must draw up technical documentation, carry out the applicable conformity assessment procedure or have it carried out, draw up the EU declaration of conformity once conformity is demonstrated, and affix the CE marking.

The manufacturer must keep the technical documentation and EU declaration of conformity for at least 10 years after placing the product on the market or for the support period, whichever is longer. Annex VII points the evidence set toward the product description, design and development information, production and vulnerability-handling information, the cybersecurity risk assessment, applied standards or specifications, conformity assessment material, and support-period determination.

CE marking is the manufacturer's visible declaration that the product satisfies the applicable Union harmonisation requirements requiring that marking and that the relevant conformity assessment procedure has been completed. Under the CRA, the manufacturer affixes the CE marking only after the applicable conformity assessment route has demonstrated conformity.

The CRA does not make CE marking a separate cybersecurity test result. It sits at the end of the manufacturer's evidence chain: risk assessment, Annex I implementation, vulnerability-handling procedures, technical documentation, conformity assessment, EU declaration of conformity, and continuing support-period controls.

The manufacturer must ensure product identification is available through a type, batch, serial number, or other identifying element. It must also provide its name, trade name or trademark, postal address, and email address or other digital contact details, and where applicable a website.

Article 13 also requires a single point of contact so users can communicate directly and rapidly with the manufacturer, including for vulnerability reporting. The product must be accompanied by Annex II information and instructions in a language easily understood by users and market surveillance authorities, with enough clarity to allow secure installation, operation, and use.

Article 14 requires manufacturers to notify actively exploited vulnerabilities and severe incidents having an impact on the security of the product with digital elements. The CRA reporting clock starts when the manufacturer becomes aware.

The staged deadlines are an early warning within 24 hours and a fuller notification within 72 hours. The final report deadline differs: for an actively exploited vulnerability, it is no later than 14 days after a corrective or mitigating measure is available; for a severe incident, it is within one month after the incident notification. Article 14 also requires impacted users, and where appropriate all users, to be informed about the vulnerability or incident and risk-mitigation or corrective measures users can deploy.

From market placement and during the support period, the manufacturer must immediately take the corrective measures necessary to bring the product or the manufacturer's processes into conformity, or withdraw or recall the product as appropriate.

The evidence record should show the trigger, affected product versions or batches, risk assessment update, corrective or mitigating measure, user and authority communications, disposition decision, and verification that the product or process was brought back into conformity.

On reasoned request, the manufacturer must provide all information and documentation necessary to demonstrate conformity, in paper or electronic form and in a language easily understood by the market surveillance authority. It must also cooperate with measures taken to eliminate cybersecurity risks posed by the product.

A useful CRA manufacturer evidence pack includes the product scope and role analysis, cybersecurity risk assessment and updates, Annex I applicability and implementation matrix, component due-diligence records, vulnerability-handling policy and cases, support-period rationale, technical documentation, conformity-assessment outputs, EU declaration of conformity, CE-marking evidence, user instructions, support-period disclosure, update availability records, Article 14 reporting records, and corrective-action records.

No for the core Article 13 duties. Article 18(2) says the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate.

Authorised representatives, suppliers, hosted-service providers, subcontractors, distributors, and component maintainers can support the evidence chain, but the manufacturer still needs control over the product, documentation, conformity assessment, vulnerability handling, support-period decisions, and authority cooperation.

Treat product changes, dependency changes, vulnerability findings, support-period changes, new market placements, conformity-assessment changes, and user-instruction changes as evidence events. Each event should update the relevant CRA record rather than remain only in engineering tickets.

The minimum useful record is the affected product and version, manufacturer role, Article 13 or Annex I control affected, risk-assessment impact, component impact, conformity-assessment impact, user-information impact, support-period impact, release or remediation decision, source evidence, approver, and retained artifact location.