Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain
The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) does not burden only manufacturers — it also reaches the actors further down the supply chain. The distributor — in CRA terms whoever makes available on the market a product with digital elements without being the manufacturer or importer — carries a distinct, clearly defined responsibility. This page provides a technical-organisational orientation on distributor duties under Art. 20. It offers guidance, not binding individual advice; a legal assessment remains reserved for legal counsel.
The key point up front
The distributor is a gatekeeper, but a lighter one than the importer. Due care is expected of it: verify that the CE marking is present and that the manufacturer and importer have met their respective duties. It does not create product security itself, draw up technical documentation or carry out a conformity assessment. Even so, its role is not a mere formality — it is a genuine control function with liability consequences if neglected.
Who is a "distributor" under the CRA?
A distributor is an actor in the supply chain that makes available on the market — offers, supplies or resells — a product with digital elements, while being neither the manufacturer nor the importer. Typical examples are specialist retailers, system houses, distributors, resellers or online-marketplace sellers who pass on finished products that have already been placed on the market. The key point: the distributor receives a product that someone else developed and yet another party may have imported. Its task is not to re-assess security, but to prevent an obviously non-conforming product from reaching the market through it.
The due-care duty (Art. 20) in detail
The central yardstick is due care. Before making a product available, the distributor must verify:
- CE marking present: Does the product bear the CE marking? It is the visible signal that the manufacturer has declared conformity.
- Manufacturer and importer duties met: Have the manufacturer and — if one was involved — the importer met their respective duties? This includes in particular that the required documentation and information (for example user instructions and security information) are supplied with the product.
- Required accompanying information: Are the required documents and instructions actually present and supplied in the required form?
The verification depth is deliberately lower than the importer's. The importer (Art. 19) substantively verifies that the conformity assessment was carried out and the technical documentation drawn up; the distributor checks, more on a plausibility basis, the presence of the outward conformity markers and the accompanying documents. It is a due-care and plausibility check, not a re-assessment of conformity.
Important: Where the distributor has reason to believe that a product does not conform to the essential requirements, it must not make the product available on the market until it has been brought into conformity. The due-care duty is therefore not a pure visual check — it bites as soon as there are concrete indications of non-conformity.
Non-conforming products: do not make available
The second core duty is a prohibition: a product that the distributor knows or must assume to be non-conforming must not be made available on the market. Where non-conformity comes to light only after the product has been made available, the distributor must take corrective action — from bringing the product into conformity to, where necessary, withdrawal or recall. Here too: the distributor initiates and cooperates in corrections but does not itself bear the substantive rectification of the product, which rests with the manufacturer.
Storage and transport: do not compromise conformity
An often-overlooked but characteristic distributor duty concerns physical custody of the product: while the product is under its responsibility, the distributor must ensure that the storage and transport conditions do not compromise conformity with the essential requirements. For products with digital elements this can go beyond classic physical integrity — for instance where the as-delivered state, firmware level or supplied security information must remain intact. Anyone storing or transporting products in a way that degrades their security properties breaches their due-care duty.
Informing: manufacturer and authorities
The distributor is embedded in the information chain. Two directions are central here:
- Inform the manufacturer of vulnerabilities: Where the distributor becomes aware of a vulnerability in the product, it must inform the manufacturer (or importer).
- Inform authorities of significant risk: Where a product presents a significant risk, the market surveillance authorities must be informed — with details in particular of the non-conformity and of any corrective action taken.
This does not turn the distributor into a reporting body in the sense of the manufacturer's Art. 14 reporting obligations (the 24-hour / 72-hour / final-report deadlines via the Single Reporting Platform) — those remain the manufacturer's responsibility. The distributor's information duties are directed at passing information on to the manufacturer and the authorities.
Role change: when the distributor becomes a manufacturer
The decisive pitfall: Anyone who places a product on the market under their own name or trademark, or who substantially modifies a product already placed on the market, is as a general principle considered a manufacturer under the CRA — with the full duties under Art. 13 (essential requirements, vulnerability handling, technical documentation, conformity assessment, EU Declaration of Conformity, CE marking, reporting). A distributor (or importer) can thus unintentionally slip into the heaviest role — for example by re-labelling, rebranding or loading its own firmware. As a general principle: once you shape a product substantively or market it as your own, you are no longer merely a gatekeeper. Whether a specific modification is "substantial" is a question for the individual case.
Distributor duties checklist
The following checklist summarises the distributor's due-care duties under Art. 20 in practical terms:
- Verify the CE marking — is it present on the product?
- Verify manufacturer and importer duties — are the required documents, instructions and security information supplied?
- Do not make available when in doubt — where there is reason to believe non-conformity, keep the product off the market.
- Protect storage and transport conditions — do not compromise conformity while in your custody.
- Take corrective action — cooperate where non-conformity is later identified (bring into conformity, withdraw/recall if needed).
- Inform the manufacturer of vulnerabilities — pass on knowledge of security flaws.
- Inform market surveillance authorities of significant risk — including details of non-conformity and corrective action.
- Keep an eye on the role change — do not become a manufacturer unnoticed through rebranding or substantial modification.
- Document the verification steps — record due care so it can be demonstrated to the authorities.
In perspective: lighter than the importer, but real
The distributor role is deliberately lighter than the importer's — the distributor verifies less deeply and carries none of the original manufacturer duties. But "lighter" does not mean "without consequences": the due-care duty, the prohibition on making non-conforming products available, and the information duties are genuine control obligations. Breaching them risks market-surveillance measures and administrative fines. For how the roles interlock, see our overview of the CRA roles; the markedly more verification-intensive neighbouring role is covered in our page on the importer duties. Whether and in which role your products are affected at all is clarified by the scope assessment.
Note: These explanations are general technical-organisational information, not legal advice within the meaning of the German Legal Services Act (RDG). The allocation of roles and the resulting duties depend on the individual case and may be further specified by Commission guidance.
Frequently asked questions
What does a distributor owe under the CRA?
Must a distributor re-assess a product's CRA conformity itself?
How does the distributor differ from the importer under the CRA?
Must a distributor pay attention to storage and transport?
Can a distributor become a manufacturer through rebranding?
Let's talk about your CRA readiness
Unsure whether your products make you a distributor, an importer or actually a manufacturer under the CRA? We map your supply-chain and sales role technically and organisationally, build you a robust due-care and verification checklist and show where an unintended role change looms — talk to Blackfort Technology in Bonn.
Request a first call Check eligibility