Importer Duties under the CRA (Art. 19): the Gatekeeper to the EU Market
Anyone placing products with digital elements from a non-EU manufacturer on the Union market is an importer under the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) — and thus a gatekeeper. Its role under Art. 19 is not to create product security itself, but to ensure that only conforming products reach the EU market. This page provides a technical-organisational orientation on importer duties. It offers guidance, not binding individual advice; a legal assessment in the specific case remains reserved for legal counsel.
The key point up front
The importer is the last filter before the EU market. It may place only conforming products on the market and must verify that the manufacturer has done its homework: conformity assessment carried out, technical documentation drawn up, CE marking affixed. What the importer explicitly does not do: carry out the conformity assessment itself, draw up the technical documentation, or affix the CE marking — these remain the manufacturer's duties alone.
Why the importer role exists
The CRA primarily addresses the manufacturer (Art. 13). Where that manufacturer sits outside the EU, however, the European market surveillance authorities lack a direct point of contact and a responsible party inside the Union. The importer closes exactly this gap: it is the economic operator established in the EU that first places a product from a third country on the Union market. It therefore bears an independent responsibility — not for product design, but for the gatekeeper function at market entry. For how this differs from the other roles, see our roles overview (manufacturer, importer, distributor).
The verification duty: place only conforming products
The core of the importer's duty under Art. 19 is that only conforming products are placed on the market. Before an importer puts a product on the market, it must satisfy itself that the manufacturer has actually completed the central steps. Specifically, the importer verifies that:
- the conformity assessment was carried out under the relevant procedure (Art. 32),
- the manufacturer has drawn up the technical documentation (Annex VII),
- the product bears the CE marking and is accompanied by the required information and instructions,
- the manufacturer is identifiable and named with contact details.
This check is a verification, not a re-assessment: the importer does not re-evaluate whether the product meets the essential requirements of Annex I — it satisfies itself that the manufacturer's intended evidence and steps are in place. The substantive security responsibility remains with the manufacturer.
What the importer explicitly does NOT do
- It does not carry out the conformity assessment (that is a manufacturer duty under Art. 32).
- It does not draw up the technical documentation (that is a manufacturer duty under Annex VII).
- It does not affix the CE marking (that is a manufacturer duty under Art. 30).
Anyone who takes on these steps themselves, or places a product on the market under their own name or trademark, or substantially modifies it, is considered a manufacturer under the CRA and bears its full duties under Art. 13.
No placing on the market where non-conforming
If the importer finds during its check that a product is not conforming, it must not place it on the market as long as conformity has not been established. This is not a matter of discretion: where the CE marking is missing, the conformity assessment has not been carried out, or the technical documentation is not available, market entry must not proceed until the product has been brought into conformity. The importer is therefore not merely a passive pass-through but has a genuine duty to block.
Corrective action and escalation
If it emerges — including after the fact — that a product already placed on the market is not conforming, the importer must take corrective action. Depending on severity this ranges from bringing the product into conformity, through withdrawal from the market, to recall from the end user. Information duties apply in parallel:
- Where the importer becomes aware of a vulnerability in the product, it informs the manufacturer without undue delay.
- Where a product presents a significant cybersecurity risk, the importer additionally informs the market surveillance authorities.
An important clarification: the formal reporting deadlines (24 h / 72 h / final report) under Art. 14 are addressed to the manufacturer. The importer does not report via the Single Reporting Platform but channels its findings to the manufacturer and authorities — it is the wake-up call, not the reporter within the meaning of Art. 14.
Documentation and marking by the importer
Even though the importer does not draw up the technical documentation, it must keep a copy of the EU Declaration of Conformity available for the market surveillance authorities and ensure it can make the technical documentation accessible on reasoned request. In addition, it must ensure that — where provided for — its own contact details appear on the product, its packaging or an accompanying document. This keeps the importer findable for authorities and users as the responsible actor within the EU.
Importer duties checklist (Art. 19)
The following checklist summarises the operational duties. It does not replace an individual assessment but serves as a starting point for an internal check-and-release procedure before placing on the market.
| Duty | Verification / action step |
|---|---|
| Only conforming products | Before placing on the market, ensure the product is CRA-conforming |
| Verify conformity assessment | Check that the manufacturer carried out the procedure under Art. 32 |
| Verify technical documentation | Check that the manufacturer drew up the documentation (Annex VII) |
| Check CE marking | Inspect the CE marking plus required information/instructions |
| Block non-conformity | Where conformity is missing, do not place on the market until fixed |
| Corrective action | On non-conformity: establish conformity, withdraw/recall if needed |
| Vulnerability → manufacturer | Report known vulnerabilities without undue delay |
| Significant risk → authority | Inform market surveillance authorities of significant cybersecurity risk |
| EU Declaration of Conformity | Keep a copy available; make technical docs accessible on request |
| Contact details | Affix own details — where provided for — on the product |
Penalty exposure and distinction from the distributor
Importer duties fall under the middle penalty tier of Art. 64: up to €10 million or 2 % of total worldwide annual turnover of the preceding financial year — whichever is higher. That is lower than the top tier for manufacturer breaches (€15 million / 2.5 %) but substantial enough to justify a robust verification procedure.
The importer is to be distinguished from the distributor (Art. 20), which merely makes a product available in the supply chain without first placing it on the market from a third country. Its verification depth is lower — it owes due care (including checking the presence of the CE marking) but not a verification of the conformity assessment. Details in our article on the distributor duties. Whether and in which role you are affected at all is clarified by our scope assessment.
Note: These explanations are general technical-organisational information, not legal advice within the meaning of the German Legal Services Act (RDG). The specific allocation of roles and the resulting duties depend on the individual case and may change with Commission guidance.
Frequently asked questions
What is an importer under the CRA?
Must an importer carry out the conformity assessment itself?
What must an importer do if it discovers a vulnerability?
What fine does an importer risk for breaches?
How does the importer differ from the distributor?
Let's talk about your CRA readiness
Do you place products with digital elements from third countries on the EU market and want to set up your importer verification duties under Art. 19 on a robust footing? We structure your check-and-release procedure technically and organisationally, clarify the boundary with the manufacturer and distributor roles and develop a practical checklist — talk to Blackfort Technology in Bonn.
Request a first call Check eligibility