Blackfort TechnologyBlackfort Technology

Importer Duties under the CRA (Art. 19): the Gatekeeper to the EU Market

Blackfort Technology · Your role & obligations under the CRA

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

Anyone placing products with digital elements from a non-EU manufacturer on the Union market is an importer under the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) — and thus a gatekeeper. Its role under Art. 19 is not to create product security itself, but to ensure that only conforming products reach the EU market. This page provides a technical-organisational orientation on importer duties. It offers guidance, not binding individual advice; a legal assessment in the specific case remains reserved for legal counsel.

The key point up front

The importer is the last filter before the EU market. It may place only conforming products on the market and must verify that the manufacturer has done its homework: conformity assessment carried out, technical documentation drawn up, CE marking affixed. What the importer explicitly does not do: carry out the conformity assessment itself, draw up the technical documentation, or affix the CE marking — these remain the manufacturer's duties alone.

Why the importer role exists

The CRA primarily addresses the manufacturer (Art. 13). Where that manufacturer sits outside the EU, however, the European market surveillance authorities lack a direct point of contact and a responsible party inside the Union. The importer closes exactly this gap: it is the economic operator established in the EU that first places a product from a third country on the Union market. It therefore bears an independent responsibility — not for product design, but for the gatekeeper function at market entry. For how this differs from the other roles, see our roles overview (manufacturer, importer, distributor).

The verification duty: place only conforming products

The core of the importer's duty under Art. 19 is that only conforming products are placed on the market. Before an importer puts a product on the market, it must satisfy itself that the manufacturer has actually completed the central steps. Specifically, the importer verifies that:

  • the conformity assessment was carried out under the relevant procedure (Art. 32),
  • the manufacturer has drawn up the technical documentation (Annex VII),
  • the product bears the CE marking and is accompanied by the required information and instructions,
  • the manufacturer is identifiable and named with contact details.

This check is a verification, not a re-assessment: the importer does not re-evaluate whether the product meets the essential requirements of Annex I — it satisfies itself that the manufacturer's intended evidence and steps are in place. The substantive security responsibility remains with the manufacturer.

What the importer explicitly does NOT do

  • It does not carry out the conformity assessment (that is a manufacturer duty under Art. 32).
  • It does not draw up the technical documentation (that is a manufacturer duty under Annex VII).
  • It does not affix the CE marking (that is a manufacturer duty under Art. 30).

Anyone who takes on these steps themselves, or places a product on the market under their own name or trademark, or substantially modifies it, is considered a manufacturer under the CRA and bears its full duties under Art. 13.

No placing on the market where non-conforming

If the importer finds during its check that a product is not conforming, it must not place it on the market as long as conformity has not been established. This is not a matter of discretion: where the CE marking is missing, the conformity assessment has not been carried out, or the technical documentation is not available, market entry must not proceed until the product has been brought into conformity. The importer is therefore not merely a passive pass-through but has a genuine duty to block.

Corrective action and escalation

If it emerges — including after the fact — that a product already placed on the market is not conforming, the importer must take corrective action. Depending on severity this ranges from bringing the product into conformity, through withdrawal from the market, to recall from the end user. Information duties apply in parallel:

  • Where the importer becomes aware of a vulnerability in the product, it informs the manufacturer without undue delay.
  • Where a product presents a significant cybersecurity risk, the importer additionally informs the market surveillance authorities.

An important clarification: the formal reporting deadlines (24 h / 72 h / final report) under Art. 14 are addressed to the manufacturer. The importer does not report via the Single Reporting Platform but channels its findings to the manufacturer and authorities — it is the wake-up call, not the reporter within the meaning of Art. 14.

Documentation and marking by the importer

Even though the importer does not draw up the technical documentation, it must keep a copy of the EU Declaration of Conformity available for the market surveillance authorities and ensure it can make the technical documentation accessible on reasoned request. In addition, it must ensure that — where provided for — its own contact details appear on the product, its packaging or an accompanying document. This keeps the importer findable for authorities and users as the responsible actor within the EU.

Importer duties checklist (Art. 19)

The following checklist summarises the operational duties. It does not replace an individual assessment but serves as a starting point for an internal check-and-release procedure before placing on the market.

DutyVerification / action step
Only conforming productsBefore placing on the market, ensure the product is CRA-conforming
Verify conformity assessmentCheck that the manufacturer carried out the procedure under Art. 32
Verify technical documentationCheck that the manufacturer drew up the documentation (Annex VII)
Check CE markingInspect the CE marking plus required information/instructions
Block non-conformityWhere conformity is missing, do not place on the market until fixed
Corrective actionOn non-conformity: establish conformity, withdraw/recall if needed
Vulnerability → manufacturerReport known vulnerabilities without undue delay
Significant risk → authorityInform market surveillance authorities of significant cybersecurity risk
EU Declaration of ConformityKeep a copy available; make technical docs accessible on request
Contact detailsAffix own details — where provided for — on the product

Penalty exposure and distinction from the distributor

Importer duties fall under the middle penalty tier of Art. 64: up to €10 million or 2 % of total worldwide annual turnover of the preceding financial year — whichever is higher. That is lower than the top tier for manufacturer breaches (€15 million / 2.5 %) but substantial enough to justify a robust verification procedure.

The importer is to be distinguished from the distributor (Art. 20), which merely makes a product available in the supply chain without first placing it on the market from a third country. Its verification depth is lower — it owes due care (including checking the presence of the CE marking) but not a verification of the conformity assessment. Details in our article on the distributor duties. Whether and in which role you are affected at all is clarified by our scope assessment.

Note: These explanations are general technical-organisational information, not legal advice within the meaning of the German Legal Services Act (RDG). The specific allocation of roles and the resulting duties depend on the individual case and may change with Commission guidance.

Frequently asked questions

What is an importer under the CRA?
An importer within the meaning of the Cyber Resilience Act (Art. 19) is an economic operator established in the EU that first places a product with digital elements from a non-EU manufacturer on the Union market. It is a gatekeeper: it does not create product security itself but, before placing on the market, verifies that the manufacturer carried out the conformity assessment, drew up the technical documentation and affixed the CE marking.
Must an importer carry out the conformity assessment itself?
No. The conformity assessment (Art. 32), drawing up the technical documentation (Annex VII) and affixing the CE marking (Art. 30) are manufacturer duties. The importer does not perform these steps itself but verifies that the manufacturer has completed them. If it takes them on itself, or places the product on the market under its own name or trademark, it is considered a manufacturer under the CRA and bears its full duties under Art. 13.
What must an importer do if it discovers a vulnerability?
Where the importer becomes aware of a vulnerability in the product, it informs the manufacturer without undue delay. If the product additionally presents a significant cybersecurity risk, the importer also informs the market surveillance authorities. The formal reporting deadlines under Art. 14 (24 hours, 72 hours, final report) via the Single Reporting Platform, by contrast, are addressed to the manufacturer, not the importer.
What fine does an importer risk for breaches?
Breaches of importer duties fall under the middle penalty tier of Art. 64: up to €10 million or 2 % of total worldwide annual turnover of the preceding financial year, whichever is higher. That is below the top tier for manufacturer breaches (€15 million or 2.5 %) but high enough to justify a robust internal verification procedure before placing on the market.
How does the importer differ from the distributor?
Both are gatekeepers, but with different verification depth. The importer (Art. 19) first places a product from a third country on the Union market and verifies in detail that the conformity assessment, technical documentation and CE marking exist. The distributor (Art. 20) merely makes a product available in the supply chain and owes due care — for example checking whether the CE marking is present and whether the manufacturer or importer met their duties — but not a re-assessment of conformity.

Let's talk about your CRA readiness

Do you place products with digital elements from third countries on the EU market and want to set up your importer verification duties under Art. 19 on a robust footing? We structure your check-and-release procedure technically and organisationally, clarify the boundary with the manufacturer and distributor roles and develop a practical checklist — talk to Blackfort Technology in Bonn.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.