Manufacturer Duties under the CRA: What Art. 13 Really Requires
Under the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) the manufacturer is the role with the actual substantive responsibility. Importers and distributors are gatekeepers who verify; the manufacturer is the one who actually creates, documents and demonstrates product security. Anyone who places a product with digital elements on the market under their own name or trademark — or who substantially modifies an existing product — carries the full breadth of duties under Art. 13. This page orders them technically and organisationally, along the text of the Regulation and the article and annex numbers cited. It is general orientation, not legal advice within the meaning of the German Legal Services Act (RDG); the binding assessment of the individual case remains reserved for legal counsel.
The key point up front
The manufacturer (Art. 13) must: meet the essential requirements of Annex I Part I on the basis of a risk assessment, run vulnerability handling under Annex I Part II, draw up the technical documentation under Annex VII, carry out the conformity assessment under Art. 32, issue the EU Declaration of Conformity under Art. 28, affix the CE marking under Art. 30, and meet the reporting obligations under Art. 14. Two figures shape the effort: support period ≥ 5 years and retention of technical documentation and Declaration of Conformity for ≥ 10 years.
1. Meet the essential requirements (Annex I Part I)
The starting point of every manufacturer duty is a cybersecurity risk assessment. The product must be designed, developed and produced so that it ensures a level of cybersecurity appropriate to the risk — the "security by design and by default" principle familiar from other New Legislative Framework regulations. Annex I Part I lists a set of protection objectives that apply according to risk: delivery without known exploitable vulnerabilities, a secure default configuration with reset capability, protection against unauthorised access (e.g. through authentication), protection of the confidentiality and integrity of data (encryption where appropriate), data minimisation, availability of core functions (resilience against denial-of-service), minimisation of the attack surface, limitation of impact (defense in depth), logging of security-relevant events, and the ability to remediate vulnerabilities through security updates. Crucially, these requirements are risk-based — not every one applies equally to every product. The risk assessment decides which ones bite, and it becomes part of the technical documentation.
2. Vulnerability handling (Annex I Part II) — including SBOM and CVD
Unlike the one-off certification of some frameworks, vulnerability handling is a continuing duty across the whole support period. Annex I Part II requires the manufacturer, among other things, to:
- Identify and document vulnerabilities and components — including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies.
- Remediate vulnerabilities without delay, in particular through security updates — separating these from feature updates where feasible.
- Regularly test and review the product.
- Disclose fixed vulnerabilities once an update is available (public disclosure with descriptive information).
- Maintain and enforce a mandatory coordinated vulnerability disclosure (CVD) policy, together with a contact address for reporting.
- Distribute security updates securely and provide them without delay and free of charge.
Understanding the SBOM correctly: The Regulation requires an SBOM in a "commonly used, machine-readable format, at least top-level dependencies" — but no specific format. Statements like "the CRA requires CycloneDX" or "SPDX is mandatory" are wrong. Established formats such as CycloneDX, SPDX (ISO/IEC 5962) or SWID satisfy the requirement, but as guidance, not statutory text. The Commission may later specify a format by implementing act (none adopted so far). The SBOM is disclosed to authorities on reasoned request — it is not a document mandated for public publication.
3. Draw up the technical documentation (Annex VII)
The technical documentation is the written evidence that the essential requirements are met. Under Annex VII it contains, among other things: a general product description; the design, development and production processes as well as the vulnerability-handling processes (architecture, SBOM, CVD policy, update distribution); the cybersecurity risk assessment mapped to the requirements of Annex I; support-period information; the standards, specifications and certification schemes applied; test reports; and a copy of the EU Declaration of Conformity. It must be kept up to date. A deeper structure and content overview is in our article on CRA technical documentation.
4. Carry out the conformity assessment (Art. 32) — the class-dependent route
How conformity is demonstrated depends on the product class. The CRA knows four tiers; the assessment route differs markedly:
| Product class | Assessment route |
|---|---|
| Default / unclassified (the norm) | Self-assessment (Module A) — or optionally B+C, H or a certification scheme |
| Important, Class I (Annex III-I) | Self-assessment only if harmonised standards / common specifications / a certification scheme are fully applied; otherwise Module B (EU-type examination) + C, or Module H |
| Important, Class II (Annex III-II) | Always third party via a notified body — B+C, H or a certification scheme. No self-assessment. |
| Critical (Annex IV) | European cybersecurity certification scheme (Reg. 2019/881, ≥ "substantial") where mandated; otherwise as Class II |
Rule of thumb: A notified body is mandatory only for Class II and critical products. The large majority of products with digital elements can self-assess; Class I products can self-assess if the relevant standards are fully applied. "All products need a notified body" is a widespread misconception. Which class your product falls into is clarified on our page on CRA product classes.
5. Issue the EU Declaration of Conformity (Art. 28) and affix CE (Art. 30)
After a successful conformity assessment, the manufacturer issues the EU Declaration of Conformity (Art. 28, template in Annex V) under its sole responsibility. It identifies the product and the manufacturer, declares conformity, names the standards/specifications/schemes applied and — where relevant — the notified body (name, number, procedure, certificate), and is signed. The manufacturer then affixes the CE marking (Art. 30). The CE marking is the visible declaration that the product complies with the relevant Union legislation — here the CRA. It only becomes relevant from general application on 11 December 2027.
6. Reporting obligations (Art. 14) — from 11 September 2026
From 11 September 2026, the manufacturer must report actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and ENISA — via the Single Reporting Platform (Art. 16). The cadence has several stages, and one detail is frequently confused:
| Step | Deadline |
|---|---|
| Early warning | 24 hours of awareness |
| Notification | 72 hours |
| Final report — vulnerabilities | ≤ 14 days after a fix is available |
| Final report — severe incidents | within one month of the notification |
⚠️ The final-report deadline differs: 14 days (vulnerability) versus one month (incident). Not "14 days for both".
The reporting obligations also apply to products already on the market. Micro and small enterprises cannot be fined for missing Art. 14 deadlines.
7. Support period and retention
Two periods are central and often confused:
- Support period ≥ 5 years: The manufacturer must provide vulnerability handling and security updates for at least five years — or for the shorter expected use, if the product is evidently used for less time.
- Retention ≥ 10 years: Technical documentation and the EU Declaration of Conformity must be retained for at least ten years after placing on the market — or for the support period, whichever is longer.
8. Corrective action, withdrawal, recall
If the manufacturer establishes that a product is (no longer) conforming, it must take corrective action without delay — bring the product into conformity, withdraw it from the market or recall it, depending on severity. It informs the competent authorities and, where a risk exists, the affected users. This duty is the counterpart to market surveillance: it ensures that conformity persists not only at the point of placing on the market but across the whole lifecycle.
Manufacturer duties checklist
- Clarify applicability: Is the product a product with digital elements in CRA scope? Which product class does it fall into?
- Carry out a cybersecurity risk assessment and map it to Annex I.
- Design the product "security by design and by default"; implement the essential requirements of Annex I Part I.
- Build a vulnerability-handling process under Annex I Part II: SBOM, CVD policy with contact address, secure and free update distribution.
- Draw up the technical documentation under Annex VII and keep it current.
- Carry out the conformity assessment under Art. 32 appropriate to the class (self-assessment or notified body).
- Issue the EU Declaration of Conformity (Art. 28) and affix the CE marking (Art. 30).
- Set up the reporting process under Art. 14 (24 h / 72 h / 14 days or one month) — from 11 September 2026.
- Define and communicate the support period (≥ 5 years); ensure retention (≥ 10 years).
- Establish a process for corrective action, withdrawal and recall.
Roadmap to 11 December 2027
There is time until general application on 11 December 2027 — but the substantive tasks (risk assessment, vulnerability process, documentation) need lead time, and the reporting obligations already bite from 11 September 2026.
- By Q3 2026: Complete the product-role register and classification; have the Art. 14 reporting process operational (mandatory from 11 Sep 2026).
- 2026: Carry out the risk assessment per product; build vulnerability handling including SBOM and CVD policy.
- 2026–2027: Implement the essential requirements; write the technical documentation under Annex VII; choose the appropriate conformity route and — for Class II / critical — engage a notified body early (capacity is scarce).
- By 11 Dec 2027: Complete the conformity assessment, issue the EU Declaration of Conformity, affix the CE marking.
Where you carry the manufacturer burden across your portfolio and where only the gatekeeper role is clarified by the comparison of CRA roles. The structured entry point is our scope assessment.
Note: These explanations are general technical-organisational information, not legal advice within the meaning of the RDG. Specific duties, product classes and deadlines depend on the individual case and may change with Commission guidance and implementing acts.
Frequently asked questions
What duties does a manufacturer have under the CRA?
Does every manufacturer need a notified body?
Does the CRA mandate a specific SBOM format?
How long must a manufacturer provide support and retain documentation?
When do the reporting and manufacturer duties apply?
Let's talk about your CRA readiness
You are a manufacturer and want to know which of the Art. 13 duties actually apply per product — from risk assessment through SBOM and CVD policy to conformity assessment? Blackfort Technology in Bonn maps your portfolio technically and organisationally, prioritises the gaps and develops a robust roadmap to 11 December 2027.
Request a first call Check eligibility