Blackfort TechnologyBlackfort Technology

Manufacturer Duties under the CRA: What Art. 13 Really Requires

Blackfort Technology · Your role & obligations under the CRA

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

Under the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) the manufacturer is the role with the actual substantive responsibility. Importers and distributors are gatekeepers who verify; the manufacturer is the one who actually creates, documents and demonstrates product security. Anyone who places a product with digital elements on the market under their own name or trademark — or who substantially modifies an existing product — carries the full breadth of duties under Art. 13. This page orders them technically and organisationally, along the text of the Regulation and the article and annex numbers cited. It is general orientation, not legal advice within the meaning of the German Legal Services Act (RDG); the binding assessment of the individual case remains reserved for legal counsel.

The key point up front

The manufacturer (Art. 13) must: meet the essential requirements of Annex I Part I on the basis of a risk assessment, run vulnerability handling under Annex I Part II, draw up the technical documentation under Annex VII, carry out the conformity assessment under Art. 32, issue the EU Declaration of Conformity under Art. 28, affix the CE marking under Art. 30, and meet the reporting obligations under Art. 14. Two figures shape the effort: support period ≥ 5 years and retention of technical documentation and Declaration of Conformity for ≥ 10 years.

1. Meet the essential requirements (Annex I Part I)

The starting point of every manufacturer duty is a cybersecurity risk assessment. The product must be designed, developed and produced so that it ensures a level of cybersecurity appropriate to the risk — the "security by design and by default" principle familiar from other New Legislative Framework regulations. Annex I Part I lists a set of protection objectives that apply according to risk: delivery without known exploitable vulnerabilities, a secure default configuration with reset capability, protection against unauthorised access (e.g. through authentication), protection of the confidentiality and integrity of data (encryption where appropriate), data minimisation, availability of core functions (resilience against denial-of-service), minimisation of the attack surface, limitation of impact (defense in depth), logging of security-relevant events, and the ability to remediate vulnerabilities through security updates. Crucially, these requirements are risk-based — not every one applies equally to every product. The risk assessment decides which ones bite, and it becomes part of the technical documentation.

2. Vulnerability handling (Annex I Part II) — including SBOM and CVD

Unlike the one-off certification of some frameworks, vulnerability handling is a continuing duty across the whole support period. Annex I Part II requires the manufacturer, among other things, to:

  • Identify and document vulnerabilities and components — including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies.
  • Remediate vulnerabilities without delay, in particular through security updates — separating these from feature updates where feasible.
  • Regularly test and review the product.
  • Disclose fixed vulnerabilities once an update is available (public disclosure with descriptive information).
  • Maintain and enforce a mandatory coordinated vulnerability disclosure (CVD) policy, together with a contact address for reporting.
  • Distribute security updates securely and provide them without delay and free of charge.

Understanding the SBOM correctly: The Regulation requires an SBOM in a "commonly used, machine-readable format, at least top-level dependencies" — but no specific format. Statements like "the CRA requires CycloneDX" or "SPDX is mandatory" are wrong. Established formats such as CycloneDX, SPDX (ISO/IEC 5962) or SWID satisfy the requirement, but as guidance, not statutory text. The Commission may later specify a format by implementing act (none adopted so far). The SBOM is disclosed to authorities on reasoned request — it is not a document mandated for public publication.

3. Draw up the technical documentation (Annex VII)

The technical documentation is the written evidence that the essential requirements are met. Under Annex VII it contains, among other things: a general product description; the design, development and production processes as well as the vulnerability-handling processes (architecture, SBOM, CVD policy, update distribution); the cybersecurity risk assessment mapped to the requirements of Annex I; support-period information; the standards, specifications and certification schemes applied; test reports; and a copy of the EU Declaration of Conformity. It must be kept up to date. A deeper structure and content overview is in our article on CRA technical documentation.

4. Carry out the conformity assessment (Art. 32) — the class-dependent route

How conformity is demonstrated depends on the product class. The CRA knows four tiers; the assessment route differs markedly:

Product classAssessment route
Default / unclassified (the norm)Self-assessment (Module A) — or optionally B+C, H or a certification scheme
Important, Class I (Annex III-I)Self-assessment only if harmonised standards / common specifications / a certification scheme are fully applied; otherwise Module B (EU-type examination) + C, or Module H
Important, Class II (Annex III-II)Always third party via a notified body — B+C, H or a certification scheme. No self-assessment.
Critical (Annex IV)European cybersecurity certification scheme (Reg. 2019/881, ≥ "substantial") where mandated; otherwise as Class II

Rule of thumb: A notified body is mandatory only for Class II and critical products. The large majority of products with digital elements can self-assess; Class I products can self-assess if the relevant standards are fully applied. "All products need a notified body" is a widespread misconception. Which class your product falls into is clarified on our page on CRA product classes.

5. Issue the EU Declaration of Conformity (Art. 28) and affix CE (Art. 30)

After a successful conformity assessment, the manufacturer issues the EU Declaration of Conformity (Art. 28, template in Annex V) under its sole responsibility. It identifies the product and the manufacturer, declares conformity, names the standards/specifications/schemes applied and — where relevant — the notified body (name, number, procedure, certificate), and is signed. The manufacturer then affixes the CE marking (Art. 30). The CE marking is the visible declaration that the product complies with the relevant Union legislation — here the CRA. It only becomes relevant from general application on 11 December 2027.

6. Reporting obligations (Art. 14) — from 11 September 2026

From 11 September 2026, the manufacturer must report actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and ENISA — via the Single Reporting Platform (Art. 16). The cadence has several stages, and one detail is frequently confused:

StepDeadline
Early warning24 hours of awareness
Notification72 hours
Final report — vulnerabilities≤ 14 days after a fix is available
Final report — severe incidentswithin one month of the notification

⚠️ The final-report deadline differs: 14 days (vulnerability) versus one month (incident). Not "14 days for both".

The reporting obligations also apply to products already on the market. Micro and small enterprises cannot be fined for missing Art. 14 deadlines.

7. Support period and retention

Two periods are central and often confused:

  • Support period ≥ 5 years: The manufacturer must provide vulnerability handling and security updates for at least five years — or for the shorter expected use, if the product is evidently used for less time.
  • Retention ≥ 10 years: Technical documentation and the EU Declaration of Conformity must be retained for at least ten years after placing on the market — or for the support period, whichever is longer.

8. Corrective action, withdrawal, recall

If the manufacturer establishes that a product is (no longer) conforming, it must take corrective action without delay — bring the product into conformity, withdraw it from the market or recall it, depending on severity. It informs the competent authorities and, where a risk exists, the affected users. This duty is the counterpart to market surveillance: it ensures that conformity persists not only at the point of placing on the market but across the whole lifecycle.

Manufacturer duties checklist

  1. Clarify applicability: Is the product a product with digital elements in CRA scope? Which product class does it fall into?
  2. Carry out a cybersecurity risk assessment and map it to Annex I.
  3. Design the product "security by design and by default"; implement the essential requirements of Annex I Part I.
  4. Build a vulnerability-handling process under Annex I Part II: SBOM, CVD policy with contact address, secure and free update distribution.
  5. Draw up the technical documentation under Annex VII and keep it current.
  6. Carry out the conformity assessment under Art. 32 appropriate to the class (self-assessment or notified body).
  7. Issue the EU Declaration of Conformity (Art. 28) and affix the CE marking (Art. 30).
  8. Set up the reporting process under Art. 14 (24 h / 72 h / 14 days or one month) — from 11 September 2026.
  9. Define and communicate the support period (≥ 5 years); ensure retention (≥ 10 years).
  10. Establish a process for corrective action, withdrawal and recall.

Roadmap to 11 December 2027

There is time until general application on 11 December 2027 — but the substantive tasks (risk assessment, vulnerability process, documentation) need lead time, and the reporting obligations already bite from 11 September 2026.

  • By Q3 2026: Complete the product-role register and classification; have the Art. 14 reporting process operational (mandatory from 11 Sep 2026).
  • 2026: Carry out the risk assessment per product; build vulnerability handling including SBOM and CVD policy.
  • 2026–2027: Implement the essential requirements; write the technical documentation under Annex VII; choose the appropriate conformity route and — for Class II / critical — engage a notified body early (capacity is scarce).
  • By 11 Dec 2027: Complete the conformity assessment, issue the EU Declaration of Conformity, affix the CE marking.

Where you carry the manufacturer burden across your portfolio and where only the gatekeeper role is clarified by the comparison of CRA roles. The structured entry point is our scope assessment.

Note: These explanations are general technical-organisational information, not legal advice within the meaning of the RDG. Specific duties, product classes and deadlines depend on the individual case and may change with Commission guidance and implementing acts.

Frequently asked questions

What duties does a manufacturer have under the CRA?
The manufacturer (Art. 13) meets the essential requirements of Annex I Part I on the basis of a risk assessment, runs vulnerability handling under Annex I Part II (including SBOM and CVD policy), draws up the technical documentation under Annex VII, carries out the conformity assessment under Art. 32, issues the EU Declaration of Conformity under Art. 28, affixes the CE marking under Art. 30 and meets the reporting obligations under Art. 14. In addition it owes a support period of at least 5 years, retention of documentation and the Declaration of Conformity of at least 10 years, and corrective action in case of non-conformity.
Does every manufacturer need a notified body?
No. Under Art. 32 a notified body is mandatory only for important Class II products (Annex III-II) and for critical products (Annex IV). Default or unclassified products may be assessed by self-assessment (Module A). Class I products (Annex III-I) may also self-assess, provided harmonised standards, common specifications or a certification scheme are fully applied; otherwise third-party assessment is required there too. The statement "all products need a notified body" is wrong.
Does the CRA mandate a specific SBOM format?
No. Annex I Part II requires a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies — but no specific format. Established formats such as CycloneDX, SPDX (ISO/IEC 5962) or SWID satisfy the requirement, but as recognised guidance, not statutory text. The Commission may later specify a format by implementing act; none has been adopted so far. The SBOM is disclosed to authorities on reasoned request and is not a document mandated for public publication.
How long must a manufacturer provide support and retain documentation?
The support period is at least 5 years — or the shorter expected use, if the product is evidently used for less time. During this period the manufacturer must provide vulnerability handling and security updates. Separately, the technical documentation and the EU Declaration of Conformity must be retained for at least 10 years after placing on the market — or for the support period, whichever is longer. The two periods (5 years support, 10 years retention) are frequently confused.
When do the reporting and manufacturer duties apply?
The reporting obligations under Art. 14 (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026 — with the cadence of an early warning within 24 hours, a notification within 72 hours and a final report within 14 days after a fix is available (vulnerabilities) or within one month of the notification (severe incidents). The remaining manufacturer duties — essential requirements, conformity assessment and CE marking — apply with general application from 11 December 2027. Entry into force on 10 December 2024 does not yet trigger any of these duties.

Let's talk about your CRA readiness

You are a manufacturer and want to know which of the Art. 13 duties actually apply per product — from risk assessment through SBOM and CVD policy to conformity assessment? Blackfort Technology in Bonn maps your portfolio technically and organisationally, prioritises the gaps and develops a robust roadmap to 11 December 2027.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.