CRA Insights

Cyber Resilience Act

Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain

Distributor Duties under the CRA (Art. 20): Due Care in the Supply Chain

Last updated: 2026-07-18

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) does not burden only manufacturers — it also reaches the actors further down the supply chain. The distributor — in CRA terms whoever makes available on the market a product with digital elements without being the manufacturer or importer — carries a distinct, clearly defined responsibility. This page provides a technical-organisational orientation on distributor duties under Art. 20. It offers guidance, not binding individual advice; a legal assessment remains reserved for legal counsel.

The key point up front

The distributor is a gatekeeper, but a lighter one than the importer. Due care is expected of it: verify that the CE marking is present and that the manufacturer and importer have met their respective duties. It does not create product security itself, draw up technical documentation or carry out a conformity assessment. Even so, its role is not a mere formality — it is a genuine control function with liability consequences if neglected.

Who is a "distributor" under the CRA?

A distributor is an actor in the supply chain that makes available on the market — offers, supplies or resells — a product with digital elements, while being neither the manufacturer nor the importer. Typical examples are specialist retailers, system houses, distributors, resellers or online-marketplace sellers who pass on finished products that have already been placed on the market. The key point: the distributor receives a product that someone else developed and yet another party may have imported. Its task is not to re-assess security, but to prevent an obviously non-conforming product from reaching the market through it.

The due-care duty (Art. 20) in detail

The central yardstick is due care. Before making a product available, the distributor must verify:

  • CE marking present: Does the product bear the CE marking? It is the visible signal that the manufacturer has declared conformity.
  • Manufacturer and importer duties met: Have the manufacturer and — if one was involved — the importer met their respective duties? This includes in particular that the required documentation and information (for example user instructions and security information) are supplied with the product.
  • Required accompanying information: Are the required documents and instructions actually present and supplied in the required form?

The verification depth is deliberately lower than the importer's. The importer (Art. 19) substantively verifies that the conformity assessment was carried out and the technical documentation drawn up; the distributor checks, more on a plausibility basis, the presence of the outward conformity markers and the accompanying documents. It is a due-care and plausibility check, not a re-assessment of conformity.

Important: Where the distributor has reason to believe that a product does not conform to the essential requirements, it must not make the product available on the market until it has been brought into conformity. The due-care duty is therefore not a pure visual check — it bites as soon as there are concrete indications of non-conformity.

Non-conforming products: do not make available

The second core duty is a prohibition: a product that the distributor knows or must assume to be non-conforming must not be made available on the market. Where non-conformity comes to light only after the product has been made available, the distributor must take corrective action — from bringing the product into conformity to, where necessary, withdrawal or recall. Here too: the distributor initiates and cooperates in corrections but does not itself bear the substantive rectification of the product, which rests with the manufacturer.

Storage and transport: do not compromise conformity

An often-overlooked but characteristic distributor duty concerns physical custody of the product: while the product is under its responsibility, the distributor must ensure that the storage and transport conditions do not compromise conformity with the essential requirements. For products with digital elements this can go beyond classic physical integrity — for instance where the as-delivered state, firmware level or supplied security information must remain intact. Anyone storing or transporting products in a way that degrades their security properties breaches their due-care duty.

Informing: manufacturer and authorities

The distributor is embedded in the information chain. Two directions are central here:

  • Inform the manufacturer of vulnerabilities: Where the distributor becomes aware of a vulnerability in the product, it must inform the manufacturer (or importer).
  • Inform authorities of significant risk: Where a product presents a significant risk, the market surveillance authorities must be informed — with details in particular of the non-conformity and of any corrective action taken.

This does not turn the distributor into a reporting body in the sense of the manufacturer's Art. 14 reporting obligations (the 24-hour / 72-hour / final-report deadlines via the Single Reporting Platform) — those remain the manufacturer's responsibility. The distributor's information duties are directed at passing information on to the manufacturer and the authorities.

Role change: when the distributor becomes a manufacturer

The decisive pitfall: Anyone who places a product on the market under their own name or trademark, or who substantially modifies a product already placed on the market, is as a general principle considered a manufacturer under the CRA — with the full duties under Art. 13 (essential requirements, vulnerability handling, technical documentation, conformity assessment, EU Declaration of Conformity, CE marking, reporting). A distributor (or importer) can thus unintentionally slip into the heaviest role — for example by re-labelling, rebranding or loading its own firmware. As a general principle: once you shape a product substantively or market it as your own, you are no longer merely a gatekeeper. Whether a specific modification is "substantial" is a question for the individual case.

Distributor duties checklist

The following checklist summarises the distributor's due-care duties under Art. 20 in practical terms:

  1. Verify the CE marking — is it present on the product?
  2. Verify manufacturer and importer duties — are the required documents, instructions and security information supplied?
  3. Do not make available when in doubt — where there is reason to believe non-conformity, keep the product off the market.
  4. Protect storage and transport conditions — do not compromise conformity while in your custody.
  5. Take corrective action — cooperate where non-conformity is later identified (bring into conformity, withdraw/recall if needed).
  6. Inform the manufacturer of vulnerabilities — pass on knowledge of security flaws.
  7. Inform market surveillance authorities of significant risk — including details of non-conformity and corrective action.
  8. Keep an eye on the role change — do not become a manufacturer unnoticed through rebranding or substantial modification.
  9. Document the verification steps — record due care so it can be demonstrated to the authorities.

In perspective: lighter than the importer, but real

The distributor role is deliberately lighter than the importer's — the distributor verifies less deeply and carries none of the original manufacturer duties. But "lighter" does not mean "without consequences": the due-care duty, the prohibition on making non-conforming products available, and the information duties are genuine control obligations. Breaching them risks market-surveillance measures and administrative fines. For how the roles interlock, see our overview of the CRA roles; the markedly more verification-intensive neighbouring role is covered in our page on the importer duties. Whether and in which role your products are affected at all is clarified by the scope assessment.

Note: These explanations are general technical-organisational information, not legal advice within the meaning of the German Legal Services Act (RDG). The allocation of roles and the resulting duties depend on the individual case and may be further specified by Commission guidance.

Frequently asked questions

What does a distributor owe under the CRA?+
The distributor (Art. 20) owes due care before making a product with digital elements available on the market. It verifies that the CE marking is present and that the manufacturer and importer have met their duties — for example that the required instructions and security information are supplied. It must not make non-conforming products available, protects storage and transport conditions, takes corrective action where needed, and informs the manufacturer of vulnerabilities and the authorities of significant risks.
Must a distributor re-assess a product's CRA conformity itself?+
No. The distributor does not carry out a conformity assessment, draw up technical documentation or affix the CE marking — those are manufacturer duties. Its check is a due-care and plausibility check: are the outward conformity markers (in particular the CE marking) and the required accompanying documents present? However, as soon as it has reason to believe a product is non-conforming, it must not make it available until conformity has been established.
How does the distributor differ from the importer under the CRA?+
Both are gatekeepers, but the distributor verifies less deeply. The importer (Art. 19) places products from outside the EU on the market and substantively verifies that the conformity assessment was carried out and the technical documentation drawn up. The distributor (Art. 20) makes already-placed products available and owes due care: verify the presence of the CE marking and accompanying documents, do not make non-conforming products available, protect storage, and inform. The distributor role is thus lighter, but it remains a genuine control duty.
Must a distributor pay attention to storage and transport?+
Yes. While the product is under the distributor's responsibility, it must ensure that the storage and transport conditions do not compromise conformity with the essential requirements. For products with digital elements this can go beyond physical integrity — for instance where the as-delivered state, firmware level or supplied security information must remain intact. Storage or transport that degrades the security properties breaches the due-care duty.
Can a distributor become a manufacturer through rebranding?+
As a general principle: yes. Anyone who places a product on the market under their own name or trademark, or who substantially modifies a product already placed on the market, is as a general principle considered a manufacturer under the CRA and takes on its full duties under Art. 13 — from the essential requirements through vulnerability handling to conformity assessment, EU Declaration of Conformity and CE marking. A distributor can thus, through re-labelling, rebranding or loading its own firmware, unintentionally slip into the manufacturer role. Whether a modification is "substantial" depends on the individual case.

Sources

This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).