
Last updated: 2026-07-18
The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) does not spread its duties evenly across everyone involved. Whoever develops, imports or resells a product with digital elements carries a different responsibility. This page provides a technical-organisational orientation on the four economic-operator roles and compares their duties. It offers guidance, not binding individual advice; a legal assessment in the specific case remains reserved for legal counsel.
The key point up front
The substantive product-security burden sits with the manufacturer (Art. 13): it meets the essential requirements, runs vulnerability handling, draws up the technical documentation, carries out the conformity assessment, issues the EU Declaration of Conformity and affixes the CE marking. The importer (Art. 19) and distributor (Art. 20) are primarily gatekeepers: they verify that the manufacturer has met its duties and must not place or make available non-conforming products. They do not, however, take over the manufacturer's duties themselves.
Manufacturer (Art. 13) — the main product-security burden
The manufacturer carries the actual substantive responsibility. Its duties include:
- Meeting the essential cybersecurity requirements of Annex I Part I on the basis of a documented risk assessment.
- Vulnerability handling under Annex I Part II across the whole support period — including an SBOM, security updates and a mandatory coordinated vulnerability disclosure (CVD) policy.
- Technical documentation under Annex VII.
- Conformity assessment under Art. 32 (self-assessment as a rule; third-party assessment only for higher product classes).
- EU Declaration of Conformity (Art. 28, Annex V) and affixing the CE marking (Art. 30).
- Reporting obligations under Art. 14 (actively exploited vulnerabilities and severe incidents) via the Single Reporting Platform.
- In case of non-conformity: corrective action, withdrawal or recall.
Two figures shape the manufacturer's effort: the support period is at least 5 years (or the shorter expected use), and technical documentation together with the EU Declaration of Conformity must be retained for at least 10 years (or the support period, whichever is longer). Full details in our article on the manufacturer duties under the CRA.
Importer (Art. 19) — the gatekeeper at market entry
The importer places a non-EU manufacturer's products on the Union market. It does not create product security itself but verifies conformity before placing on the market. Its core duties:
- Place only conforming products on the market — specifically verify that the conformity assessment has been carried out, the technical documentation drawn up and the CE marking affixed.
- Do not place non-conforming products on the market.
- In case of non-conformity: take corrective action.
- Inform the manufacturer of vulnerabilities and the market surveillance authorities of significant risks.
The distinction is decisive: the importer does not carry out the conformity assessment itself, does not draw up the technical documentation and does not affix the CE marking — these remain manufacturer duties. More on this on our page covering the importer duties.
Distributor (Art. 20) — due care in the supply chain
The distributor makes a product available on the market without being the manufacturer or importer. Due care is expected of it:
- Verify that the CE marking is present and that the manufacturer or importer has met their respective duties.
- Do not make non-conforming products available on the market.
- In case of non-conformity: take corrective action.
- Inform the manufacturer and authorities where necessary.
The distributor's verification depth is lower than the importer's — it is a plausibility and due-care check, not a re-assessment of conformity. Details in our article on the distributor duties.
Authorised representative (Art. 18) — the extended arm, not the substitute
A non-EU manufacturer may appoint an authorised representative by written mandate. This representative keeps the EU Declaration of Conformity and the technical documentation available for the authorities and acts as a point of contact. Important: the authorised representative cannot take over the manufacturer's core duties under Art. 13 — design, vulnerability handling and actual conformity remain the manufacturer's responsibility. It is the extended arm, not the substitute.
Watch out for role changes: Anyone who places a product on the market under their own name or trademark, or who substantially modifies a product already placed on the market, is considered a manufacturer under the CRA and takes on its full duties. An importer or distributor can therefore unintentionally become a manufacturer — for example by re-labelling or modifying. This allocation is one of the most common pitfalls.
Duty-allocation matrix: who bears what?
The following overview shows which role is responsible for which duty. The authorised representative (Art. 18) is deliberately not given its own column, as it takes on only a defined subset (keeping the EU Declaration of Conformity and documentation available) and precisely does not replace the manufacturer's duties under Art. 13.
| Duty | Manufacturer (Art. 13) | Importer (Art. 19) | Distributor (Art. 20) |
|---|---|---|---|
| Meet essential requirements (Annex I) | ✅ | — | — |
| Vulnerability handling (Annex I Part II) | ✅ | — | — |
| Draw up technical documentation (Annex VII) | ✅ | — | — |
| Carry out conformity assessment (Art. 32) | ✅ | — | — |
| Issue EU Declaration of Conformity (Art. 28) | ✅ | — | — |
| Affix CE marking (Art. 30) | ✅ | — | — |
| Report under Art. 14 (vulnerabilities/incidents) | ✅ | — | — |
| Verify CE marking is present | — | ✅ | ✅ |
| Verify conformity assessment was carried out | — | ✅ | — |
| Verify technical documentation was drawn up | — | ✅ | — |
| Verify manufacturer/importer met their duties | — | ✅ | ✅ |
| Do not place / make available non-conforming products | ✅ | ✅ | ✅ |
| Corrective action on non-conformity | ✅ | ✅ | ✅ |
| Inform manufacturer / authorities | ✅ | ✅ | ✅ |
✅ = duty of that role · — = no original duty of that role under the CRA
The practical starting point
Before allocating duties, clarify two questions: which role do I actually take on per product? and is the product in scope of the CRA at all? One and the same company can simultaneously be a manufacturer, importer and distributor for different products — duties are determined per product and role, not blanket per company. In practice this means: build a product-role register recording, for each product, the role in which you place it on the market and which of the duties shown above follow from that. This register also becomes the basis for demonstrating compliance to the market surveillance authorities. Our scope assessment is the first step: it maps your portfolio and shows where you carry the main burden (manufacturer) and where you carry the gatekeeper role (importer/distributor).
Note: These explanations are general technical-organisational information, not legal advice within the meaning of the German Legal Services Act (RDG). The allocation of roles and the resulting duties depend on the individual case and may change with Commission guidance.
Frequently asked questions
Who bears the most duties under the CRA?+
What must an importer verify under the CRA?+
How do distributors and importers differ under the CRA?+
Can an authorised representative take over the manufacturer's duties?+
Can an importer or distributor become a manufacturer?+
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).