Understanding the obligations of the Cyber Resilience Act is essential for any organisation involved in creating or distributing digital products in the European Union. The regulation identifies three economic operators, the manufacturer, the importer and the distributor, and assigns distinct responsibilities to each. These roles determine who is accountable for conformity, documentation and ongoing cybersecurity duties when placing a product with digital elements on the EU market.
This article provides a clear, high level explanation of how each role works, enriched with important clarifications from the latest CRA FAQ.
Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.
The Three Economic Operators Under the CRA
The Cyber Resilience Act defines three market participants. The distinctions may seem straightforward, but they carry practical implications for compliance.
Manufacturer
Creates, develops or commissions the development of a product with digital elements and provides it under its own brand name.
This includes:
Anyone who markets a product under their own name, regardless of whether they built it themselves or had it built by someone else. Manufacturer status applies whether the product is provided for payment or free of charge. It also applies whether the company is based inside or outside the European Union.
Importer
Is based in the European Union and places on the EU market a product that carries the brand name of a company established outside the EU.
Importers act as the gateway to the EU market and must ensure the foreign manufacturer has met the CRA requirements.
Distributor
Offers a product with digital elements on the EU market without modifying it.
Distributors do not perform conformity assessment, but they do act as a final checkpoint before the product reaches end users.
Important clarification
If an importer or distributor places a product on the market under their own name or substantially modifies it, they are considered a manufacturer under the CRA. This reclassification triggers full manufacturer obligations, including risk assessment, technical documentation and vulnerability handling.
These definitions matter because each operator carries different responsibilities for conformity, documentation and incident reporting.
Obligations for Manufacturers
A manufacturer is any natural or legal person who develops or manufactures a product with digital elements or has it developed or manufactured and markets it under their own name or trademark.
Under the Cyber Resilience Act, manufacturers must:
- Integrate CRA requirements from the design stage
- Ensure the product meets the essential cybersecurity requirements
- Maintain technical documentation based on a documented cybersecurity risk assessment
- Complete the correct conformity assessment and affix the CE marking
- Guarantee ongoing vulnerability handling and security updates
- Provide clear instructions and safety information to users
- Exercise due diligence when integrating third-party and open-source components to ensure they do not compromise the product’s cybersecurity
Key clarifications from the FAQ
Manufacturers must carry out a cybersecurity risk assessment covering the entire product with digital elements, including any remote data processing. This risk assessment is not a one-time activity. It must guide decision making across design, development, production, distribution and maintenance, and must be kept up to date throughout the support period.
Manufacturers may integrate components that do not yet bear their own CE marking, including open-source software, but they must apply additional due diligence to understand the security posture of those components and mitigate the resulting risks.
These nuances expand the role of the manufacturer from compliance owner to ongoing steward of product cybersecurity.
Obligations for Importers
An importer is a natural or legal person established in the European Union who places a product from a non-EU manufacturer on the EU market.
To comply with the CRA, the importer must ensure that:
- The manufacturer has completed the correct conformity assessment
- The manufacturer has created the required technical documentation and applied the CE marking
- All traceability information is in place, such as contact details and product identifiers
- The product is accompanied by instructions and safety information in a language EU users understand
- The importer’s own name, trade name or contact address is clearly indicated on the product, packaging or documentation
Importers are not required to re-perform the manufacturer’s technical checks. Instead, they must verify, based on documentation and due diligence, that the product is not obviously non-compliant before placing it on the market.
They must also ensure that storage and transport conditions under their responsibility do not compromise compliance with the essential cybersecurity requirements.
If the importer knows or suspects that the product does not comply with the CRA:
- It must not be placed on the EU market
- The importer must notify the manufacturer and the relevant supervisory authority
- Corrective actions must be taken, including bringing the product into compliance, recalling it or removing it from the market
If the importer becomes aware of a vulnerability, they must notify the manufacturer without delay.
Obligations for Distributors
A distributor is any natural or legal person in the supply chain who offers a product with digital elements on the EU market without making changes to its characteristics.
Before making a product available, the distributor must ensure that:
- The product bears the CE marking
- Instructions and safety information are provided in a language users understand
- Manufacturer and importer identification appear on the product, packaging or accompanying documentation
Distributors are not expected to hold or review the full technical documentation themselves, but they must be able to provide the EU declaration of conformity on request and must cooperate with market surveillance authorities.
If they believe a product is not in conformity, distributors must withdraw it from sale, notify the relevant parties and support any necessary corrective actions.
Transition period nuance
Products placed on the market before 11 December 2027 generally do not need to be brought into CRA conformity by distributors.
The exception is when a distributor substantially modifies a product, in which case they take on manufacturer obligations.
Why These Obligations Matter
The Cyber Resilience Act aims to raise the baseline for product cybersecurity across the European market. That shift requires clear accountability throughout the supply chain. Manufacturers ensure secure-by-design and secure-by-default development. Importers verify that products coming from outside the EU meet the same standards. Distributors ensure that only compliant products reach users.
Together, these roles create a traceable, enforceable chain of responsibility that strengthens both market trust and real world cybersecurity resilience.