Vulnerabilities7 min read
SBOM and vulnerability management: the practical foundation of CRA compliance
Without visibility into a product's components you cannot manage vulnerabilities. Why an SBOM is at the core of CRA compliance.
Read article
Roles & obligations
Manufacturer, importer, distributor: who has which obligations under CRA
8 min read
The Cyber Resilience Act does not just talk about 'companies' – it precisely distinguishes roles in the supply chain. Each role carries a different level of responsibility and different obligations. So the first question to answer is not 'what should we do', but 'who exactly are we'.
Three roles, three levels of responsibility
CRA works primarily with the roles of manufacturer, importer and distributor. Their obligations are not the same – they form a kind of pyramid with the manufacturer carrying the highest responsibility at the top. Clarifying your own role is a necessary prerequisite for any further preparation.
Manufacturer – carries the main burden
The manufacturer is the one who designs or makes a product and places it on the market under their own name or brand. The vast majority of CRA obligations fall on the manufacturer:
- design and manufacture the product following security by design principles,
- carry out and document a cybersecurity risk assessment,
- manage vulnerabilities throughout the support period and provide updates,
- maintain technical documentation and issue the EU declaration of conformity,
- report actively exploited vulnerabilities and severe incidents,
- provide users with information and instructions for safe use.
Importer – a verification role
An importer places a product from a third-country manufacturer on the EU market. They do not automatically take on the manufacturer's obligations, but they have their own – primarily verification. Before placing the product on the market, the importer must verify that the manufacturer has met their obligations: that they carried out conformity assessment, prepared the technical documentation, affixed the CE marking and attached the required information.
- verify the manufacturer's compliance and not place on the market a product they know does not meet the requirements,
- ensure that the technical documentation is available,
- cooperate with market surveillance authorities and report identified risks.
Distributor – act with due care
A distributor makes a product available on the market but is neither the manufacturer nor the importer. Their obligation is to act with due care – in particular to verify that the product bears the CE marking and is accompanied by the required information, and not to make available a product they know to be non-compliant.
Watch out: when the role changes
The most common mistake is to assume 'we are just an importer, so this barely concerns us'. Yet CRA contains rules under which an importer or distributor starts to be subject to the manufacturer's obligations:
- you place the product on the market under your own name or brand (typically private label),
- you make a substantial modification to the product after it has been placed on the market.
Key takeaways
- CRA distinguishes the manufacturer, importer and distributor roles – each has different obligations.
- The manufacturer carries the vast majority of obligations; the importer verifies, the distributor acts with due care.
- Private label or a substantial modification turns an importer/distributor into a manufacturer.
- The role must be determined for each product separately.
Related service
Suppliers & Manufacturers
All articles
Deadlines7 min read
Cyber Resilience Act: every deadline and phase you must hit by 2027
CRA is not introduced all at once. Go through the three key dates – and why 'we have time until 2027' is a dangerous trap.
Read article
Start with CRA before the deadline catches up with you
A free consultation will quickly show you where you stand and the shortest path to compliance.
Book a consultation