CRA Distributor Checklist: 5 Verification Steps for Every Product

Distributors have the lightest CRA obligations, but "light" doesn't mean "none." If you sell a product that's obviously non-compliant, you share liability.

This checklist covers the five things you must verify before every sale and what to do when something looks wrong.

What "Distributor" Means Under CRA

The Cyber Resilience Act defines a distributor as any entity in the supply chain, other than the manufacturer or importer, that makes a product available on the market.

You're a distributor if you:

• Buy from importers and sell to retailers or end users
• Operate as a wholesaler or reseller
• Run an e-commerce platform that takes title to goods
• Provide products to business customers

You're NOT a distributor if you:

• Only provide logistics (transport/storage without sales)
• Are the first EU entity placing non-EU goods on market (that's an importer)
• Manufacture or substantially modify products (that's a manufacturer)

The Distributor's Role in CRA Compliance

Distributors act as the final checkpoint before products reach end users. Your job isn't to perform deep technical assessments. That's already been done by manufacturers and verified by importers.

Your role is to catch obvious problems and ensure the compliance chain hasn't been broken.

The 5-Point Distributor Verification

Before making any product with digital elements available on the EU market, verify these five points:

1. CE Marking Present and Correct

Check that:

• CE marking is visible on the product or packaging
• Marking is legible (not faded, smudged, or partially obscured)
• Format is correct (the two letters must have specific proportions)
• Minimum 5mm height (unless product size makes this impossible)

What to look for:

CORRECT CE MARKING:
- Letters "C" and "E" have equal height
- Specific proportions (available from EU guidance)
- Clear, permanent marking

RED FLAGS:
- "CE" in a different font or style
- "China Export" marking (similar but different)
- CE marking only on outer shipping box, not retail packaging
- Sticker that can be easily removed

2. Manufacturer Identification Visible

Products must display:

• Manufacturer's name or registered trade name
• Contact address (postal, not just website)
• For imported products: importer's name and address too

This information should be on:

• The product itself (preferred)
• The packaging (if product size prohibits)
• Accompanying documentation

Red flag: Products with no manufacturer identification whatsoever, or only a website URL with no physical address.

3. Required Documentation Accompanies Product

Verify that products come with:

• User instructions in appropriate language(s)
• Safety information relevant to the product
• EU Declaration of Conformity or reference to where it can be obtained

You don't need to read and verify the technical content. You need to confirm these documents exist and accompany the product.

Red flag: Products shipped with documentation only in Chinese, or no documentation at all.

4. No Obvious Signs of Non-Compliance

This is the judgment call. "Obviously non-compliant" means problems visible without technical expertise:

Your standard: Would a reasonable business person, without specialized cybersecurity knowledge, recognize this as non-compliant?

5. No Known Issues from Upstream

Check whether:

• Manufacturer has communicated any compliance concerns
• Importer has flagged any documentation gaps
• Product is subject to recall or market withdrawal
• Regulatory authorities have issued warnings about this product

This means maintaining communication channels with your suppliers and monitoring relevant regulatory announcements.

Storage and Transport Requirements

Your obligations don't end at verification. How you handle products matters:

Storage Conditions

• Products must not be modified during storage
• Environmental conditions must not compromise security features
• Tamper-evident packaging must remain intact
• Firmware must not be altered

Transport Handling

• Products must arrive to customers in the same compliance state as received
• No modifications during transport
• Packaging integrity maintained

Practical example: If you store IoT devices in a warehouse, you can't "helpfully" update their firmware before shipping. That could constitute a modification making you a manufacturer.

What to Do When You Suspect Non-Compliance

If any verification point fails, you have specific obligations:

Step 1: Stop

Do not make the product available until the issue is resolved. You can hold it in inventory, but you cannot sell it.

Step 2: Document

Record your concerns:

• Which verification point failed
• What you observed
• Date and time of discovery
• Product identifiers (model, batch, serial numbers if visible)

Step 3: Notify Upstream

Inform the manufacturer and/or importer immediately:

• Specific concerns identified
• Request for clarification or resolution
• Timeline for response

Step 4: Cooperate with Corrective Actions

If the product is already on the market and found non-compliant:

• Support any recall or withdrawal
• Assist with customer notifications
• Provide sales records to authorities if requested

Step 5: Report Safety Risks

If the product poses an immediate cybersecurity risk (not just documentation gaps):

• Report to market surveillance authority
• Provide all available documentation
• Cooperate with any investigation

When Distributors Become Manufacturers

Under Article 22, you become a manufacturer with full CRA obligations if you:

Place Products Under Your Own Name

• Rebranding products with your company name
• White-labeling where you're presented as the source
• Your trademark on the product or packaging

Make Substantial Modifications

Any change affecting:

• The product's intended purpose
• Compliance with CRA requirements

Examples of substantial modifications:

• Installing custom firmware
• Adding connectivity features
• Hardware modifications affecting security
• Integrating products in ways that change functionality

NOT substantial modifications:

• Applying security patches (explicitly exempted)
• Changing packaging without product changes
• Adding accessories that don't integrate with the product
• Language localization of existing documentation

If you trigger manufacturer status, you inherit the full set of CRA obligations: risk assessment, technical documentation, conformity assessment, vulnerability management, and more.

Penalties for Non-Compliance

Distributors face lighter penalties than manufacturers, but they're still significant:

For comparison, manufacturers face up to EUR 15 million or 2.5% of turnover.

Common Pitfalls

"I just sell it, compliance isn't my problem"

Wrong. Distributors share liability for obviously non-compliant products. If you sell a device with no CE marking and it causes harm, you're in the enforcement chain.

"The importer said it's fine"

Verbal assurances don't constitute verification. You need to see the CE marking and documentation yourself. An importer's word doesn't transfer liability.

"We've sold this product for years without issues"

Past sales don't guarantee CRA compliance. The CRA is new, with requirements taking effect in stages. Products that were fine before may need updates.

"Our platform just connects buyers and sellers"

If your e-commerce platform takes title to goods (you buy inventory and resell), you're a distributor. If you're purely a marketplace facilitating third-party sales, different rules may apply, but this is a complex area requiring legal advice.

"I'll just update the firmware for customers as a service"

Don't. Modifying firmware, even with good intentions, can constitute a substantial modification making you a manufacturer. Let customers update their own devices, or ensure any updates come from the original manufacturer.

Distributor Receiving Checklist

Use this checklist when receiving products from suppliers:

DISTRIBUTOR RECEIVING CHECKLIST

Product: _______________________________________
Supplier: ______________________________________
Date Received: _________________________________
Quantity: ______________________________________

VISUAL VERIFICATION:
[ ] CE marking present on product or packaging
[ ] CE marking correctly formatted (proportions, size)
[ ] Manufacturer name and address visible
[ ] Importer name and address visible (if non-EU origin)
[ ] Product packaging intact (no tampering evidence)

DOCUMENTATION CHECK:
[ ] User instructions present
[ ] Instructions in required language(s)
[ ] Safety information included
[ ] DoC reference or document present

COMPLIANCE STATUS CHECK:
[ ] No active recall notices for this product
[ ] No communications from manufacturer about issues
[ ] No regulatory warnings about this product
[ ] Supplier has not flagged any concerns

STORAGE REQUIREMENTS:
[ ] Storage conditions appropriate for product type
[ ] Tamper-evident seals intact
[ ] No modifications required before sale

DECISION:
[ ] ACCEPT - All checks passed
[ ] HOLD - Issues identified (specify below)
[ ] REJECT - Non-compliant (document and notify supplier)

Issues Identified:
________________________________________________
________________________________________________

Verified by: ___________________________________
Date: _________________________________________

Quick Reference Card

Print this and keep it at your receiving desk:

┌─────────────────────────────────────────────────┐
│         DISTRIBUTOR CRA QUICK CHECK             │
├─────────────────────────────────────────────────┤
│                                                 │
│  ✓ CE marking visible and correct?              │
│  ✓ Manufacturer name/address on product?        │
│  ✓ Instructions in correct language?            │
│  ✓ No obvious defects or tampering?             │
│  ✓ No recall notices for this product?          │
│                                                 │
│  ALL YES → OK to sell                           │
│  ANY NO  → STOP, document, notify supplier      │
│                                                 │
│  NEVER: Modify firmware, rebrand, or ignore     │
│         obvious problems                        │
│                                                 │
└─────────────────────────────────────────────────┘

CRA Evidence for Distributors

While CRA Evidence is primarily designed for manufacturers, distributors benefit from:

• Supplier verification records: Track which suppliers have provided compliant products
• Product status monitoring: Get alerts when products you distribute have reported vulnerabilities
• Documentation storage: Keep verification records for the 10-year retention period

Ensure your upstream suppliers are using proper compliance tools, and you'll spend less time on verification.

Related Guides

• CRA Importer Obligations: What to Verify Before Placing Products on the EU Market
• CRA Penalties in Practice: What Market Surveillance Actually Looks Like
• CRA Product Classification: Is Your Product Default, Important, or Critical?

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.