CRA Distributor Checklist: 5 Verification Steps for Every Product
An operational CRA distributor companion: receiving checklist, quick-reference card, real scenarios, and the acts that turn a distributor into a manufacturer.
In this article
This page is the shop-floor companion to the CRA distributor cluster guide. The cluster guide is the regulatory framework: who counts as a distributor, what the duty set is, how authority requests work. This blog is what the receiving desk, warehouse team, and sales reps actually use: a quick-reference card, a printable intake checklist, the supply-chain scenarios that distributors hit in real operations, and the concrete acts that move you from distributor into manufacturer status without you noticing.
Summary
- Presence-based intake. Verify CE marking, manufacturer and importer identification, user information in the right language, support-period end date, and EU DoC accessibility before every sale. The full pre-supply checklist is on the cluster page.
- The product must arrive in the same compliance state it left the manufacturer. Firmware updates, repackaging, configuration changes, or rebranding during storage or transport flip you from distributor into manufacturer status via the rebrand bridge.
- A failed check stops supply. Customs warehousing or return-to-supplier remain available. Sale to end users does not. Escalation steps are in when verification fails on the cluster page.
- Distributor breaches sit in the middle penalty tier, up to EUR 10 million or 2% of worldwide annual turnover.
At-a-glance receiving check
Print and keep at the receiving desk for fast-pass acceptance decisions.
+-------------------------------------------------+
| DISTRIBUTOR CRA QUICK CHECK |
| |
| ✓ CE marking visible and correct? |
| ✓ Manufacturer name/address on product? |
| ✓ Instructions in correct language? |
| ✓ No obvious defects or tampering? |
| ✓ No recall notices for this product? |
| |
| ALL YES → OK to sell |
| ANY NO → STOP, document, notify supplier |
| NEVER: Modify firmware, rebrand, or ignore |
+-------------------------------------------------+
The full intake checklist
Use this when receiving products from suppliers. Print, fill in per shipment, file with the receiving log.
DISTRIBUTOR RECEIVING CHECKLIST
Product: _______________________________________
Supplier: ______________________________________
Date Received: _________________________________
Batch / Lot: ___________________________________
SKU: ___________________________________________
Quantity: ______________________________________
VISUAL VERIFICATION:
[ ] CE marking present on product or packaging
[ ] CE marking correctly formatted (proportions, size)
[ ] Manufacturer name and address visible
[ ] Importer name and address visible (if non-EU origin)
[ ] Product packaging intact (no tampering evidence)
DOCUMENTATION CHECK:
[ ] User instructions present
[ ] Instructions in required language(s)
[ ] Safety information included
[ ] DoC reference or document present
[ ] DoC URL resolves to a full EU Declaration of Conformity
[ ] Support-period end date visible (month and year)
COMPLIANCE STATUS CHECK:
[ ] No active recall notices for this product
[ ] No communications from manufacturer about issues
[ ] No regulatory warnings about this product
[ ] Supplier has not flagged any concerns
STORAGE REQUIREMENTS:
[ ] Storage conditions appropriate for product type
[ ] Tamper-evident seals intact
[ ] No modifications required before sale
DECISION:
[ ] ACCEPT - All checks passed
[ ] HOLD - Issues identified (specify below)
[ ] REJECT - Non-compliant (document and notify supplier)
Issues Identified:
________________________________________________
________________________________________________
Verified by: ___________________________________
Date: _________________________________________
Keeping the product unchanged in storage and transport
The intake check is only half the job. Distributors must keep the product in the same compliance state from receipt to delivery. Any act that changes the product after the manufacturer placed it on the market can flip the distributor role into manufacturer status.
Storage:
- Products are not modified during storage. No firmware updates pushed by the distributor's IT team. No "preventive" configuration tweaks.
- Environmental conditions do not compromise security features. Tamper-evident seals stay intact.
- Battery replacement during long storage is risky. Identical-part replacement may stay in the spare-parts carve-out, but a different battery chemistry or firmware change pushes the product into modified territory.
Transport:
- Products arrive to customers in the same compliance state as received. The shipping label is the distributor's, the product inside is not.
- Packaging integrity is maintained. A damaged outer carton that exposes the product mid-route gets quarantined for re-verification, not silently repackaged.
- Cross-border transport between EU Member States does not change the compliance state. The product is already placed on the Union market, and you are making it available in a second Member State.
Practical example. If you store IoT devices in a warehouse, you cannot "helpfully" update their firmware before shipping. A firmware change by the distributor is a substantial modification and triggers the manufacturer-obligation switch via the rebrand bridge. Let customers update their own devices, or route updates through the original manufacturer.
Distributor scenarios you actually face
The cluster guide covers the framework. These are the supply-chain situations distributors hit in real operations and the answers are not always obvious from reading the framework.
Drop-shipping where you never touch the stock
You take orders, the non-EU manufacturer or another EU entity ships direct to the end customer. Are you the distributor?
The legal trigger is "making available on the Union market", not physical possession. If you take title to the goods, invoice the customer, and the legal supply relationship runs through your business, you are the distributor regardless of who handles the box. The presence-based intake check still applies to you. You need a documented agreement with the upstream supplier that the CE, DoC, user information, and importer identification will be in place before the shipment leaves their warehouse.
If the relationship is pure introduction (you match buyer and seller, you never take title, the supply contract is between buyer and the upstream entity directly, you do not invoice the goods), you are generally outside the distributor regime. The boundary is fact-specific. Read the contract structure, not the ownership of the warehouse.
Marketplace operator and Amazon-FBA-style fulfilment
Two different boundary tests:
You operate the marketplace. If your platform only matches buyers and third-party sellers and never takes title, you are generally not a distributor under the CRA, in line with the broader EU framework on online intermediaries. If your platform takes title (you buy stock from suppliers, list it, fulfil orders against your own inventory), you are a distributor.
You sell on someone else's marketplace. If you are a third-party seller using Amazon FBA, Cdiscount fulfilment, or an equivalent service, you are the distributor. The fulfilment provider is a logistics service, not the distributor. Your intake check, your refusal duty, your vulnerability flow.
B2B-only distribution
The CRA applies to "products with digital elements placed on the Union market" without distinguishing B2B from B2C in scope. Distributor obligations are the same: intake check, refusal duty, vulnerability flow, cooperation with market surveillance.
Two practical differences for B2B:
- User-information language. The end customer is a downstream business that may operate in English or another commercial language. The legal floor is the language easily understood by users and market surveillance of the Member State of supply. For internal corporate end-users at a multinational, English may be commercially negotiated. For commercial end-users that re-deploy the product to consumer-facing settings, the local-language requirement is back.
- Vulnerability awareness. A B2B distributor typically learns about vulnerabilities through commercial channels (helpdesk tickets, supplier bulletins) rather than consumer reports. The "without undue delay" notification clock still starts when you become aware.
Refurbished or used CRA products
The CRA covers products placed on the Union market. A refurbished product re-placed on the market by a new entity may or may not be a fresh product placement, depending on what was changed.
The boundary depends on whether the refurbishment substantially modifies the product. Cleaning, re-packaging, and replacing identical components within the spare-parts carve-out keep the product in distributor territory. Replacing a battery with a different chemistry, re-flashing firmware, or restoring a non-original software image is substantial modification and pushes the refurbisher into manufacturer status for the modified product.
Practical rule: if you are reselling a unit you bought from a known manufacturer in its original state, you are a distributor. If you are restoring units after a hardware swap or firmware overhaul, get the legal interpretation before treating it as distribution.
Bundle sellers
You combine 2-3 products into a single SKU.
Bundling without modification. Each product inside the bundle keeps its own manufacturer, its own CE, its own DoC. You are the distributor of each product. The bundle's outer packaging needs to make the constituent products and their compliance documents identifiable. Your intake checklist runs per product, not per bundle.
Bundling with custom firmware or configuration. If you push a custom firmware image, change security defaults, or pre-configure products to work together in a way that changes their intended purpose, that is substantial modification. You become the manufacturer for the bundle, and the manufacturer obligations apply to the affected part of the product or, where the change affects cybersecurity of the product as a whole, to the entire product.
Bundle branding. Putting a "Distributed by ACME" sticker on the bundle does not by itself trigger the rebrand bridge. Replacing the individual manufacturers' brand identifiers with yours does. The cluster pitfall on stripping the importer's contact label applies here too.
Cross-border supply when a vulnerability arises
You distributed a product into six Member States. A vulnerability is reported and presents significant cybersecurity risk. Who do you notify?
Notify market surveillance in every Member State of supply, in parallel, without undue delay. You also inform the manufacturer of the vulnerability without undue delay. The manufacturer separately runs the ENISA reporting stream, which is not the distributor's job.
Practical preparation: keep a per-product, per-supply Member State distribution log. Build a one-click MSA-contact rolodex. When a vulnerability is reported on a product in your catalogue, you should not be looking up the BSI vulnerability-reporting address for the first time at 23:00.
What tips you into manufacturer status
Distributor status is fragile. Several small operational acts can move you across the line into manufacturer obligations without you noticing. This is the act-by-act matrix.
| Act | Stays distributor | Becomes manufacturer | Why |
|---|---|---|---|
| Adding a "Distributed by" sticker with your contact details | ✓ | Identifying yourself as the distributor is required, not a brand act. | |
| Replacing the manufacturer's brand with yours on the product | ✓ | This is placing the product on the market under your own name or trademark. | |
| Pushing a firmware update issued by the original manufacturer | ✓ | You are passing through the manufacturer's update. The product remains as the manufacturer placed it. | |
| Pushing a custom firmware build of your own | ✓ | Custom firmware is substantial modification. | |
| Translating the user manual into a Member State language | ✓ | Language compliance is required of the supply chain. Translation does not modify the product. | |
| Adding a configuration profile to all units before sale | depends | depends | If the profile is end-user reversible and does not change security defaults, you stay a distributor. If it changes auth flow, encryption defaults, or attack surface, it is substantial modification. |
| Re-packaging into your own retail packaging | ✓ | As long as the inner product, its CE, its identification and its user information are unchanged, repackaging the outer carton is distribution. | |
| Repackaging in a way that changes the intended purpose | ✓ | A product re-packaged as a different category of device (consumer-friendly retail of an industrial unit, for example) is substantial modification. | |
| Pre-installing your own software on top of the manufacturer's image | ✓ | Adding software changes the security envelope of the product. | |
| Removing the importer's contact label | ✓ (non-conformant) | Importer identification must remain present. Removing it breaks the distributor compliance check on the unit. |
For the regulatory framework behind these calls, the cluster guide's Am I a distributor or a manufacturer? FAQ has the verbatim Article 21 text and the Article 22 third-party-modifier distinction.
When customs holds your shipment
A non-EU shipment can be held at customs if national customs authorities flag a CE, conformity, or product-information defect. The CRA does not regulate customs directly, but it routes through the existing EU market-surveillance framework that applies at the border.
What customs typically demands:
- A copy of the EU Declaration of Conformity, full or simplified with a working URL to the full version.
- Evidence of the conformity assessment route used (Module A self-assessment, or notified-body certificate number for Important Class II or Critical products).
- The manufacturer and importer identification, postal addresses, and digital contacts.
- User information and instructions in a Member State language.
- The CE marking placement evidence on a sample unit.
What the distributor can do at the hold:
- Provide the documents you would have collected at the intake check. If your supplier did not give them to you, you should not have accepted the shipment in the first place.
- Coordinate with the importer, who carries the heavier verification duty and the 10-year retention obligation. If the importer has the technical documentation table of contents, customs will usually accept that as evidence the file exists.
- Hold the goods in customs warehousing while gaps are closed. Customs warehousing is a legitimate intermediate state. Customer-facing supply is not.
- Return the shipment to the supplier or destroy if the gap cannot be closed in a reasonable window. Member State customs rules vary on the destruction window.
Common Pitfalls
The cluster guide has the full eight-pitfall table for distributor-vs-importer mistakes, presence-based-verification mistakes, and vulnerability-flow mistakes. This blog adds three pitfalls specific to the operational layer.
| Claim | Why it fails |
|---|---|
| "Our platform just connects buyers and sellers." | If your e-commerce platform takes title to goods, you are the distributor. The marketplace-only boundary turns on whether you own the listing and the transaction, not whether you operate a website. |
| "I will update the firmware for customers as a service." | A firmware change by the distributor is substantial modification. You become the manufacturer for the modified product, with the full manufacturer obligation set. Let customers update their own devices, or route updates through the original manufacturer. |
| "We forward vulnerability notices to the manufacturer monthly with our commercial updates." | The CRA's vulnerability-awareness duty runs without undue delay. Monthly batching is a breach. If the vulnerability presents significant cybersecurity risk, market-surveillance notification is also immediate. |
Frequently Asked Questions
What if the manufacturer's DoC URL is dead or returns 404?
The simplified EU Declaration of Conformity must give the exact internet address of the full DoC. A dead URL is a documentation defect. Hold the shipment, notify the manufacturer in writing, and ask for either the full DoC document or a corrected URL. Until the URL resolves or the full DoC is delivered, the unit is not ready for sale. If the manufacturer cannot produce a working DoC, the product fails the intake check and customs warehousing or return-to-supplier are your options.
How fast must I respond to a market surveillance reasoned request, and in what format?
The CRA requires distributors to cooperate with market surveillance authorities on reasoned request, in paper or electronic form, in a language the authority can easily understand. The CRA itself does not set a fixed response clock for distributors. National market-surveillance frameworks typically operate on 7-to-15-day response windows for documentary requests, with shorter windows for urgent cybersecurity-risk cases. Build the document set so it can be produced inside one business day: DoC reference, user information samples in the supply Member State language, manufacturer and importer contact points, the intake-check record.
Can I keep selling stock placed on the market before 11 December 2027?
Products placed on the Union market before the CRA's main application date remain governed by their original placement regime, not the CRA. New units, new variants, or units placed after 11 December 2027 fall under the CRA. The boundary is the act of placing on the market, not the act of sale. A unit that has been in your warehouse since 2026 and was placed on the EU market by the manufacturer or importer before the CRA applied keeps its pre-CRA status. A unit placed on the market on or after 11 December 2027 enters the CRA regime, even if it was manufactured earlier.
The manufacturer just went bankrupt. Am I now responsible for their support obligations?
No. The distributor's duty on manufacturer cessation is a notice duty, not a transfer of manufacturer obligations. Inform the relevant market surveillance authorities without undue delay, and inform users by any means available and to the extent possible. The CRA does not require the distributor to take over support, vulnerability handling, or security update issuance. If you decide to keep selling existing stock, that is a commercial decision with reputation and consumer-relations risk, not a statutory duty. If you decide to place new units under your own name from that point onwards, the rebrand bridge tips you into manufacturer status.
I distribute from Germany into France. A vulnerability is reported. Which authority do I notify?
The vulnerability-awareness duty is to inform the manufacturer without undue delay, and where the product presents significant cybersecurity risk, to inform market surveillance in every Member State where you supplied the product. Both Germany and France in this example. The notifications run in parallel. Use the German BSI route for the German MSA, the French ANSSI route for the French MSA. Keep a per-product distribution log so the supply Member State list is one query away when a vulnerability surfaces.
Can I refuse a shipment from a long-standing supplier without breaching the commercial contract?
Refusal on CRA non-conformity grounds is a legal duty, not a commercial preference. A distributor that places a non-conformant product on the market is in breach, regardless of any supplier agreement. Most commercial supply contracts include compliance-with-applicable-law clauses that override commercial commitments where regulatory non-conformity is documented. Refuse with a written record of which intake-check item failed, what documentation was missing or non-conformant, and what you asked the supplier to remedy. The refusal record is also your evidence if a market surveillance authority later asks why a shipment was held in customs warehousing.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.
Related Articles
Does the CRA apply to your product?
Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.
Ready to achieve CRA compliance?
Start managing your SBOMs and compliance documentation with CRA Evidence.