CRA for French Manufacturers: ANSSI, ANFR and CE Marking

Country brief for French manufacturers under the CRA: CERT-FR routing, ANSSI as notifying authority, ANFR for market surveillance, COFRAC accreditation.

CRA Evidence Team Published January 4, 2026 Updated May 31, 2026
CRA country brief for French manufacturers showing the national institutional chain: CERT-FR for vulnerability reports, ANSSI as notifying authority, COFRAC for accreditation, ANFR for market surveillance
In this article

French manufacturers face the same CRA obligations as every other EU manufacturer. This page is a country brief for France: how vulnerability and incident reports route through CERT-FR (ANSSI's operational CSIRT), how conformity-assessment bodies are expected to be designated under the French split (ANSSI notifies, COFRAC accredits), how ANFR is the leading candidate for CRA market surveillance pending the formal Journal Officiel instrument (a role often mistakenly attributed to DGCCRF), what the French-language obligations actually require, and which of the Bpifrance and France 2030 lines are open for compliance investment. For the full manufacturer obligation set, see the manufacturer cluster guide.

Summary

  • The CRA is an EU Regulation with direct effect. There are no French-specific exemptions for product manufacturers.
  • CERT-FR, the operational CSIRT inside ANSSI, is the receiving French CSIRT for CRA vulnerability and incident reports when your main establishment is in France.
  • ANSSI is expected to act as the French notifying authority that formally designates CRA notified bodies to the European Commission. COFRAC accredits the candidate bodies as the technical step before that notification.
  • ANFR (Agence nationale des fréquences) is the leading candidate for CRA market surveillance of products with digital elements placed on the French market, pending the formal Journal Officiel instrument. ANSSI provides technical support. DGCCRF is the historical consumer-product safety inspector and is NOT the expected CRA market-surveillance authority.
  • French (français) is required for user-facing product information shipped on the French market under the CRA, reinforced by the Loi Toubon for consumer products.
  • Bpifrance runs the Cyber PME programme and several France 2030 cybersecurity calls. France 2030 is co-financed with the EU Digital Europe Programme and remains a viable planning vehicle for compliance investment dated against the 11 December 2027 deadline.

When this guide applies to you

You are the target reader if your manufacturer "main establishment in the Union" is in France. That means the place where decisions related to the cybersecurity of your products with digital elements are predominantly taken. A French-registered sales subsidiary with engineering offshore is not the main establishment. If your engineering team, your SDLC governance, and the people approving security-update releases sit in France, this guide is for you.

If your main establishment is elsewhere in the EU and you only ship into France, your CRA reports route through the CSIRT of your main-establishment Member State, not CERT-FR. The French-language obligation for user-facing information still applies for any product placed on the French market.

ANSSI and CERT-FR: the French CSIRT route

CRA notifications route through the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment in the Union. For a manufacturer whose main establishment is in France, that CSIRT is CERT-FR, the operational arm of ANSSI (Agence nationale de la sécurité des systèmes d'information).

ANSSI is attached to the SGDSN and runs the French national certification schemes (CSPN, Visa de Sécurité) and the accredited evaluation centres (CESTI). CERT-FR publishes French-language vulnerability advisories and operates the national vulnerability-coordination stream.

CERT-FR contact: website https://www.cert.ssi.gouv.fr, email cert-fr@ssi.gouv.fr. ANSSI: https://www.ssi.gouv.fr.

The technical channel for the 24h / 72h / 14d reporting cadence is the ENISA single reporting platform, which goes operational on 11 September 2026. A French manufacturer files via that platform with CERT-FR as the receiving coordinator. The CSIRT designation is the routing. The platform is the transport.

Notified bodies: ANSSI notifies, COFRAC accredits

Important Class I products need a notified body (Module B+C or Module H) only where harmonised standards, common specifications, or a certification scheme do not fully cover them. Important Class II products use a notified body (Module B+C or Module H) or an available and applicable certification scheme. Critical products (Annex IV) follow Article 32(4): the Article 8(1) certification route where the Commission has triggered it, otherwise the same Article 32(3) routes.

The French institutional split is:

  • ANSSI acts as the notifying authority that formally designates French notified bodies to the European Commission under the CRA. ANSSI evaluates, controls, and notifies the conformity-assessment bodies.
  • COFRAC (Comité français d'accréditation) is the French national accreditation body and assesses the technical competence of a candidate before ANSSI notifies it.

The CRA framework for notified bodies applies from 11 June 2026, with ANSSI's accreditation and notification phase running from June to December 2026. As of late May 2026, zero notified bodies are designated EU-wide under the CRA, and France's formal national designation remains pending in the Journal Officiel. The chain is being stood up.

A French manufacturer can use any EU-notified body, not only French-designated ones. Choosing a French-designated one (LNE, LCIE Bureau Veritas, SGS France, and other historically-accredited bodies) is a procurement preference, not a CRA requirement. Final CRA designations are published in the European Commission NANDO database.

ANFR: the CRA market-surveillance authority

CRA market surveillance for products with digital elements placed on the French market is expected to sit with ANFR (Agence nationale des fréquences), not with DGCCRF. ANSSI confirms this institutional direction on its official CRA page at cyber.gouv.fr, and ANSSI itself provides technical support to ANFR in the market-surveillance framework. Verify the final designation in the Journal Officiel before formal filings.

The French implementation path would give ANFR sanction powers up to 15 million euros or 2.5% of global annual revenue for the most serious CRA infringements, within the EU-level ceilings set by the Regulation.

DGCCRF retains its general consumer-product safety inspection role and will continue to surface non-compliant goods at the border or in retail, but the expected CRA market-surveillance role for digital products is ANFR's. Plan toward ANFR, while checking the final JO text before formal filings.

French-language requirements in practice

The CRA requires user-facing product information to be in a language easily understood by users and the local market-surveillance authority. For products placed on the French market, that is French. The Loi Toubon (Law 94-665) independently requires French in all consumer information, so the CRA obligation aligns with a long-standing national rule.

Must be in French:

  • The user instructions and product information shipping with the product.
  • The manufacturer contact details (name, address, email or other digital contact) wherever they appear, including on the product itself, packaging, or accompanying document.
  • The end-of-support date disclosure shown at the point of purchase.

Can be multilingual:

  • The product label and CE marking.
  • Packaging text.
  • Online documentation, provided a French version is reachable.

English is normally accepted for:

  • Internal technical documentation. ANFR or any other Member State's market-surveillance authority can request a French translation if they make a reasoned request, so plan for that contingency even if you do not translate proactively.

The EU Declaration of Conformity must be made available in the languages required by the Member State where the product is placed or made available. For France, plan a French version rather than treating translation as an inspection-only contingency.

Selling cross-border from France

French manufacturers selling into Belgium, Spain, Germany, Italy, or any other EU Member State carry the same single-routing rule: your reports still go to CERT-FR, because routing follows main establishment, not per-shipment destination. You do not file with the Belgian, Spanish, German, or Italian CSIRT.

The language obligation does fan out per market. A product shipped into the Spanish market needs Spanish user-facing content. A product shipped into the German market needs German content. The single French-language pack does not cover those markets.

Each receiving Member State's market-surveillance authority can also request your technical documentation in a language easily understood by that authority. If your supply runs broadly across the EU, expect requests in at least one widely-used working language, and treat early translation of the most-requested technical-documentation sections as a practical hedge.

National funding programmes

Unlike the Spanish Plan de Recuperación that is closing its NextGenEU window in 2026, French national programmes for cybersecurity investment remain open and active in 2026 and beyond.

  • Bpifrance runs the Diagnostic Cybersécurité (a subsidized cybersecurity audit for SMEs) and the Cyber PME programme. Cyber PME Phase B accepted applications up to 26 November 2025 for companies whose security-plan submission date is after 1 January 2024. Phase A and follow-up calls continue to be staged.
  • France 2030 is the national investment plan with cybersecurity-specific calls run jointly by the General Secretariat for Investment (SGPI), Bpifrance, and ANSSI. Cybersecurity-product-development calls are co-financed with the EU Digital Europe Programme, with recent calls offering up to 2 million euros in combined support. CRA-driven security R&D fits where the angle is genuine product-development innovation.
  • France Num offers regional diagnostic vouchers run through the chambers of commerce and industry. Useful for an initial Plan de Cybersécurité but not for the full CRA tooling investment.
  • Prêt Innovation and the Aide pour le développement de l'innovation are Bpifrance loan and grant lines that can underwrite SBOM tooling, vulnerability-handling capability build-out, and conformity-assessment fees where the cybersecurity work has a genuine innovation component.

Eligibility windows and budget caps change annually. Confirm the current convocation before scoping any line item against these programmes.

Frequently Asked Questions

Which French CSIRT receives my CRA vulnerability notifications?

CERT-FR, the operational CSIRT inside ANSSI, when the manufacturer's main establishment is in France. The CRA defines main establishment as the place where decisions related to the cybersecurity of products with digital elements are predominantly taken. Reports are submitted through the ENISA single reporting platform from 11 September 2026, with CERT-FR as the receiving coordinator.

Who designates French notified bodies, COFRAC or ANSSI?

ANSSI is expected to be the notifying authority that formally designates French CRA notified bodies to the European Commission. COFRAC accredits the candidate bodies as the technical step before that notification. Both are involved, with distinct roles. ANSSI's accreditation and notification phase runs from June 2026 through December 2026. As of late May 2026, zero notified bodies are designated EU-wide under the CRA. A French manufacturer can still use any EU-notified body for CRA conformity assessment.

Does my CSPN or Visa de Sécurité certification cover CRA conformity assessment?

No, neither substitutes for CRA conformity assessment, although both can produce evidence that supports it. CSPN (Certification de Sécurité de Premier Niveau) is ANSSI's lightweight national product evaluation. Visa de Sécurité is the certification mark that ANSSI grants to CSPN-evaluated products. CSPN maps into the EU fixed-time evaluation methodology through FITCEM EN 17640:2022 alongside the German BSZ and Spanish LINCE methodologies, so its outputs can feed into your CRA technical documentation as supporting evidence. The CRA's own conformity-assessment routes (Module A self-assessment, Module B+C type examination, Module H full quality assurance) operate as a separate chain. If you hold a CSPN or Visa de Sécurité, treat it as input to your CRA file, not as a substitute for the conformity assessment itself.

Which French authority is the CRA market-surveillance authority, ANFR or DGCCRF?

ANFR (Agence nationale des fréquences) is the leading candidate for CRA market surveillance of products with digital elements on the French market, per ANSSI's CRA reference page and the French implementation path. ANSSI provides technical support to ANFR within the market-surveillance framework. DGCCRF retains its long-standing general consumer-product safety role and will continue to surface non-compliant goods at the border or in retail, but it is not the expected CRA market-surveillance authority. The French implementation path would give ANFR sanction powers up to 15 million euros or 2.5% of global annual revenue within the CRA's EU-level ceilings. Verify the final JO text before formal filings.

When will France publish its national CRA implementing decree in the Journal Officiel?

The CRA is an EU Regulation with direct effect, so France does not need to transpose it into national law for the substantive obligations to apply on 11 December 2027. What France does need to publish before 11 June 2026 is a décret or arrêté ministériel that formally confirms the institutional designations (ANFR as market-surveillance authority, ANSSI as notifying authority, CERT-FR as receiving CSIRT) and sets the national fines scale within the CRA's EU-level ceilings. As of 25 May 2026, ANFR, ANSSI and CERT-FR are the leading designations in ANSSI and legislative materials, but I found no final CRA-specific Journal Officiel instrument. Watch the JO for a CRA-specific décret around the 11 June 2026 framework deadline.

Do I need to translate everything into French for B2B sales?

For products placed on the French market with end users in France, yes. The CRA requires user information in French. The Loi Toubon (Law 94-665) independently requires French in consumer information. B2B sales between professionals do have some flexibility under the Loi Toubon, but the CRA obligation does not distinguish on this basis once the product is placed on the French market. Plan to deliver French user information, French support-period disclosure, and French manufacturer contact details across both consumer and professional channels.

Can Bpifrance or France 2030 pay for my CRA compliance tooling?

Where the work is genuine R&D and innovation (new detection methods, SBOM analysis tooling, vulnerability-handling pipelines, CRA-relevant cybersecurity-product development), yes. Bpifrance Cyber PME and France 2030 cybersecurity calls have funded CRA-relevant work directly, and France 2030 is co-financed with the EU Digital Europe Programme for cybersecurity-product calls. Pure compliance work (audits, conformity-assessment fees, internal process build-out) is harder to fit, since France 2030 is innovation-funding rather than compliance-funding. France Num offers regional diagnostic vouchers for SMEs, useful for an initial Plan de Cybersécurité.

I ship from France into other EU Member States. Where do I report incidents?

Through CERT-FR, regardless of which Member States you ship into. The CRA ties notification routing to main establishment, not to per-shipment destination. The language obligation does fan out per market: Spanish-language product information for products shipped to Spain, German-language for products shipped to Germany, and so on. Pre-stage at least the most-requested technical-documentation sections in a widely-used working language to absorb cross-border reasoned requests.

For French manufacturers preparing for 11 December 2027

  1. Confirm your manufacturer obligations using the manufacturer cluster guide.
  2. Verify your main establishment is in France and document the rationale. The location of cybersecurity decision-making, not the registered office, is what matters.
  3. Map your CRA reporting flow to CERT-FR as receiving CSIRT, with a tested submission to the ENISA single reporting platform once it goes live on 11 September 2026.
  4. If your conformity-assessment route needs a notified body, scope COFRAC-accredited and ANSSI-notified bodies as the home option, plus at least one cross-border alternative for resilience.
  5. Plan for ANFR document requests and inspections in French. The Declaration of Conformity must be available in the language France requires, so prepare a French version for the French market.
  6. Translate user instructions and product information into French. The Loi Toubon overlap means this work is already half-done for many French companies. Add per-market translations for any other EU Member States you ship into.
  7. Scope Bpifrance Cyber PME, France 2030 cybersecurity calls, and Prêt Innovation against any R&D-flavoured CRA work. Confirm the current convocation window before banking on it.
  8. Read the supplier due diligence questionnaire for the manufacturer-side component-due-diligence framework.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.

CRA France Vulnerability Management
Share

Related Articles

Back to all articles

Does the CRA apply to your product?

Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.

Check Now

Ready to achieve CRA compliance?

Start managing your SBOMs and compliance documentation with CRA Evidence.

Start 14-Day Free Trial

Deep dive into CRA topics

Evergreen guides covering the specific requirements, processes, and roles defined by the Cyber Resilience Act.

EU Declaration of Conformity

What the Declaration of Conformity must contain, who signs it, and when it is required.

Read guide →
Conformity Assessment

How conformity assessment works under the CRA and when a notified body is required.

Read guide →
Technical Documentation

What CRA technical documentation must contain (Annex VII section by section) and how manufacturers should structure it.

Read guide →
Products

How the CRA classifies products by risk level, with product-specific classification guides.

Read guide →
SBOM Requirements

What the CRA requires for SBOMs and how BSI TR-03183 defines quality criteria.

Read guide →
Vulnerability Reporting

How the 24-hour ENISA notification requirement works and what counts as an actively exploited vulnerability.

Read guide →
Importer Obligations

What Article 19 requires of importers and how to verify manufacturer compliance.

Read guide →
Support Period Planning

What the CRA support period obligation means for security updates and end-of-life planning.

Read guide →
View full CRA compliance guide