CRA for German Manufacturers: BSI, CERT-Bund and CE Marking

Country brief for German manufacturers under the Cyber Resilience Act: BSI as combined market surveillance and notifying authority, CERT-Bund, DAkkS.

CRA Evidence Team Published June 11, 2026

German manufacturers face the same CRA obligations as every other EU manufacturer. What is specific to Germany is the institutional chain, and Germany has built it around one body. The BSI is set to be both the market surveillance authority and the notifying authority for the CRA. One body, both roles, where France and Spain hand those to separate agencies. This is a country brief for Germany. For the full manufacturer obligation set, see the manufacturer cluster guide.

Summary

  • The CRA is an EU Regulation with direct effect. There are no German-specific exemptions for product manufacturers.
  • The BSI (Bundesamt für Sicherheit in der Informationstechnik) is set to become both the CRA market surveillance authority and the notifying authority. The legal basis is the CRA implementing act (Gesetz zur Durchführung der Cyberresilienz-Verordnung), which amends the BSI Act. It is a government bill, BT-Drs. 21/6134, still in the legislative process and not yet adopted.
  • CERT-Bund, the national CERT inside the BSI, is the German operational contact for CRA vulnerability and incident reports when your main establishment is in Germany.
  • DAkkS (Deutsche Akkreditierungsstelle) accredits the candidate conformity-assessment bodies. The BSI then notifies them to the European Commission. The draft BSI Act lets the BSI notify a body without an accreditation certificate in defined public-interest cases.
  • As of 11 June 2026, the date the CRA notified-body framework starts to apply, the European Commission NANDO database shows zero notified bodies designated under the CRA.
  • German is required for the user-facing product information shipped on the German market. The EU Declaration of Conformity must be in the language Germany requires.
  • Germany centralises CRA market surveillance at the BSI. The one exception is high-risk AI systems, where the AI Act's market surveillance authority is responsible instead.
Key figures at a glance:

  • 2 roles, one body: the BSI is set to both surveil the market and notify conformity-assessment bodies.
  • 0 CRA notified bodies listed in NANDO so far.
  • September 2026: reporting goes live via the ENISA platform.
  • €15M maximum fine, or 2.5% of global turnover, whichever is higher.

The BSI runs both market surveillance and notification

This is what is specific to Germany. The draft CRA implementing act designates the BSI as the Marktüberwachungsbehörde (market surveillance authority) and the notifizierende Behörde (notifying authority) in the same statute. The notifying authority decides which conformity-assessment bodies become notified bodies. The market surveillance authority polices products already on the market. In Germany both sit inside the BSI.

Some member states do the same. Others split the two roles across separate agencies.

Member State    Notifying authority    Market surveillance    Reporting CSIRT
Germany         BSI                    BSI                    CERT-Bund
Italy           ACN                    ACN                    CSIRT Italia
Netherlands     RDI                    RDI                    NCSC-NL
France          ANSSI                  ANFR                   CERT-FR
Spain           CCN                    SETID                  INCIBE-CERT

Designated or expected national authorities. Several are still pending final national instruments.

The legal basis is the Gesetz zur Durchführung der Cyberresilienz-Verordnung, the CRA implementing act, which amends the BSI Act (BSI-Gesetz). It is a government bill (Gesetzentwurf der Bundesregierung), published as Bundestag printed paper BT-Drs. 21/6134.

Still a bill, not yet law

The implementing act that gives the BSI these roles is a government bill, still in the legislative process. Plan around the BSI, but verify the enacted text before a formal filing.

Once designated as market surveillance authority, the BSI carries the CRA enforcement powers: it can require corrective action, restrict a product, withdraw it from the market or order a recall, and impose fines of up to 15 million euros or 2.5% of worldwide annual turnover, whichever is higher, for the most serious breaches. The penalties and enforcement guide breaks down the full tier structure.

If the bill passes as drafted, one agency writes the German interpretation guidance, decides who certifies you, and polices you afterwards. That concentration is worth planning around. The BSI is your reference point at almost every step, and it publishes its CRA guidance, manufacturer flyers and an SME helpdesk on its official Cyber Resilience Act page.

CERT-Bund: the German reporting route

CRA notifications route to the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment, the place where your cybersecurity decisions are predominantly taken, not just a sales office. For a manufacturer based in Germany, the operational contact is CERT-Bund, the national CERT inside the BSI. The formal coordinator designation is published through ENISA, so confirm it before your first filing rather than assuming it. If your main establishment is in another Member State and you only ship into Germany, your reports route through that Member State's CSIRT, not CERT-Bund, though the German-language rules below still apply to anything you place on the German market.

The CRA splits reporting into two streams, and they have different clocks. An actively exploited vulnerability needs an early warning within 24 hours of your becoming aware of it, a vulnerability notification within 72 hours of becoming aware, and a final report no later than 14 days after a corrective or mitigating measure is available. A severe incident needs an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of submitting the incident notification. The clocks are anchored differently: the 14-day clock does not start until a fix or mitigation exists, while the one-month clock starts when you submit the incident notification. They are not interchangeable. The vulnerability handling and reporting guide works through both.

You file through the ENISA single reporting platform, which must be operational when the reporting obligations start to apply on 11 September 2026. CERT-Bund receives the report as coordinator CSIRT, and ENISA gets access to it at the same time. The ENISA platform onboarding guide covers registration. For current reporting contacts, see the CERT-Bund page.
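The two streams are easy to conflate in a runbook because the first two stages look identical. The following is an added example, not code from the page, the BSI or CERT-Bund: it models the clocks the article describes, keeps the final-report deadline unset until its anchor event (fix available, or incident notification submitted) has happened, and lists which stages are already overdue at a given time. The calendar-month reading of "one month" and the stage names are assumptions made here; the timestamps in the demo are constructed.

```python
"""Due-date model for the two CRA reporting streams (Art. 14 CRA).

Added example, not code from the page or from the BSI/CERT-Bund. It uses
only the clock lengths the article states; the calendar-month reading of
"one month" and the stage names are assumptions made here.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clock lengths from Art. 14 CRA, as quoted in the article.
EARLY_WARNING = timedelta(hours=24)        # from becoming aware
NOTIFICATION = timedelta(hours=72)         # from becoming aware
VULN_FINAL_AFTER_FIX = timedelta(days=14)  # from a fix or mitigation being available


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the demo and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition with day clamping (31 Jan -> 28/29 Feb).

    Assumption: the Regulation says "one month" without defining it;
    a calendar month, clamped at month end, is the reading used here.
    """
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass(frozen=True)
class ReportClocks:
    stream: str
    early_warning_due: datetime
    notification_due: datetime
    final_report_due: Optional[datetime]  # None while its anchor event has not happened
    final_report_anchor: str


def exploited_vulnerability_clocks(aware_at: datetime,
                                   fix_available_at: Optional[datetime] = None) -> ReportClocks:
    """Actively exploited vulnerability: 24h / 72h from awareness, 14 days after the fix."""
    final = fix_available_at + VULN_FINAL_AFTER_FIX if fix_available_at else None
    return ReportClocks("actively exploited vulnerability",
                        aware_at + EARLY_WARNING, aware_at + NOTIFICATION, final,
                        "14 days after a corrective or mitigating measure is available")


def severe_incident_clocks(aware_at: datetime,
                           incident_notification_sent_at: Optional[datetime] = None) -> ReportClocks:
    """Severe incident: 24h / 72h from awareness, one month after the incident notification."""
    final = add_one_month(incident_notification_sent_at) if incident_notification_sent_at else None
    return ReportClocks("severe incident",
                        aware_at + EARLY_WARNING, aware_at + NOTIFICATION, final,
                        "one month after the incident notification is submitted")


def overdue_stages(clocks: ReportClocks, now: datetime) -> list:
    """Names of the stages whose deadline has passed at `now`.

    A final report whose clock has not started yet is never overdue, which is
    exactly the case a naive 'everything from detection' tracker gets wrong.
    """
    stages = [("early warning", clocks.early_warning_due),
              ("notification", clocks.notification_due),
              ("final report", clocks.final_report_due)]
    return [name for name, due in stages if due is not None and now > due]


if __name__ == "__main__":
    # Constructed scenario: exploitation confirmed on 1 Oct 2026, fix shipped on 20 Oct.
    aware = utc(2026, 10, 1, 9)
    v = exploited_vulnerability_clocks(aware, fix_available_at=utc(2026, 10, 20, 12))
    print(v)
    print("overdue at 5 Oct 10:00:", overdue_stages(v, utc(2026, 10, 5, 10)))
    i = severe_incident_clocks(aware, incident_notification_sent_at=utc(2026, 10, 3, 15))
    print(i)
```

The point of keeping `final_report_due` as `None` until the anchor event is recorded is that a tracker which computes every deadline from the detection timestamp will either raise a false "final report overdue" for a vulnerability still without a fix, or silently miss that the incident final report runs from submission of the notification, not from the incident itself.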

Notified bodies: DAkkS accredits, the BSI notifies

You only need a notified body for some products, mainly the Important and Critical classes. For Important Class I products, fully applying harmonised standards, common specifications or a European cybersecurity certification scheme still lets you self-assess; Important Class II products need a third-party procedure through a notified body regardless, and Critical products follow a certification scheme where one is mandated and the Class II route otherwise. The conformity assessment guide maps your product class to its route.

The German chain has two steps:

  • DAkkS (Deutsche Akkreditierungsstelle) is the national accreditation body. It assesses the technical competence of a candidate conformity-assessment body under Regulation (EC) No 765/2008.
  • The BSI then notifies the accredited body to the European Commission, after which it appears in NANDO as a CRA notified body.

There is one German shortcut worth knowing. The draft BSI Act, as set out in BT-Drs. 21/6134, lets the BSI notify a body without an accreditation certificate in defined public-interest cases. The draft ties this to the Regulation's own target, that Member States should aim to have enough notified bodies in place by 11 December 2026 to avoid bottlenecks. The exception exists because the normal accreditation route may not produce enough bodies in time. Read that as a signal: Germany expects notified-body capacity to be tight.

The capacity problem is real and EU-wide right now. The CRA notified-body framework applies from 11 June 2026. As of that date, NANDO shows zero notified bodies designated under the CRA across the whole Union. Do not name a German body as CRA-designated until it appears in NANDO. A German manufacturer can use any EU notified body once designations appear, not only a German one. Choosing a German body is a procurement preference, not a CRA requirement.

BSI TR-03183: why you will meet it in German procurement

The BSI publishes the technical guideline BSI TR-03183, with parts covering manufacturer and product requirements, the software bill of materials, and vulnerability reports. It is interim technical guidance, not a harmonised standard, and it does not by itself grant the presumption of conformity that a harmonised standard would.

It still matters in Germany for a practical reason. The BSI is set to be your market surveillance authority and is already a heavy reference point in German public and industrial procurement, so German buyers are likely to cite TR-03183 because it is the BSI's CRA-oriented technical guideline. Treat it as the benchmark German counterparties will reach for, and as a sensible internal target while harmonised standards are still being written. The BSI TR-03183 guide covers the required data fields and quality levels in detail.

German-language requirements in practice

The CRA ties language to the audience, not to a blanket rule. User-facing information must be in a language easily understood by users and the market surveillance authority. For products placed on the German market, that is German.

Must be in German:

  • The information and instructions to the user shipped with the product.
  • The manufacturer contact details wherever they appear, on the product, packaging or accompanying document.
  • The end-of-support date disclosed at the point of purchase.

Can be multilingual:

  • The CE marking and the product label.
  • Packaging text and online documentation, provided a German version is reachable.

English is normally accepted for:

  • Internal technical documentation. On a reasoned request, the BSI can require it in a language it easily understands, so plan for that even if you do not translate proactively. Technical documentation tied to a notified-body procedure must be in an official language of the Member State where that body sits, or a language acceptable to it.

The EU Declaration of Conformity must be made available in the languages required by the Member State where the product is placed or made available. For the German market, prepare a German version rather than treating translation as an inspection-only contingency.

The one carve-out: high-risk AI systems

Germany centralises CRA market surveillance at the BSI. The draft implementing act makes that choice on purpose, and its rationale explicitly rejects spreading CRA surveillance across a range of sectoral authorities. For most manufacturers, the BSI is the surveiller.

There is one real exception, and it comes from the CRA itself, not from German law. If your product is a high-risk AI system under the AI Act, the market surveillance authority designated under the AI Act, not the BSI, is responsible for CRA market surveillance of that product. In Germany that authority is designated under the AI Act implementation law (KI-MIG). The two authorities cooperate, but the AI Act side leads.

Who surveils you? Is your product a high-risk AI system under the AI Act?

  • Yes: the AI Act market surveillance authority, designated in Germany under the KI-MIG, handles CRA surveillance, working with the BSI.
  • No: the BSI is your CRA market surveillance authority.

Other regimes overlap with the CRA without changing who surveils it. A product can fall under the Machinery Regulation at the same time as the CRA, and the BSI still runs CRA surveillance while cooperating with the relevant sector authority. In finance, the BSI cooperates with the supervisors under Regulation (EU) 2022/2554 (DORA) rather than handing CRA surveillance to them. The energy and telecom law changes in the same bill are NIS2 corrections, not a CRA reassignment. If you build machinery or industrial automation, expect parallel obligations, not a different CRA surveiller.

Selling cross-border from Germany

A German manufacturer selling into France, Spain, Italy or any other EU Member State keeps the same single-routing rule. Your reports still go to CERT-Bund, because routing follows main establishment, not per-shipment destination. You do not file with the French, Spanish or Italian CSIRT.

The language obligation does fan out per market. A product shipped into the French market needs French user-facing content, a product shipped into the Spanish market needs Spanish, and so on. The German pack does not cover those markets. Each receiving Member State's market surveillance authority can also request your technical documentation in a language it easily understands, so pre-stage the most-requested sections in a widely-used working language.

Funding and financing to verify

There is no CRA-specific German grant. The picture is general digitalisation and security financing, and some of it has lapsed.

  • go-digital is gone. The programme ran only until 31 December 2024, so ignore older guidance that still lists it.
  • Mittelstand-Digital offers free advice and the Mittelstand-Digital Zentren network, not direct cash to individual SMEs.
  • The KfW ERP-Förderkredit Digitalisierung und Innovation (programmes 511/512) is a financing line for digitalisation and IT-security investment, not a CRA subsidy.
  • Federal research-funding calls can support genuine cybersecurity R&D, but check each call case by case and do not treat them as routine CRA compliance grants.

Programme windows and eligibility change often. Confirm the current status of any line before you scope a budget against it.

Frequently Asked Questions

Is the BSI already my CRA market surveillance authority?

Not yet. The BSI is set to become both the market surveillance authority and the notifying authority for the CRA under the German implementing act, the Gesetz zur Durchführung der Cyberresilienz-Verordnung. That act amends the BSI Act and is a government bill, BT-Drs. 21/6134, still in the legislative process and not yet adopted. Plan around the BSI, but verify the enacted law before a formal filing. The penalty ceilings the BSI can apply are set by the Regulation at up to 15 million euros or 2.5% of worldwide annual turnover for the most serious breaches.

Where do I report a vulnerability or incident in Germany?

To CERT-Bund, the national CERT inside the BSI, when your main establishment is in Germany. You file through the ENISA single reporting platform from 11 September 2026, with CERT-Bund as the receiving coordinator and ENISA accessible at the same time. The two streams have different deadlines: an actively exploited vulnerability needs 24-hour, 72-hour and 14-day-after-fix reports, while a severe incident needs 24-hour, 72-hour and a final report within one month of the incident notification. See the vulnerability handling and reporting guide.

Are there German notified bodies I can use today?

As of 11 June 2026, when the CRA notified-body framework starts to apply, NANDO shows zero notified bodies designated under the CRA across the whole EU. Do not rely on any German body being designated until it appears in NANDO. In Germany, DAkkS accredits a candidate body and the BSI then notifies it. The draft BSI Act lets the BSI notify a body without an accreditation certificate in defined public-interest cases, precisely to avoid the EU-wide bottleneck the Regulation itself warns about. A German manufacturer can use any EU notified body, not only a German one. See the conformity assessment guide.

Must my technical documentation and Declaration of Conformity be in German?

The user information, instructions and contact details that ship with the product must be in a language easily understood by users and the market surveillance authority, which is German for the German market. The EU Declaration of Conformity must be in the language Germany requires, so prepare a German version. Internal technical documentation can usually stay in English, but the BSI can request it in a language it easily understands on a reasoned request, and documentation tied to a notified-body procedure must be in an official language of that body's Member State or one acceptable to it.

Does BSI TR-03183 replace the harmonised standards?

No. BSI TR-03183 is interim technical guidance from the BSI, not a harmonised standard, and it does not by itself grant the presumption of conformity that a harmonised standard would. It is still worth following, because the BSI is set to be your market surveillance authority and TR-03183 is its CRA-oriented technical guideline, so German buyers are likely to cite it. Treat it as a practical benchmark while the harmonised standards are still being written. See the BSI TR-03183 guide.

Could a different authority handle CRA surveillance instead of the BSI?

Mostly no. Germany centralises CRA market surveillance at the BSI, and the draft implementing act deliberately rejects spreading it across sectoral authorities. The one real exception comes from the CRA itself: if your product is a high-risk AI system under the AI Act, the market surveillance authority designated under the AI Act is responsible for CRA surveillance too, working with the BSI. In other regulated sectors, such as finance under DORA, the BSI cooperates with the sector supervisor rather than handing surveillance over. See the machinery regulation guide for an example of a regime that applies in parallel with the CRA.

What has to be in place before 11 December 2027?

The full CRA applies from 11 December 2027, but two earlier dates matter more for planning. The notified-body framework already applies from 11 June 2026, and the reporting obligations apply from 11 September 2026 when the ENISA platform goes live. Vulnerability reporting is infrastructure, not a last-minute task, so build the CERT-Bund reporting flow and your evidence trail now. The manufacturer cluster guide sets out the full obligation set to work back from.

For German manufacturers preparing for 11 December 2027

  1. Confirm your manufacturer obligations using the manufacturer cluster guide.
  2. Verify your main establishment is in Germany and document the rationale. The location of cybersecurity decision-making, not the registered office, is what matters.
  3. Map your CRA reporting flow to CERT-Bund as receiving CSIRT, and test a submission to the ENISA single reporting platform once it goes live on 11 September 2026.
  4. If your route needs a notified body, watch NANDO for CRA designations and scope at least one cross-border alternative for resilience.
  5. Prepare German user information, a German Declaration of Conformity, and technical documentation you can hand to the BSI on a reasoned request.
  6. Check whether your product is a high-risk AI system. If it is, the AI Act's market surveillance authority, not the BSI, handles CRA surveillance.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.
