CRA Importer Obligations: What to Verify Before Placing Products on the EU Market

You're importing connected products into the EU. Under the Cyber Resilience Act, you face personal verification obligations before placing anything on the market. If your supplier's documentation is incomplete, you cannot legally sell the product.

This guide covers exactly what you must check and what to do when suppliers fall short.

What the CRA Requires of Importers

The Cyber Resilience Act (Regulation 2024/2847) establishes importers as gatekeepers for the EU market. Your role is to verify that non-EU manufacturers have done their compliance homework before their products reach European consumers.

This isn't a rubber-stamp exercise. Article 19 creates personal liability for importers who place non-compliant products on the market.

Importer vs Distributor: Key Differences

If you're the first entity placing a non-EU manufactured product on the EU market, you're an importer, regardless of what your contracts say.

The 6-Point Verification Checklist

Before placing any product with digital elements on the EU market, verify all six points:

1. Conformity Assessment Completed

The manufacturer must have performed the appropriate conformity assessment:

• Module A (self-assessment): For "default" category products
• Module B+C (EU-type examination): For "Important Class II" products
• Module H (full quality assurance): Alternative for Important/Critical products

Request evidence: the EU Declaration of Conformity (DoC) referencing the assessment module used.

2. EU Declaration of Conformity Exists

The DoC must include:

• Manufacturer name and address
• Product identification (model, type, serial number range)
• Statement of conformity with CRA essential requirements
• Reference to harmonized standards applied (if any)
• Notified body details (if third-party assessment)
• Signature, date, and signatory position

Red flag: A DoC that references only generic "cybersecurity requirements" without CRA/Annex I specifics.

3. CE Marking Correctly Affixed

Verify:

• CE marking is visible, legible, and indelible
• Minimum 5mm height (or proportional for small products)
• Located on product or packaging (if product size prohibits)
• No other markings that could confuse CE meaning

Red flag: CE marking only on outer shipping carton, not on retail packaging.

4. Technical Documentation Available

You don't need to hold the full technical file, but you must confirm:

• Technical documentation exists
• Manufacturer will provide it to authorities upon request
• Documentation covers CRA Annex VII requirements

Request a technical file summary or table of contents as evidence.

5. Manufacturer Contact Information Present

Products must display:

• Manufacturer name
• Registered trade name or trademark
• Postal address for contact
• Single point of contact URL or email (for vulnerability reports)

This information must be on the product itself, or if impossible, on packaging and/or accompanying documentation.

6. Instructions in Target Market Language(s)

User instructions and safety information must be available in the official language(s) of the member state(s) where you'll sell the product.

For EU-wide distribution: At minimum, provide English. Confirm additional languages for specific markets.

How to Verify Non-EU Manufacturer Compliance

Many importers receive confident assurances from overseas suppliers. Assurances are not evidence.

The Documentation Request

Send manufacturers this request before committing to import:

SUBJECT: CRA Compliance Documentation Request

We are evaluating [Product Name/Model] for import into the European Union.

Under EU Regulation 2024/2847 (Cyber Resilience Act), importers must verify
manufacturer compliance before market placement.

Please provide:

1. EU Declaration of Conformity (signed, dated)
2. Technical file table of contents or summary
3. Confirmation of conformity assessment module used
4. CE marking placement confirmation (photo if possible)
5. Support period declaration (minimum 5 years required)
6. Vulnerability handling policy / security contact point

Without this documentation, we cannot proceed with import.

Timeline requested: [X business days]

Evaluating Responses

Red Flags in Manufacturer Responses

Watch for these warning signs:

• Generic DoC: Template language not specific to the product
• Outdated dates: DoC predates CRA enforcement (suggests non-CRA compliance)
• Missing notified body: For Important Class II products, third-party assessment is mandatory
• No security contact: Required for all products with digital elements
• "Pending" compliance: Product cannot be placed on market while compliance is pending

What to Do When Verification Fails

If any verification point fails, you have legal obligations:

Step 1: Stop

Do not place the product on the EU market. Import for warehousing/re-export may still be possible, but market placement is prohibited.

Step 2: Document

Record the specific non-compliance finding:

• Which verification point failed
• What evidence was missing or inadequate
• Date of determination
• Communication with manufacturer

Step 3: Notify Manufacturer

Inform the manufacturer in writing:

• Specific compliance gaps identified
• Documentation required to resolve
• Timeline for response
• Consequence: cannot import until resolved

Step 4: Assess Risk

If the product poses a cybersecurity risk (not just documentation gaps):

• Report to market surveillance authority in relevant member state
• Provide all available documentation
• Cooperate with any investigation

Step 5: Resolve or Reject

Only proceed with import when:

• All six verification points satisfied
• Documentation received and reviewed
• Any risk concerns addressed

When Importers Become Manufacturers

Under Article 22, you become a manufacturer (with full obligations) when you:

Trigger 1: Own Name or Trademark

Placing a product on the market under your brand makes you the manufacturer, regardless of who actually built it.

Examples:

• White-label router sold under your company name
• OEM device with your logo
• Product where your company is listed as "manufacturer" on packaging

Trigger 2: Substantial Modification

Making changes that affect intended purpose or CRA compliance.

Manufacturer Obligations (If Triggered)

If you become a manufacturer, you must:

• Conduct cybersecurity risk assessment
• Prepare full technical documentation (Annex VII)
• Perform conformity assessment (appropriate module)
• Issue your own EU Declaration of Conformity
• Affix CE marking under your responsibility
• Establish vulnerability handling process
• Provide security updates for support period (minimum 5 years)
• Report exploited vulnerabilities to ENISA within 24 hours

Documentation and Retention

What to Keep

• EU Declaration of Conformity (copy)
• Technical file summary or access confirmation
• Your verification records (checklist, correspondence)
• Evidence of manufacturer communication
• Import documentation (customs, shipping)

How Long

10 years from the date the last unit was placed on the market.

If you import a batch in 2027 and sell the final unit in 2029, retention ends in 2039.

Format

Digital storage is acceptable. Ensure:

• Files are accessible and readable
• Backup procedures in place
• Can be produced within reasonable time upon authority request

Common Pitfalls

"CE marking means they're compliant"

CE marking indicates the manufacturer claims compliance. Your job is to verify the underlying documentation. A CE mark without supporting documentation is a red flag.

"Our supplier has been reliable for years"

Past reliability with other regulations doesn't guarantee CRA compliance. The CRA is new, and many established manufacturers are still implementing requirements.

"Verbal assurances from our sales contact"

Regulatory compliance requires documentation. A sales representative's assurance has no legal weight. Get it in writing, or don't import.

"We'll verify after the shipment arrives"

Verification must occur before market placement. You can import goods into a warehouse, but you cannot sell them until verification is complete. Late verification creates inventory and cash flow risk.

"We're just the distributor"

If you're the first entity placing non-EU manufactured goods on the EU market, you're an importer, not a distributor. Distributor obligations are lighter, but only apply after an importer has already done their verification.

Pre-Import Verification Checklist

Use this checklist before every import decision:

CRA IMPORTER VERIFICATION CHECKLIST

Product: _______________________________________
Manufacturer: __________________________________
Date: _________________________________________

DOCUMENTATION RECEIVED:
[ ] EU Declaration of Conformity
[ ] Technical file summary/TOC
[ ] Conformity assessment evidence (module used: _____)
[ ] Security contact / vulnerability policy
[ ] Support period declaration

PHYSICAL VERIFICATION:
[ ] CE marking present and correctly formatted
[ ] Manufacturer name and address on product/packaging
[ ] User instructions in target market language(s)
[ ] Single point of contact for vulnerabilities

ROLE ASSESSMENT:
[ ] Product will be sold under manufacturer's brand (not ours)
[ ] No firmware or hardware modifications planned
[ ] No changes to intended purpose or security features

DECISION:
[ ] PROCEED - All verification points satisfied
[ ] HOLD - Awaiting documentation (specify: ___________)
[ ] REJECT - Verification failed (document reasons)

Verified by: ___________________________________
Date: _________________________________________

Next Steps

Verification is the first step. Once products are on the market, importers must:

• Monitor for manufacturer communications about vulnerabilities
• Cooperate with any recall or corrective action
• Notify authorities if manufacturer ceases operations
• Maintain documentation for the 10-year retention period

CRA Evidence helps importers manage the complete verification workflow:

• Manufacturer Address Book: Track supplier compliance status
• Verification Checklists: Structured Article 19 workflow
• Document Storage: Centralized compliance evidence
• Expiration Alerts: Certification and support period tracking

Start your importer verification workflow at app.craevidence.com.

Related Guides

• CRA Product Classification: Is Your Product Default, Important, or Critical?
• CRA Distributor Checklist: 5 Verification Steps for Every Product
• When Importers Become Manufacturers Under CRA: Role Escalation Explained

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.