CRA Importer Checks and 10-Year Retention Rule (Article 19)

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) treats the importer as the legal channel through which a non-EU manufacturer reaches the EU market. From 11 December 2027, Article 19 makes the importer personally responsible for verifying CRA conformity before any product with digital elements is placed on the Union market. This page covers the four pre-market checks under Article 19(2), the post-market duties under Article 19(3) to (8), the retention rule, and the role boundaries that decide whether you are an importer at all under Article 3(13) and Article 3(16).

Summary

  • Four pre-market checks (Article 19(2)): conformity assessment carried out, technical documentation drawn up, CE + EU DoC + Annex II language present, and Article 13(15), (16) and (19) compliance.
  • Refusal duty (Article 19(3)): if the product or the manufacturer's processes are not in conformity, do not place on market; inform manufacturer and market surveillance authorities where there is significant cybersecurity risk.
  • Post-market duties (Article 19(5) to (8)): corrective measures and recall as needed, vulnerability-awareness reporting, cooperation with market surveillance, and reporting if the manufacturer ceases operations.
  • Retention (Article 19(6)): 10 years or for the support period, whichever is longer.
  • You are not an importer if you market under your own name. Article 3(13) catches you as manufacturer instead, with the full Article 13 and 14 obligation set.

  • 4 pre-market checks: Article 19(2) (a) to (d)
  • 10y+ DoC retention: Article 19(6) or support period
  • €10M / 2% importer-tier fine: Article 64(3)
  • €15M / 2.5% if you fit Article 3(13): Article 64(2)

Four checks, retention longer than ten years, two penalty tiers depending on whether you are actually the importer.

A CE mark is a manufacturer claim, not a certificate

The CE mark is the manufacturer's declaration that the product complies. Article 19(2) makes the importer responsible for verifying the documentation behind the claim. CE with no DoC and no technical documentation availability is not a defence; it is an Article 19(3) trigger to refuse market placement.

Who Is an Importer under the CRA?

Article 3(16) defines the importer verbatim:

"Importer" means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union.

You are an importer for CRA purposes if all three apply:

| Element | Test |
| --- | --- |
| Established in the Union | Your legal entity is registered in an EU Member State |
| Place on the market | You first make the product available on the Union market for distribution or use in the course of a commercial activity (Article 3(21) and (22)) |
| Bears a non-EU name or trademark | The name or trademark on the product, packaging or documentation is that of a person established outside the Union |

If any of the three fails, you are not the importer. If the product carries your own name or trademark you are the manufacturer under Article 3(13). If you are not the first EU entity placing the product on the Union market you are the distributor under Article 3(17). If a non-EU manufacturer has appointed you to act on its behalf by written mandate without you placing the product on the market yourself, you are the authorised representative under Article 18 and Article 3(15), not the importer.

The importer is the first legal channel through which a non-EU manufacturer reaches the Union market and carries personal liability for what flows through that channel.

Article 19 at a Glance

| Para | Duty | Key point |
| --- | --- | --- |
| 19(1) | General compliance | Place only products that comply with Annex I Part I, where manufacturer's processes comply with Part II. |
| 19(2) | Pre-market verification (a) to (d) | Conformity assessment + technical documentation + CE/DoC/Annex II + Article 13(15), (16), (19). Importer must be able to provide documents proving fulfilment. |
| 19(3) | Refusal duty | Do not place on market if product or processes non-conformant. Inform manufacturer + market surveillance where significant cybersecurity risk. Non-technical risk factors trigger Article 54(2). |
| 19(4) | Importer identification | Own name, trade name or trademark, postal address, digital contact on product, packaging or accompanying document. |
| 19(5) | Post-market corrective | Withdrawal or recall as appropriate. Vulnerability awareness: inform manufacturer without undue delay; inform market surveillance authorities of every Member State of supply where significant cybersecurity risk. |
| 19(6) | Retention | Keep DoC at disposal of authorities for 10 years or support period, whichever is longer. Ensure technical documentation can be made available on request. |
| 19(7) | Cooperation | On reasoned request from market surveillance, provide all information and documentation in a language the authority understands. |
| 19(8) | Manufacturer ceased operations | Inform market surveillance authorities and, by any means available, the users. |

None of these obligations carry an SME threshold. The Article 64(10) exemption is limited to manufacturer-tier deadlines under Article 14(2)(a) and 14(4)(a), and to open-source software stewards.

Importer vs Distributor

The legal trigger is which party first places the product on the Union market.

| Aspect | Importer (Article 19) | Distributor (Article 20) |
| --- | --- | --- |
| Position | Established in the Union; places a product bearing a non-EU person's name on the market | Anyone making the product available after the importer, without affecting its properties |
| Verification | Full Article 19(2) (a) to (d) including Article 13(15), (16), (19) | Verifies CE, plus Article 13(15), (16), (18), (19), (20) and Article 19(4) presence |
| Documentation | Must be able to provide documents proving Article 19; ensures Annex VII can be made available | Cooperates with authorities; presence-based verification |
| Refusal | Article 19(3) | Article 20 |
| Vulnerability awareness | Article 19(5) | Article 20 |
| Retention | DoC for 10 years or support period, whichever is longer | None specific; cooperate on request |
| Penalty tier | EUR 10 000 000 or 2% (Article 64(3)) | EUR 10 000 000 or 2% (Article 64(3)) |

Calling the role "distribution" in a private agreement does not move the public-law obligation. If your entity first places a non-EU product on the Union market, you are the importer.

The Four Pre-Market Checks

1. Conformity Assessment Carried Out (Article 19(2)(a), Article 32)

The manufacturer must have run the assessment route appropriate to the product class. Request the EU Declaration of Conformity that names the assessment module used and, where a notified body was involved, the certificate number and the body's four-digit identification number after the CE mark.

| Module | When |
| --- | --- |
| A (internal production control) | Default-class products only |
| B + C (EU-type examination + production control) | Important Class II by default; Class I where no relevant harmonised standard is applied |
| H (full quality assurance) | Alternative for Important products; required for Critical products absent a European cybersecurity certification scheme |

See the conformity assessment cluster guide.

2. Technical Documentation Drawn Up (Article 19(2)(b), Article 31, Annex VII)

The importer is not required to hold the full Annex VII file but must be able to prove fulfilment of Article 19 (closing sentence of 19(2)) and ensure the file can be made available to authorities on request (Article 19(6)). Request: a table of contents covering each Annex VII section, plus a written commitment from the manufacturer to produce the underlying file in a defined window and language. See the technical documentation cluster guide.

3. CE Marking, EU DoC and Annex II Instructions (Article 19(2)(c), Article 30, Article 13(20), Annex II)

Three artefacts must travel with the product.

| Artefact | Constraint |
| --- | --- |
| CE marking (Article 30) | At least 5 mm high, visible, legible, indelible, on product or data plate. Notified-body identification number follows the mark where applicable. CE only on outer carton is non-compliant. |
| EU DoC (Article 13(20), full content per Article 28 + Annex V) | Either full DoC with the product or simplified DoC containing the exact internet address of the full DoC. Generic "cybersecurity requirements" with no Annex I citation is a defect. |
| Annex II information and instructions | In a language easily understood by users and market surveillance of the Member State concerned. Manufacturer identity, intended purpose, support-period end date, secure configuration, secure decommissioning, vulnerability-reporting address. |

4. Article 13(15), (16) and (19) Compliance (Article 19(2)(d))

Three discrete manufacturer duties cross-referenced from Article 19(2)(d):

| Cite | Duty | Importer check |
| --- | --- | --- |
| 13(15) | Type, batch or serial number for product identification (or on packaging if the product cannot bear it) | Confirm element on product or packaging |
| 13(16) | Manufacturer name, trade name or trademark, postal address, digital contact, also reproduced in Annex II | Confirm on product, packaging or accompanying document |
| 13(19) | Support-period end date specified at time of purchase, including at least month and year | Confirm month + year visible at point of sale |

A product without a stated month-and-year end date is non-conformant under Article 19(2)(d) on Article 13(19) grounds, regardless of every other check passing.

An adjacent duty worth treating as a refusal trigger is the Article 13(17) single point of contact. Article 13(17) requires that users can choose their preferred means of communication and that the means must not be limited to automated tools. A chatbot-only contact is non-conformant. Without a working single point of contact upstream, the Article 14 vulnerability reporting flow is broken from day one.

Verifying Non-EU Manufacturer Compliance

Verbal assurances are not Article 19(2) evidence. Send the documentation request before signing any import contract.

SUBJECT: CRA Compliance Documentation Request

We are evaluating [product / model] for import into the European Union under
Regulation (EU) 2024/2847 (Cyber Resilience Act). Please provide the following
before we proceed:

1. EU Declaration of Conformity (full or simplified per Article 13(20)),
   citing Annex I requirements and the Article 32 module used, with notified
   body certificate number where applicable.
2. Annex VII technical documentation table of contents, plus a written
   commitment to produce the underlying file in [language] within [X] days.
3. Confirmation of the support period (Article 13(8): at least 5 years or
   the expected in-use period if shorter, with rationale).
4. Support-period end date (month and year) as it will appear at point of
   purchase under Article 13(19).
5. Single point of contact under Article 13(17), with confirmation it is
   not limited to automated tools.
6. Coordinated vulnerability disclosure policy (Annex I Part II).
7. CE marking placement evidence on product or data plate.
8. Annex II user instructions in [target Member State language(s)].

Requested response window: [X] business days.

What to Refuse and Why

| Signal | Action |
| --- | --- |
| Complete documentation | Proceed to Article 19(2) review |
| Partial, balance "in progress" | Hold; document the gap |
| "CE under EMC, RED or LVD" | Insufficient. Request CRA-specific DoC and Annex VII. |
| "Out of CRA scope" verbal claim | Request written scope analysis citing Article 2 and Annex III/IV |
| "Notified body certificate pending" | Article 32 must be complete before market placement |
| Single point of contact is chatbot only | Article 13(17) violation; refuse |
| DoC date pre-11 December 2027, no CRA-specific update | Refuse |
| Missing notified-body number on Class II / Critical | Refuse |
| Support period under 5 years with no in-use justification | Refuse |
| Missing month + year support-period end date | Refuse |
| Instructions only in manufacturer's domestic language | Refuse for the affected Member State |
| Refusal or non-response | Do not import |

When Verification Fails

Article 19(3) creates a stop-and-inform duty.

  1. Stop. Do not place on the EU market. Customs warehousing or re-export remains possible until conformity is restored.
  2. Document. Record which Article 19(2) check failed, whether it concerns the product or the manufacturer's processes, the date and signatory.
  3. Notify the manufacturer in writing. Specify the gap, the documentation required, the timeline.
  4. Assess cybersecurity risk. Significant risk: inform market surveillance of the Member State concerned (Article 19(3) first subparagraph). Non-technical risk factors: inform under Article 19(3) second subparagraph; authorities then follow Article 54(2).
  5. Resolve or reject. Proceed only when all four checks pass. Otherwise reject the import.

After market placement, Article 19(5) takes over: corrective measures, withdrawal or recall as appropriate, manufacturer notification on vulnerabilities without undue delay, market-surveillance notification of every Member State of supply where the product presents significant cybersecurity risk. Article 19(8): if the manufacturer has ceased operations, inform market surveillance and, by any means available, the users.

Role Boundaries: Are You Actually the Importer?

The hardest classification question is not "what does an importer do" but "am I the importer at all". The Cyber Resilience Act answers this through Article 3 definitions, not through Article 22.

Article 3(13), manufacturer: develops or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark.

Article 3(16), importer: a person established in the Union who places on the market a product bearing the name or trademark of a person established outside the Union.

Read together: the same logistical act is "import" only when the product carries the non-EU person's name. Mark it with your own brand and you fit Article 3(13), not 3(16). You are, and always were, the manufacturer for that product. There is no "Article 22 escalation" for importers. Article 22 explicitly excludes importers ("other than the manufacturer, the importer or the distributor"); it covers third-party modifiers like system integrators or value-added resellers who are outside the Article 3 chain.

Branding Test

| Situation | Classification |
| --- | --- |
| Sell under "AcmeTech" brand | Manufacturer (Article 3(13)) |
| "Distributed by AcmeTech" alongside prominent original brand | Importer (Article 3(16)) |
| Replace all original branding with your own | Manufacturer (Article 3(13)) |
| Small distributor sticker alongside original branding | Depends on prominence; reasonable-buyer test |
| Marketing presents you as the source even where the device shows the upstream factory | Manufacturer (Article 3(13)) |

Substantial Modification Test (Article 3(30))

A change after placing on the market that affects compliance with Annex I Part I or modifies the intended purpose for which the product was assessed.

| Likely substantial | Likely not substantial |
| --- | --- |
| Custom firmware installation | Manufacturer-issued security patches that preserve intended purpose |
| Adding remote management or telemetry | Localising printed documentation |
| Hardware changes to security functions | Outer packaging changes |
| Replacing cryptographic implementations | Bundling compatible accessories without integration |
| Changing authentication or authorisation | |
| Adding network connectivity to a previously offline product | |

Where an importer substantially modifies a product, Article 22 does not formally apply (it excludes importers). The defensible reading: substantial modification removes you from Article 3(16) because the product is no longer the same product the non-EU manufacturer placed on the market. The safe path is to treat the modifier as manufacturer for that variant under Article 3(13).

Cost of Reclassification

| Cost area | Importer (Article 3(16)) | Manufacturer (Article 3(13)) |
| --- | --- | --- |
| Conformity assessment | Verify the manufacturer's | Carry out own (Module A) or pay a notified body (Module B+C, Module H) |
| Technical documentation | Verify access | Author and maintain (Article 31, Annex VII) |
| Vulnerability handling | Pass reports upstream; corrective measures (Article 19(5)) | Run intake, triage, remediation, CVD policy, Article 14 reporting |
| Security updates | Pass through | Develop, sign, distribute for support period; remain available 10 years or remainder (Article 13(9)) |
| Penalty exposure | Up to EUR 10M or 2% (Article 64(3)) | Up to EUR 15M or 2.5% (Article 64(2)) |

Practical Scenarios

| Scenario | Classification |
| --- | --- |
| White-label tablets sold under EU entity's brand | Manufacturer (Article 3(13)) from day one |
| Pre-configured enterprise routers under original brand, with security-relevant config profiles | Manufacturer (Article 3(13)) for the configured variant; or arrange with original manufacturer to cover under their DoC |
| Manufacturer-issued security patches applied before sale | Importer (Article 3(16)); document patches were manufacturer-supplied |
| Custom firmware build for enterprise customers | Two-track: standard SKU as importer, custom SKU as manufacturer |
| Bundle marketed as integrated system | Manufacturer of the bundle (Article 3(13)) |

Strategies for Staying as Importer

  • Keep the original manufacturer's name and "manufactured by" identification visible. Yours stays as "imported by" under Article 19(4).
  • Apply only manufacturer-issued patches that preserve intended purpose.
  • Do not change security-relevant configuration before resale; route customer customisation through the original manufacturer.
  • Document each product as "unmodified by importer" with a checklist mapping to Article 3(30).

Documentation and Retention

Article 19(6): keep the EU Declaration of Conformity at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer, and ensure the technical documentation can be made available on request. A product with a 12-year support period drives a 12-year retention obligation.

The importer retains: DoC (full or simplified per Article 13(20)), Annex VII table of contents and the manufacturer's commitment to produce the underlying file, the importer's own four-check verification record (decision, date, signatory), manufacturer correspondence, customs and batch records with first-placement dates, and Article 19(5) corrective and notification records.

Where Article 3(13) classification applies (own brand or substantial modification), the regime becomes Article 13(13): same 10-year-or-support-period retention plus the technical documentation in the manufacturer's own name and the full conformity-assessment evidence chain.

Digital storage is acceptable. Files must remain accessible, readable, and producible within a reasonable window in a language the authority understands.

Common Pitfalls

| Claim | Why it fails |
| --- | --- |
| "CE means they are compliant." | CE is a manufacturer claim. Article 19(2) requires verification of the documentation behind it. |
| "Our supplier has been reliable for years." | EMC, RED and LVD compliance does not transfer to CRA's Annex I Part II vulnerability handling, support-period and Article 14 reporting. |
| "Verbal assurances from our sales contact." | Article 19(2) requires documentation; a sales rep has no legal weight. |
| "We will verify after the shipment arrives." | Verification must occur before market placement. Customs warehousing is fine; market is not. |
| "It is just a sticker with our logo." | If the sticker presents you as the source, Article 3(13) classification fires. There is no size threshold. |
| "Article 22 makes us a manufacturer if we modify." | Article 22 excludes importers. The legal basis is Article 3(13), not Article 22 (the practical outcome is the same). |
| "The manufacturer said we could rebrand." | Article 3(13) is definitional. Private agreements cannot rewrite the definition. |
| "Our chatbot is the single point of contact." | Article 13(17) requires user-chosen means of communication, not limited to automated tools. |

Frequently Asked Questions

What is an importer under the CRA?

An EU entity placing a non-EU-branded product on the Union market. Three elements must all be present: established in the Union, first to make the product available on the Union market, and the product bears a non-EU person's name or trademark. If the product carries your own brand, you are not the importer; you are the manufacturer (Article 3(16); first placing at Article 3(21); rebranding flips you to manufacturer at Article 3(13)).

Am I an importer or a distributor?

The line is the first placing on the market. You are the importer if you are the first EU entity placing a non-EU-branded product on the Union market. You are the distributor if you make the product available after the importer, without affecting its properties. If you buy a non-EU product from another EU company that already imported it, that other company is the importer and you are the distributor. If you buy directly from the non-EU manufacturer and place the product on the EU market yourself, you are the importer (Articles 3(16) and 3(17); importer obligations at Article 19; distributor obligations at Article 20).

Importer vs authorised representative: what is the difference?

Different jobs. The AR is documentation custody for the manufacturer; the importer physically places the product on the market. The AR holds the EU DoC and technical documentation at the disposal of market surveillance authorities and cooperates with those authorities, but does not place the product on the market. The importer carries the four-check verification duty before market placement. A non-EU manufacturer may appoint an AR for documentation and cooperation; it still needs an importer (or its own EU entity) to actually place the product on the market. An AR appointment does not transfer engineering, risk-assessment, vulnerability-handling or conformity-assessment duties (AR mandate at Articles 3(15) and 18(1)–(3); importer at Articles 3(16) and 19; AR mandate cannot cover Articles 13(1)–(11), 13(12) first subparagraph, or 13(14)).

Are there SME exemptions for importers?

No exemption from the obligations themselves. Article 19 applies to importers regardless of size. The CRA's SME concession on penalties is for manufacturers, not importers, and only for the 24h early-warning deadlines. The OSS-steward exemption applies to stewards, not importers. Authorities must give due regard to the size of the offender (including SMEs and start-ups) when setting fine amounts in individual cases, but that is a sentencing factor, not an obligation exemption (Article 19 applies to all sizes; SME concession at Article 64(10)(a) is for manufacturers, not importers, and only for the 14(2)(a) and 14(4)(a) deadlines; OSS-steward exemption at Article 64(10)(b); sentencing factor at Article 64(5)(c)).

When do CRA importer obligations apply?

From 11 December 2027. From that date, no product with digital elements may be placed on the EU market unless the importer has carried out the Article 19(2) verification. Article 14 reporting starts earlier (11 September 2026) but is a manufacturer obligation; the importer's role is to verify that the manufacturer's single point of contact is in place and not limited to automated tools (Article 71 applicability; Article 19 from 11 December 2027; Article 14 reporting from 11 September 2026 is on the manufacturer; importer's role is to verify the Article 13(17) single point of contact).

Does rebranding alone make the importer a manufacturer?

No. The rebrand reveals you were always the manufacturer. The importer definition is restricted to persons placing on the market products bearing a non-EU person's name. Marketing under your own brand removes you from the importer category and places you in the manufacturer category. The original manufacturer's DoC and CE no longer cover the rebranded product. There is no Article 22 escalation here; Article 22 covers third-party modifiers who are neither manufacturer, importer nor distributor (Article 3(13); the importer definition at Article 3(16) is restricted to non-EU brands; Article 22 covers third-party modifiers, not importers).

Are security patches ever a substantial modification?

Not when the patches are issued by the original manufacturer and preserve intended purpose, behaviour and security architecture. A patch that does more than fix a vulnerability (adds features, changes authentication, expands attack surface) leaves the exemption (Article 3(30); Annex I Part II treats manufacturer-issued security updates as part of vulnerability handling).

How long must an importer keep the EU Declaration of Conformity?

At least 10 years after the product is placed on the market or for the support period, whichever is longer. A product placed in 2028 with a 12-year support period drives retention until 2040. The same duty requires the importer to ensure the technical documentation can be made available on request. Digital storage is acceptable (Article 19(6)).

What does the importer have to do if documentation has gaps?

Stop and inform. Do not place on market until the gap is closed. Notify the manufacturer in writing. Where the product presents a significant cybersecurity risk, inform market surveillance of the Member State concerned. The duty also extends to non-technical risk factors; authorities then follow the relevant procedure. Goods may sit in customs warehousing while the gap is open (Article 19(3); non-technical risk factors trigger Article 54(2)).

What happens to the original CE marking when the EU entity becomes the manufacturer?

It no longer covers the product as the EU entity places it on the market. The EU entity issues its own DoC and affixes CE under its own responsibility (Article 3(13); fresh DoC under Article 13(20); fresh CE under Article 30).

Does the five-year support period restart when the EU entity becomes the manufacturer?

Yes. The support period runs from the date the EU entity places the rebranded or modified product on the market. The "at least 5 years" floor applies, with the exception that products expected to be in use for less than 5 years take a support period equal to the expected use time. Cost lands in support resources and supplier contracts (the upstream factory must commit inputs for at least your support period) (Article 13(8)).

Does the EU entity need a notified body if the original manufacturer used one?

For Class II or Critical products that are substantially modified, almost always yes. The original certificate was tied to the product as designed; substantial modification invalidates it. Rebranding alone of a Class II or Critical product also requires a fresh DoC in the EU entity's name. See the conformity assessment and product classification guides (Article 3(30); Module A only for default-class; Module B+C or H requires a notified body for Class II / Critical).

What to do before 11 December 2027

  1. Confirm in writing whether each imported product line is Article 3(16) (importer) or Article 3(13) (manufacturer). Branding decides.
  2. Send the documentation request above to every non-EU supplier. Track replies per Article 19(2) check.
  3. Build the four-check + Article 19(4) own-identification step into receiving inspection.
  4. Where Article 3(13) applies (own brand or substantial modification), build the manufacturer infrastructure: Annex VII, conformity assessment, DoC, vulnerability handling, Article 14 reporting.
  5. Set retention for at least 10 years or the support period, whichever is longer (Article 19(6); Article 13(13) when classified as manufacturer).