Multi-Role CRA: Manufacturer, Importer, Distributor
CRA playbook for companies that manufacture, import and distribute: role mapping, obligation stacking, vulnerability routing, penalties and conflict points.
In this article
- Summary
- How multi-role companies fail differently
- The multi-role obligation stack
- Organisational structure options
- Cost allocation example
- Conflicting-timeline scenarios
- Vulnerability notification fan-out
- Authority-request triage across roles
- Penalty exposure when you're multi-role
- Cross-Member-State multi-role topology
- When the same legal entity is AR, importer, and manufacturer
- When roles shift mid-lifecycle
- Business continuity when the multi-role org folds
- Frequently Asked Questions
Your company manufactures smart sensors in Germany, imports complementary devices from a Taiwanese supplier, and distributes another vendor's software. Under the CRA, you are simultaneously a manufacturer, importer, and distributor. The single-role cluster guides cover each obligation set in isolation. This page is what multi-role compliance teams actually need: the operational layer where roles stack, conflict, and bleed into each other. For per-role obligations themselves, follow the links to the manufacturer cluster, importer cluster, and distributor cluster.
Summary
- Role is determined per product, not per organisation. A multi-role company has a different obligation set per product line. Map every product first.
- Some compliance infrastructure consolidates across roles, some does not. A single document store, a single vulnerability intake, and a single SBOM tool work across roles. A single reporting clock, a single retention policy, and a single CVD policy do not.
- Penalty exposure stacks. A single incident can trigger the manufacturer-tier penalty for one product and the importer-tier or distributor-tier penalty for another. Multi-role companies model dual-tier exposure.
- Cross-Member-State multi-role topology amplifies everything. When you manufacture in one Member State, import to a second, and distribute in a third, you are dealing with three different market-surveillance authorities, three different national languages for user information, and three parallel notification routes when a vulnerability surfaces.
How multi-role companies fail differently
Single-role companies fail at the obligations of their one role. Multi-role companies fail at the seams between roles. Three failure modes recur.
Split-brain compliance. Each role's team operates against its own playbook without a shared product-to-role map. Sales sells the white-label product under your brand on Monday. The manufacturer team never gets the rebrand notice. The conformity assessment for the rebadged product never runs. Three months later a market-surveillance authority asks for the manufacturer evidence chain on a unit that was sold under your brand but is documented as an imported third-party product. The legal position is indefensible.
Policy collision. Two roles' policies are applied to the same product because the role wasn't pinned. Your CVD policy says 90 days. Your supplier's policy says 120 days. Without a clear per-product role assignment, your engineering team uses the policy attached to the role they think you have, not the role the CRA assigns to that product.
Supplier audit redundancy. As an importer, you run pre-market verification on a supplier's product. As a manufacturer with the same supplier as a component vendor, you run component due diligence on the same supplier. Same supplier, two evidence files, two budgets, two interviews. The audit can be consolidated, but only if your role-per-product map is explicit enough to make the dual-purpose claim defensible.
The multi-role obligation stack
Some compliance infrastructure consolidates across roles. Some stays role-separate. The table below is the operational layer multi-role companies need before they invest in tools, processes, or org structure.
| Infrastructure | Consolidates across roles | Stays role-separate |
|---|---|---|
| Document storage | Yes. One file system with per-product folders works. | Folder structure must indicate the role(s) attached to each product. |
| Vulnerability intake | Yes. One inbox, one ticket queue can receive reports across product lines. | Routing rules differ. Manufacturer products escalate to the engineering team. Imported products escalate to the supplier and to importer-side verification. |
| SBOM tooling | Yes. Same generator works for manufactured firmware and for received supplier SBOMs (when supplied). | Authority over the SBOM differs: yours for manufactured products, the supplier's for imported. |
| Coordinated vulnerability disclosure policy | No. | Manufacturer products run your CVD policy. For imported products, the manufacturer's policy applies and your role is to verify it exists and is reachable. |
| Reporting clock | No. | Manufacturer products use the manufacturer reporting runbook. Importer and distributor escalation stays in the market-surveillance lane. |
| Single point of contact for vulnerability reports | No. | Manufacturer's contact is on your manufactured products. Imported product receivers see the original manufacturer's contact (which you verified at intake) and route through to that contact. |
| Document retention | No. | Retention is configured from the product role and evidence pack. Do not apply one archive rule to every folder. |
| Penalty tier | No. | Manufacturer-tier penalty applies when the breaching product is one you manufacture. Importer-tier or distributor-tier applies otherwise. |
| Conformity-assessment evidence chain | No. | Yours for manufactured products. The original manufacturer's for imported and distributed products. The importer holds a pointer. The distributor holds a presence check. |
The infrastructure that consolidates is the multi-role efficiency win. The infrastructure that stays role-separate is where compliance teams trip up if they assume one policy can serve every product.
Organisational structure options
Three patterns work for a multi-role compliance org. Pick the one that matches your portfolio.
Option 1: Role-based teams. Separate teams for manufacturer, importer, and distributor activity. Best when each role has substantial volume.
```text
Compliance Department
├─ Manufacturing Compliance Team → all manufacturer obligations
├─ Import Compliance Team → supplier verification, import docs
└─ Distribution Compliance Team → partner relationships, distribution records
```
Option 2: Product-based teams. One team per product line, owning every role for the products in that line. Best when product lines are narrow and roles per line are mixed.
```text
Compliance Department
├─ Product Line A Team (sensors) → all roles for sensor products
├─ Product Line B Team (controllers) → all roles for controller products
└─ Shared Services → document management, SBOM tools, training
```
Option 3: Hybrid (recommended for most). Shared core services plus role-specialised teams. Single document store and vulnerability intake, but separate manufacturer and supplier/partner teams.
```text
Compliance Department
├─ Core Compliance → document mgmt, vulnerability intake, training
├─ Manufacturer Compliance → conformity assessment, technical files, updates
└─ Supplier/Partner Compliance → import verification, distributor relationships
```
Cost allocation example
A practical budget split for a multi-role company with 5 manufactured products, 10 imported, and 15 distributed.
Multi-role compliance budget (annual):
| Budget line | Annual cost |
|---|---|
| Shared infrastructure (40% of budget) | |
| Compliance management system | $25,000 |
| Document management | $10,000 |
| Training program | $15,000 |
| Vulnerability intake | $10,000 |
| Subtotal, shared infrastructure | $60,000 |
| Manufacturer role (35% of budget) | |
| Conformity assessment (5 products) | $25,000 |
| SBOM tooling | $8,000 |
| Update infrastructure | $15,000 |
| Technical file maintenance | $5,000 |
| Subtotal, manufacturer role | $53,000 |
| Importer role (20% of budget) | |
| Supplier verification (10 products) | $20,000 |
| Documentation requests | $5,000 |
| Supplier monitoring | $5,000 |
| Subtotal, importer role | $30,000 |
| Distributor role (5% of budget) | |
| Partner verification | $5,000 |
| Record keeping | $2,500 |
| Subtotal, distributor role | $7,500 |
| Total | $150,500 |
The 40% shared-core slice is the multi-role efficiency win. The 35% manufacturer slice expands sharply if any imported product crosses into manufacturer status because you start branding it or substantially modifying it.
Conflicting-timeline scenarios
Multi-role companies hit timeline conflicts that single-role companies never see.
Conflicting CVD windows. Your manufactured products run a 90-day coordinated-vulnerability-disclosure window. Your supplier (whose products you import) insists on 120 days. Resolution: separate policies by role. Your CVD policy applies only to products you manufacture. For imported products, the manufacturer's policy is the one that matters. Your role is to verify it exists, is reachable, and is consistent with the CRA minimum.
Documentation-standard mismatch. Your manufacturer technical file template follows your internal documentation standard. Your supplier's documentation is structured to its own domestic regime. Resolution: keep separate templates per role. Do not force supplier documentation into your manufacturer template, or you will lose verifiability when a market-surveillance authority asks for the original source.
Supplier non-cooperation. You are an importer, but your supplier will not provide the documentation you need for pre-market verification. Resolution: the deal is broken. Without the documentation, you cannot legally place the product on the EU market. Hold the shipment, formalise the documentation request in writing, and if the supplier still refuses, change supplier.
Support-period cascade. As manufacturer, you commit a 7-year support period for your own product. The same product line includes a rebadged OEM component you also imported (so you are both manufacturer of one variant and importer of another). The OEM commits only 5 years for the imported variant. Your customers may see both variants on your shelf. Resolution: communicate the per-variant support period clearly at point of sale. Do not let your marketing claim one envelope across both variants.
ENISA SRP access boundary. The ENISA Single Reporting Platform is the manufacturer-side reporting channel. Multi-role companies set up SRP access for their manufacturer role. For products you only import or distribute, the original manufacturer is the one reporting through SRP. Your role is to inform that manufacturer and (where significant cybersecurity risk exists) inform market surveillance directly, not to report to ENISA on the original manufacturer's behalf.
Vulnerability notification fan-out
One vulnerability is reported. It affects three product cohorts in your portfolio: products you manufacture, products you imported, and products you distribute. The table below shows what fires where, in what order, and who signs.
| Cohort | Primary notification | Secondary notification | Who signs |
|---|---|---|---|
| Products you manufacture | ENISA single reporting platform (manufacturer's reporting stream) | Coordinator CSIRT for vulnerability, CSIRT and market surveillance for severe incident, plus affected users | Manufacturer compliance lead |
| Products you imported | The original manufacturer, without undue delay | Market surveillance of every Member State of supply if significant cybersecurity risk | Importer compliance lead |
| Products you distributed | The original manufacturer, without undue delay | Market surveillance of every Member State of supply if significant cybersecurity risk | Distributor compliance lead |
For a single-incident, multi-cohort event, the notifications run in parallel, not in sequence. The manufacturer-stream notification has a regulatory clock. The importer and distributor notifications run on the without-undue-delay standard. Do not let the manufacturer-side clock dominate the importer/distributor escalation, because the importer and distributor duties exist independently.
For per-cohort cadence, escalation thresholds, and the role-specific reporting flows, the manufacturer reporting flow, the importer cease-operations cascade, and the distributor vulnerability awareness sections in the cluster set are the canonical references.
Authority-request triage across roles
A market-surveillance authority issues a reasoned request. Different roles produce different evidence packs in response.
| Product role | What the authority expects | Where the evidence lives |
|---|---|---|
| Manufactured by you | Full evidence chain: technical documentation, conformity-assessment route, EU Declaration of Conformity, support-period commitment, vulnerability-handling record | Manufacturer compliance team, document management system |
| Imported by you | Importer verification record (CE marking check, manufacturer details, DoC pointer), pointer to the manufacturer's technical documentation, retention record for the DoC | Importer compliance team, document management system |
| Distributed by you | Documentation set used for intake check (DoC reference, user information, supply-chain contact points), proof of presence-based verification | Distributor compliance team, intake records |
Build the role-evidence map per product before a market-surveillance authority asks for it. The day a reasoned request arrives, the question is not "where is the evidence?" but "which evidence pack matches the role this product carries on this date?" A multi-role team that has not pre-built the map will burn a working day reconstructing the wrong evidence chain.
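The two building blocks the fan-out table and the role-evidence map both depend on are a per-product role history that resolves to one role on a given date, and a router that groups affected products by that role and emits the per-cohort notification plan. The script below is an added illustration, not the article's or any vendor's tooling: the product IDs, Member States, dates, lead names and routing strings are constructed sample data, the routing dictionary is a transcription of the fan-out table, and the importer-to-manufacturer rebrand on CTRL-200 and the never-mapped GW-400 are there to exercise the date-resolution and split-brain cases respectively.

```python
"""Per-product CRA role map with date-effective roles, plus the vulnerability
notification fan-out across manufacturer / importer / distributor cohorts.
Added illustration, not the article's tooling; product IDs, Member States,
dates and routing strings are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

MANUFACTURER, IMPORTER, DISTRIBUTOR = "manufacturer", "importer", "distributor"

# Routing per cohort, transcribed from the fan-out table.  "clock" separates the
# manufacturer's regulatory reporting clock from the without-undue-delay standard
# for importer/distributor notices.  Severe-incident additions are omitted.
ROUTING = {
    MANUFACTURER: dict(primary="ENISA single reporting platform (manufacturer stream)",
                       secondary=["coordinator CSIRT", "affected users"],
                       signer="Manufacturer compliance lead", clock="regulatory clock"),
    IMPORTER: dict(primary="original manufacturer", secondary=[],
                   signer="Importer compliance lead", clock="without undue delay"),
    DISTRIBUTOR: dict(primary="original manufacturer", secondary=[],
                      signer="Distributor compliance lead", clock="without undue delay"),
}


@dataclass(frozen=True)
class RoleSpan:
    role: str
    start: date                 # first day the role applies (inclusive)
    end: Optional[date] = None  # first day it no longer applies; None = open


class RoleMap:
    """Every product, every role carried for it, and from which date."""

    def __init__(self) -> None:
        self._roles: Dict[str, List[RoleSpan]] = {}
        self._states: Dict[str, Set[str]] = {}   # Member States of supply

    def add_product(self, product_id: str, member_states) -> None:
        self._roles[product_id] = []
        self._states[product_id] = set(member_states)

    def assign_role(self, product_id: str, role: str, start: date) -> None:
        """Attach `role` from `start`; the currently open span closes that day."""
        if role not in ROUTING:
            raise ValueError(f"unknown CRA role: {role}")
        spans = self._roles[product_id]
        if any(s.end is None and start <= s.start for s in spans):
            raise ValueError("a role change must postdate the current role")
        self._roles[product_id] = [RoleSpan(s.role, s.start, start) if s.end is None else s
                                   for s in spans] + [RoleSpan(role, start)]

    def role_on(self, product_id: str, on_date: date) -> Optional[str]:
        """Role carried on `on_date`, or None when the product is unmapped."""
        for s in self._roles.get(product_id, []):
            if s.start <= on_date and (s.end is None or on_date < s.end):
                return s.role
        return None

    def member_states(self, product_id: str) -> Set[str]:
        return self._states[product_id]


def fan_out(role_map: RoleMap, affected: List[str], on_date: date,
            significant_risk: bool) -> Tuple[Dict[str, dict], List[str]]:
    """Group affected products by the role carried on `on_date` and build the
    per-cohort plan.  Unmapped products are returned separately: pin them first."""
    plan: Dict[str, dict] = {}
    unmapped: List[str] = []
    for pid in affected:
        role = role_map.role_on(pid, on_date)
        if role is None:
            unmapped.append(pid)
            continue
        cohort = plan.setdefault(role, {**ROUTING[role], "products": [],
                                        "secondary": list(ROUTING[role]["secondary"])})
        cohort["products"].append(pid)
        # Importer and distributor escalate to market surveillance of every
        # Member State of supply only when the product presents significant risk.
        if role != MANUFACTURER and significant_risk:
            for ms in sorted(role_map.member_states(pid)):
                entry = f"market surveillance authority ({ms})"
                if entry not in cohort["secondary"]:
                    cohort["secondary"].append(entry)
    return plan, unmapped


def build_sample_map() -> RoleMap:
    """Constructed portfolio: a manufactured sensor, an imported controller rebranded
    on 2025-06-01 (importer -> manufacturer), distributed software, one unmapped product."""
    m = RoleMap()
    m.add_product("SENSOR-100", {"DE", "AT"})
    m.assign_role("SENSOR-100", MANUFACTURER, date(2024, 1, 1))
    m.add_product("CTRL-200", {"FR", "DE"})
    m.assign_role("CTRL-200", IMPORTER, date(2024, 1, 1))
    m.assign_role("CTRL-200", MANUFACTURER, date(2025, 6, 1))   # rebrand bridge
    m.add_product("SW-300", {"IT"})
    m.assign_role("SW-300", DISTRIBUTOR, date(2024, 1, 1))
    m.add_product("GW-400", {"NL"})                              # never mapped
    return m


if __name__ == "__main__":
    plan, unmapped = fan_out(build_sample_map(), ["SENSOR-100", "CTRL-200", "SW-300", "GW-400"],
                             date(2025, 3, 1), significant_risk=True)
    print("hold until pinned:", unmapped)
    for role, c in plan.items():
        print(role, c["products"], "->", c["primary"], "then", c["secondary"], "|", c["signer"], c["clock"])
```

Run it with a report date before and after 2025-06-01 and CTRL-200 moves from the importer cohort (original manufacturer first, then the French and German market-surveillance authorities) into the manufacturer cohort on the regulatory clock, while GW-400 is always held back rather than routed on a guessed role. The role history is deliberately append-only with explicit start dates, because the retention and support obligations for units placed under an earlier role survive the role change.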
Penalty exposure when you're multi-role
A single vulnerability incident can trigger more than one penalty tier when the vulnerable code is in products across multiple roles.
| Role of the breaching product | Penalty tier | Ceiling |
|---|---|---|
| Manufactured by you | Manufacturer tier | EUR 15 million or 2.5% of worldwide annual turnover |
| Imported by you | Importer tier | EUR 10 million or 2% of worldwide annual turnover |
| Distributed by you | Distributor tier | EUR 10 million or 2% of worldwide annual turnover |
The tiers apply per breach, not per product. A multi-role company that runs the same vulnerable component across manufactured and imported product lines, and fails to notify, is exposed to the manufacturer tier for the manufactured cohort and the importer tier for the imported cohort, in parallel. Insurance underwriting and board-level risk modelling should account for both ceilings, not just the higher one.
The mitigation is operational, not contractual. The role-evidence map plus the per-role notification fan-out gives you a defensible record of which products were notified when, under which role's protocol. Without that record, an authority can press the company to prove which role applied to each product before the penalty tier is assessed.
Cross-Member-State multi-role topology
When a multi-role org operates across Member State borders, the role-per-product map gets a second axis: which national authority contacts to pre-stage per role, and what language each Member State of supply expects on user information.
Take an EU group that manufactures sensors in Germany, imports controllers from a Taiwanese supplier through its French entity, and distributes a Belgian vendor's software through its Italian sales arm.
| Product cohort | Role | Authority contacts to pre-stage | User-information language |
|---|---|---|---|
| Manufactured sensors | Manufacturer | Coordinator CSIRT and competent market surveillance authority for the manufacturer reporting flow, plus market surveillance contacts in every Member State where the product is made available | German for German-market user information, plus per-Member-State language for shipments into other markets |
| Imported controllers | Importer | Market surveillance authorities of every Member State where you place product on the market | French, plus per-Member-State language for re-supply |
| Distributed software | Distributor | Market surveillance authorities of every Member State where you make product available, plus the route back to the manufacturer's primary authority chain for upstream escalation | Italian, plus per-Member-State language matching where you make the product available |
A vulnerability that hits all three cohorts triggers parallel notifications to three different national market-surveillance authorities (MSAs) at the same time, each in the appropriate national language. The CRA does not have a single-pane-of-glass route across Member States for a multi-role org. Build the per-cohort MSA-contact rolodex now. The first time you reach for it should not be in an incident.
When the same legal entity is AR, importer, and manufacturer
The authorised-representative arrangement is permissive, not mandatory. A non-EU manufacturer may appoint an EU-established entity as its authorised representative under a written mandate. Nothing in the CRA prevents that same EU entity from also being the importer for a different non-EU vendor's products, or the manufacturer of its own product line.
This is the most concentrated multi-role overlap in the CRA. Three things must stay separated even though they sit under one corporate roof:
Mandates are per-vendor. Each authorised-representative relationship is documented by a written mandate. If you act as AR for non-EU vendor A and importer for non-EU vendor B, the AR record covers vendor A only. Vendor B's products run on the importer regime, with no mandate overlay.
Liability bounds differ per role. The AR holds documentation and cooperates with market surveillance on behalf of the represented manufacturer, but does not place products on the market. The importer carries the four-check pre-market verification, places the product on the market, and retains the EU Declaration of Conformity for 10 years or the support period. The manufacturer carries the full design and engineering obligation set. These are three different liability surfaces, all sitting under one legal person. Records must support the role split per product.
Cessation routing is per role. If vendor A, for whom you are AR, ceases operations, check the written mandate and preserve the AR documentation and cooperation file. The statutory cessation notice itself sits with the manufacturer unless another role-specific trigger also applies. If vendor B (for whom you are importer) ceases operations, the importer's awareness-of-cessation notice fires: inform market surveillance and users about the manufacturer's cessation. Your own manufacturer line, if it ever ceases, fires the manufacturer self-cessation notice with your own customer-communications path. The three triggers do not consolidate into one routing.
The practical floor: a per-product map with the role tag attached to every product makes the AR/importer/manufacturer separation defensible. Without that map, an audit on vendor A's products will spill into your importer and manufacturer records and create avoidable evidence-discovery costs.
When roles shift mid-lifecycle
Multi-role companies see product roles shift over a product's lifecycle. Five events recur.
Distributor to importer. Your EU supplier closes, and you start importing directly from the non-EU manufacturer. Actions: full importer verification on the product, direct supplier relationship, refresh of all import documentation.
Importer to manufacturer. You start placing the imported product under your own brand. Actions: complete the manufacturer obligation set (conformity assessment, technical file, SBOM, vulnerability handling, support-period commitment). Your supplier is now a contract manufacturer in commercial terms, not the CRA manufacturer. The compliance ownership moves to you.
Distributor to bundle-modifier. You start pre-installing custom firmware on a product you previously distributed unchanged. Actions: manufacturer obligations apply via the rebrand bridge for the modified product or, where the modification affects cybersecurity of the whole product, for the entire product.
Manufacturer to distributor. You stop branding a product line and pass it back to the OEM under the OEM's own brand. Actions: the original manufacturer regains the manufacturer role from that point. You become the distributor of the OEM-branded product. Your manufacturer-side retention and support obligations continue for units already placed under your brand.
Any role to exit. You stop selling a product. Actions: document retention continues (manufacturer and importer carry 10-year or support-period retention). Manufacturer support obligations continue for at least 5 years from the last unit placed on the market, or the support period if committed longer. If the manufacturer is also ceasing operations, the notice duty routes through any importer and distributor in the chain.
Business continuity when the multi-role org folds
The CRA has one statutory self-cessation notice: the manufacturer's. When a manufacturer ceases operations and can no longer comply, it must inform the relevant market surveillance authorities and the users of products already placed on the market, before the cessation takes effect. There is no equivalent self-cessation notice for the importer or distributor roles. The importer and distributor cessation duties in the CRA only fire when the manufacturer of a product they handle ceases operations, not when the importer or distributor itself ceases.
For a multi-role organisation that folds, this means:
| Cohort the failing entity holds | What the CRA requires | Operational continuity work |
|---|---|---|
| Manufactured products | Statutory self-cessation notice to market surveillance authorities and, by any means available, to users. Communicate any successor support arrangement if one exists. | Document the notice, the date, the recipients, and the support-period implications. Preserve the technical file and DoC at the retention floor (10 years or the support period). |
| Imported products | No statutory self-cessation notice on the importer side. The DoC and technical-documentation pointer were already on file at intake and stay with the records archive. | Plan record continuity. Identify which entity inherits the importer-side DoC retention. Communicate channel changes to commercial counterparts. |
| Distributed products | No statutory self-cessation notice on the distributor side. | Stop making products available. Communicate to commercial counterparts that they need to source elsewhere. No statutory user notice is required from the distributor for the act of ceasing distribution. |
| AR mandates held for non-EU manufacturers | No statutory self-cessation notice for the AR. The mandate documentation continues to exist, and the AR's role is documentation custody and cooperation. | Coordinate with each represented manufacturer to either transition the AR mandate to a successor or terminate the mandate cleanly. Preserve the documentation file per Article 18. |
Treat the manufacturer self-cessation notice as the regulated event. Treat the importer, distributor, and AR transitions as operational record-continuity planning, not as additional statutory notice streams. Multi-role companies that conflate the four (and assume the importer and distributor have their own self-cessation notice obligation) over-build the runbook and may delay the one statutory notice that actually matters.
Frequently Asked Questions
What does the CRA do when one company is both manufacturer and importer?
The CRA applies role obligations per product, not per organisation. If you manufacture one product and import another, you carry manufacturer obligations on the first and importer obligations on the second, in parallel. If the same product is one you place under your own brand or substantially modify after import, the rebrand bridge applies and you become the manufacturer for that specific product. The boundary is product-by-product, not company-by-company.
Can I subcontract one CRA role to another company?
You can outsource tasks. You cannot outsource the legal role. The company that places the product on the market under its name, imports it into the Union, or makes it available downstream remains the bearer of the role and its obligations. A third-party compliance services firm can run conformity-assessment testing, supplier audits, or documentation maintenance under contract, but the regulatory accountability stays with you.
How do reporting obligations stack when I hold multiple roles?
The manufacturer-side reporting stream (ENISA single reporting platform, coordinator CSIRT, affected users) is the primary regulatory channel. Importer and distributor duties operate alongside as escalation: inform the manufacturer of vulnerabilities without undue delay, and inform market surveillance of every Member State of supply if the product presents significant cybersecurity risk. A multi-role company runs both streams in parallel and signs them under different role leads, with separate evidence trails.
When should a multi-role company split into separate legal subsidiaries?
The decision is usually triggered by penalty exposure modelling, not by operational complexity. When the manufacturer-tier ceiling (EUR 15 million or 2.5% of worldwide turnover) applied to your manufactured product line dwarfs your importer and distributor revenue, splitting the manufacturer activity into a separate subsidiary may protect the importer and distributor revenue from a manufacturer-side incident. Splitting is also worth considering when supplier audit duplication or regulatory-reporting overhead becomes a measurable line item rather than a compliance footnote. The CRA does not require any legal structure. It attaches role obligations to the legal person placing the product on the market.
Does ENISA single reporting platform onboarding cover all my roles?
The single reporting platform is the manufacturer reporting channel. A multi-role company onboards SRP for its manufacturer role and uses the platform for products it manufactures. For products you only import or distribute, the original manufacturer is the entity reporting through SRP. Your role on those products is to inform the manufacturer of vulnerabilities and to notify market-surveillance authorities directly when significant cybersecurity risk is present in products you placed on the market or made available.
Can one supplier audit serve both my importer and manufacturer-component due diligence needs?
Yes, when the audit is designed for dual purpose and the per-product role map is explicit. The audit scope must cover both the importer's pre-market verification requirements for finished products and the manufacturer's component due-diligence requirements for components integrated into your own product. Document the dual purpose in the audit charter. A single supplier visit that produces two role-specific evidence packs is acceptable. A single pack that conflates the two roles is harder to defend when a market-surveillance authority asks which role's evidence is being shown.
Can one single point of contact serve manufacturer, importer, and distributor roles?
One inbox can take in vulnerability reports across roles, but the routing must split per role downstream. The manufacturer-side single point of contact must be non-automated and let users choose their preferred means of communication. For imported and distributed products, the receivers expect the original manufacturer's contact. A multi-role company that publishes one inbox should make sure that, behind that inbox, reports are tagged with the product role and routed to the correct lead within the same business day. Conflating the queues without internal routing leaves manufacturer-side reports in a distributor-style ticket flow, which breaks the without-undue-delay standard.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.