Multi-Role CRA Compliance: When You're Manufacturer, Importer, and Distributor

How to manage CRA obligations when your organization holds multiple economic operator roles. Practical guidance for companies that manufacture some products and import others.

CRA Evidence Team
Author
February 10, 2026
Updated February 25, 2026, 12:00:00 AM UTC

Your company manufactures smart sensors in Germany. You also import complementary products from a Taiwanese supplier and distribute another vendor's software. Under CRA, you're simultaneously a manufacturer, importer, and distributor.

This guide explains how to manage compliance when you hold multiple economic operator roles.

Summary

  • Many companies hold multiple CRA roles across their product portfolio
  • Each role has distinct obligations, and you must meet all of them
  • Role is determined per product, not per organization
  • Some obligations overlap (good), some conflict (manageable)
  • Unified compliance infrastructure can serve multiple roles efficiently

Info: Most companies operating across the EU are multi-role without realizing it. If you manufacture some products and import others, you have obligations under BOTH roles.

Tip: Map each product to its specific CRA role (manufacturer, importer, distributor) to avoid compliance gaps.

[Figure: CRA supply chain actor flow: Manufacturer, Importer, Distributor, End User]

Understanding CRA Economic Operator Roles

The CRA defines four primary roles for placing products on the EU market:

Manufacturer

The entity that designs and produces the product, or has it designed or produced, and markets it under its own name or trademark.

Key obligations:

Importer

An entity established in the EU that places a product from a third country on the EU market.

Key obligations:

  • Verify manufacturer compliance (DoC, CE marking, documentation)
  • Ensure product identification and traceability
  • Maintain documentation for 10 years
  • Report non-compliance

Distributor

An entity in the supply chain, other than the manufacturer or importer, that makes a product available on the market.

Key obligations:

  • Verify CE marking and required documentation are present
  • Ensure storage/transport doesn't affect compliance
  • Report non-compliance
  • Cooperate with market surveillance

Open-Source Software Steward

A legal entity (not a natural person) that systematically provides support for OSS intended for commercial use.

Key obligations:

  • Cybersecurity policy
  • Coordinated vulnerability disclosure
  • Cooperation with market surveillance

Why Multi-Role Is Common

Scenario 1: Vertical Integration

You manufacture your core product but source components:

YOUR COMPANY:
├── Manufacturer of: Smart Home Hub (designed in-house)
├── Importer of: Power supply units (from China)
└── Distributor of: Compatible smart plugs (EU partner's product)

Scenario 2: Portfolio Diversification

You expand offerings through sourcing:

YOUR COMPANY (Industrial Automation):
├── Manufacturer of: PLC controllers (original design)
├── Manufacturer of: Sensors (white-label, your brand)
├── Importer of: HMI panels (Korean supplier)
└── Distributor of: Industrial software (German vendor)

Scenario 3: Regional Operations

EU subsidiary of non-EU company:

YOUR COMPANY (EU subsidiary):
├── Importer of: All parent company products
├── Distributor of: Partner products for EU market
└── Manufacturer of: EU-specific configurations

Role Determination Per Product

Critical principle: CRA role is determined product by product, not at the organization level.

For each product in your portfolio, ask:

  1. Did you design it and/or put your brand on it? → Manufacturer
  2. Are you the first to place it on the EU market from outside the EU? → Importer
  3. Are you making it available without having imported or manufactured it? → Distributor

Decision Matrix

Product Origin                | Your Branding            | Your Role
Designed/made by you          | Your brand               | Manufacturer
Made by others                | Your brand (white-label) | Manufacturer
Made outside EU               | Original brand           | Importer
Made in EU by others          | Original brand           | Distributor
Modified significantly by you | Any                      | Manufacturer

Obligation Mapping by Role

Here's what each role requires:

Compliance Documentation

Document                     | Manufacturer  | Importer         | Distributor
Technical file               | Create        | Verify exists    | Not required
EU Declaration of Conformity | Create & sign | Verify           | Verify present
SBOM                         | Create        | May request      | Not required
Risk assessment              | Conduct       | Verify conducted | Not required
User instructions            | Provide       | Verify present   | Not required

Market Placement

Requirement            | Manufacturer | Importer               | Distributor
CE marking             | Affix        | Verify present         | Verify present
Product identification | Apply        | Verify/add own contact | Verify
Traceability info      | Maintain     | Maintain               | Maintain
Document retention     | 10 years     | 10 years               | Reasonable period

Post-Market Obligations

Obligation             | Manufacturer      | Importer               | Distributor
Vulnerability handling | Full process      | Report to manufacturer | Report upstream
Security updates       | Develop & deliver | Ensure deliverable     | Not directly
ENISA reporting        | Yes (24h/72h)     | Report to manufacturer | Not directly
Customer notification  | Yes               | May assist             | Not directly
Non-compliance action  | Withdraw/recall   | Withdraw/recall        | Stop distribution

Managing Multiple Roles: Unified Approach

Shared Infrastructure

Some compliance capabilities serve multiple roles:

SHARED COMPLIANCE INFRASTRUCTURE

┌─────────────────────────────────────────────────┐
│           UNIFIED COMPLIANCE SYSTEM              │
├─────────────────────────────────────────────────┤
│  Document Management                             │
│  - Technical files (manufacturer role)           │
│  - Verification records (importer role)          │
│  - Distribution records (distributor role)       │
├─────────────────────────────────────────────────┤
│  Traceability System                             │
│  - All roles require traceability               │
│  - Single system, different data per role       │
├─────────────────────────────────────────────────┤
│  Vulnerability Management                        │
│  - Intake: Serves all roles                     │
│  - Response: Differentiated by role             │
├─────────────────────────────────────────────────┤
│  Non-Compliance Handling                         │
│  - Detection: All roles                         │
│  - Response: Role-specific actions              │
└─────────────────────────────────────────────────┘

Role-Specific Processes

Some processes must be differentiated by role:

Manufacturer products:

  • Full conformity assessment
  • SBOM creation and maintenance
  • Update development and distribution
  • ENISA reporting (direct)

Imported products:

  • Supplier verification workflow
  • Documentation request/verification
  • Pass-through for vulnerability reports
  • ENISA reporting coordination with manufacturer

Distributed products:

  • Simplified verification (CE, docs present)
  • Storage condition monitoring
  • Report issues upstream

Organizational Structure Options

Option 1: Role-Based Teams

Compliance Department
├── Manufacturing Compliance Team
│   └── Handles: All manufacturer obligations
├── Import Compliance Team
│   └── Handles: Supplier verification, import docs
└── Distribution Compliance Team
    └── Handles: Partner relationships, distribution records

Option 2: Product-Based Teams

Compliance Department
├── Product Line A Team (sensors)
│   └── Handles: All roles for sensor products
├── Product Line B Team (controllers)
│   └── Handles: All roles for controller products
└── Shared Services
    └── Document management, SBOM tools, training

Option 3: Hybrid (Recommended for Most)

Compliance Department
├── Core Compliance
│   └── Shared: Document mgmt, vulnerability intake, training
├── Manufacturer Compliance
│   └── Conformity assessment, technical files, updates
└── Supplier/Partner Compliance
    └── Import verification, distributor relationships

Practical Workflows

New Product Introduction

When adding a product to your portfolio:

NEW PRODUCT COMPLIANCE WORKFLOW

1. ROLE DETERMINATION
   - Where is it designed/manufactured?
   - Whose brand goes on it?
   - How does it reach EU market?
   → Determine: Manufacturer / Importer / Distributor

2. ROLE-SPECIFIC ONBOARDING

   If MANUFACTURER:
   [ ] Conduct risk assessment
   [ ] Create technical documentation
   [ ] Complete conformity assessment
   [ ] Prepare SBOM
   [ ] Establish update mechanism
   [ ] Set up vulnerability handling

   If IMPORTER:
   [ ] Request manufacturer documentation
   [ ] Verify DoC and CE marking
   [ ] Verify SBOM availability
   [ ] Confirm vulnerability contact
   [ ] Set up supplier monitoring
   [ ] Add your identification

   If DISTRIBUTOR:
   [ ] Verify CE marking present
   [ ] Verify documentation accompanies product
   [ ] Establish storage/transport controls
   [ ] Set up issue reporting channel

3. ENTER INTO COMPLIANCE SYSTEM
   [ ] Register product with determined role
   [ ] Upload relevant documentation
   [ ] Set review/monitoring schedules
   [ ] Assign responsible team/person

Vulnerability Response by Role

When a vulnerability is discovered affecting your products:

For Manufactured Products:

Vulnerability → Your Security Team → Assess → Develop Patch
    → Release Update
    → Notify Customers
    → ENISA Report (if exploited)

For Imported Products:

Vulnerability → Forward to Manufacturer → Track Response
    → Receive Update
    → Ensure EU Customers Receive
    → Support ENISA Reporting (if needed)

For Distributed Products:

Vulnerability → Notify Upstream (Manufacturer/Importer)
    → Pause Distribution (if serious)
    → Resume When Resolved

Non-Compliance Handling

When you discover a product doesn't comply:

Role         | Your Obligation
Manufacturer | Bring into compliance OR withdraw/recall
Importer     | Work with manufacturer OR don't place on market
Distributor  | Stop distribution, notify manufacturer/importer

All roles: Notify market surveillance authorities if the product presents a serious risk.

Common Multi-Role Challenges

Challenge 1: Conflicting Timelines

Problem: Your manufactured products have a 90-day CVD window, but your supplier (whose products you import) insists on 120 days.

Solution: Separate policies by role. Your CVD policy applies to products you manufacture. For imported products, you work within the supplier's timeline while ensuring it meets CRA minimums.

Challenge 2: Documentation Inconsistency

Problem: Different documentation standards across roles (your technical files vs. supplier documentation vs. distributed product docs).

Solution:

  • Maintain a unified document management system
  • Create role-specific templates and checklists
  • Don't force supplier documentation into your manufacturer template

Challenge 3: Responsibility Confusion

Problem: Unclear internally who handles what when multiple roles apply.

Solution:

  • Clear product registry with role assignments
  • RACI matrix for compliance activities
  • Escalation paths for edge cases

Challenge 4: Supplier Non-Cooperation

Problem: You're an importer, but your supplier won't provide documentation.

Solution:

  • This is a deal-breaker. Without proper documentation, you cannot legally import.
  • Either get documentation or find a different supplier.
  • This is why supplier due diligence matters.

Cost Considerations

Efficiency Through Unification

Multi-role companies can achieve economies of scale:

Capability                 | Single-Role Cost   | Multi-Role Shared Cost
Document management system | $X                 | $X (same for 1-3 roles)
Vulnerability intake       | $Y                 | $Y (same for 1-3 roles)
Compliance training        | $Z per role        | $Z × 1.5 (some overlap)
Technical expertise        | Full team per role | Shared + specialists

Role-Specific Costs

Some costs scale with role count:

  • Manufacturer: Conformity assessment per product (can't share)
  • Importer: Supplier verification per supplier (can't share)
  • Distributor: Partner management per partner (can't share)

Budget Allocation Example

MULTI-ROLE COMPLIANCE BUDGET

Organization:
- 5 manufactured products
- 10 imported products
- 15 distributed products

SHARED INFRASTRUCTURE (40% of budget):
- Compliance management system:    $25,000/year
- Document management:             $10,000/year
- Training program:                $15,000/year
- Vulnerability intake:            $10,000/year
SUBTOTAL:                          $60,000/year

MANUFACTURER ROLE (35% of budget):
- Conformity assessment (5 products): $25,000/year
- SBOM tooling:                        $8,000/year
- Update infrastructure:              $15,000/year
- Technical file maintenance:          $5,000/year
SUBTOTAL:                             $53,000/year

IMPORTER ROLE (20% of budget):
- Supplier verification (10 products): $20,000/year
- Documentation requests:               $5,000/year
- Supplier monitoring:                  $5,000/year
SUBTOTAL:                              $30,000/year

DISTRIBUTOR ROLE (5% of budget):
- Partner verification:                 $5,000/year
- Record keeping:                       $2,500/year
SUBTOTAL:                               $7,500/year

TOTAL:                                $150,500/year

Multi-Role Compliance Checklist

MULTI-ROLE COMPLIANCE CHECKLIST

FOUNDATION:
[ ] Product portfolio cataloged
[ ] Each product assigned a CRA role
[ ] Role determination documented
[ ] Single compliance system selected
[ ] Responsibilities assigned by role

PER ROLE:

MANUFACTURER PRODUCTS:
[ ] Technical files complete
[ ] Conformity assessments done
[ ] SBOMs created and maintained
[ ] Update mechanism established
[ ] CVD policy published
[ ] ENISA reporting capability

IMPORTED PRODUCTS:
[ ] Suppliers verified (for each)
[ ] Documentation obtained and verified
[ ] DoC copies on file
[ ] Traceability established
[ ] Your contact info added to products
[ ] Supplier monitoring in place

DISTRIBUTED PRODUCTS:
[ ] CE marking verified (all products)
[ ] Required documentation present
[ ] Storage conditions appropriate
[ ] Issue reporting channel to manufacturer/importer
[ ] Distribution records maintained

UNIFIED CAPABILITIES:
[ ] Document management for all roles
[ ] Traceability system operational
[ ] Non-compliance response procedure
[ ] Training completed (role-specific)
[ ] Market surveillance cooperation ready

EDGE CASES:
[ ] White-label products identified (→ manufacturer)
[ ] Substantially modified products identified (→ manufacturer)
[ ] Third-country subsidiary products identified (→ importer)

When Roles Shift

Your role can change over time:

Distributor → Importer

Trigger: Your EU supplier closes; you start importing directly from their manufacturer.

Action:

  • Full importer verification for the product
  • Establish direct supplier relationship
  • Update documentation

Importer → Manufacturer

Trigger: You start putting your brand on the imported product.

Action:

  • Complete manufacturer obligations (conformity assessment, technical file, SBOM, etc.)
  • Your supplier is now just that: a supplier, not the manufacturer
  • You own the compliance

Any Role → Exit

Trigger: You stop selling a product.

Action:

  • Document retention continues (10 years for manufacturer/importer)
  • Support obligations continue for manufacturer (5-year minimum from last unit)
  • Clear communication to customers
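
The three questions and decision matrix under Role Determination Per Product, combined with the role shifts described in this section, can be run as a registry check that flags products whose recorded role no longer matches their facts. This is an added example, not CRA Evidence's code; the record fields, function names and sample products are assumptions made for illustration.

```python
from dataclasses import dataclass

# Onboarding tasks per role, copied from the page's new-product workflow.
ONBOARDING = {
    "manufacturer": ["Conduct risk assessment", "Create technical documentation",
                     "Complete conformity assessment", "Prepare SBOM",
                     "Establish update mechanism", "Set up vulnerability handling"],
    "importer": ["Request manufacturer documentation", "Verify DoC and CE marking",
                 "Verify SBOM availability", "Confirm vulnerability contact",
                 "Set up supplier monitoring", "Add your identification"],
    "distributor": ["Verify CE marking present",
                    "Verify documentation accompanies product",
                    "Establish storage/transport controls",
                    "Set up issue reporting channel"],
}

@dataclass(frozen=True)
class Product:  # hypothetical record layout for this example
    name: str
    own_design: bool = False
    own_brand: bool = False
    substantially_modified: bool = False
    made_in_eu: bool = False
    we_place_first_in_eu: bool = False  # we bring it in from a third country

def determine_role(p: Product) -> str:
    # Manufacturer tests run first: design, branding or significant
    # modification decide the role regardless of where the product is made.
    if p.own_design or p.own_brand or p.substantially_modified:
        return "manufacturer"
    if not p.made_in_eu and p.we_place_first_in_eu:
        return "importer"
    return "distributor"

def audit(registry):
    """Return (name, recorded, actual, tasks) for every stale role assignment."""
    return [(p.name, recorded, determine_role(p), ONBOARDING[determine_role(p)])
            for p, recorded in registry if determine_role(p) != recorded]

# Constructed sample registry: (current product facts, role on record).
REGISTRY = [
    (Product("Smart Home Hub", own_design=True, own_brand=True, made_in_eu=True), "manufacturer"),
    (Product("Smart plug", we_place_first_in_eu=True), "distributor"),  # EU supplier closed
    (Product("Power supply unit", own_brand=True, we_place_first_in_eu=True), "importer"),  # rebranded
    (Product("Industrial software", made_in_eu=True), "distributor"),
]

if __name__ == "__main__":
    for name, recorded, actual, tasks in audit(REGISTRY):
        print(f"{name}: recorded {recorded}, now {actual}; open tasks: {len(tasks)}")
```

Each finding carries the onboarding checklist of the new role, so a Distributor → Importer or Importer → Manufacturer shift surfaces with the work it triggers.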

How CRA Evidence Helps

CRA Evidence supports multi-role organizations:

  • Role-based product registry: Track each product's CRA role
  • Role-specific workflows: Different checklists and processes per role
  • Unified documentation: Single system for all technical files, verification records
  • Supplier management: Track and verify suppliers for imported products
  • Vulnerability coordination: Route issues to appropriate handlers by role

Manage your multi-role compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
