White-Label and OEM Products Under CRA: Who's the Manufacturer?

CRA obligations for white-label, OEM, and private-label products. Understand when the brand owner becomes the manufacturer and what that means for compliance.

CRA Evidence Team
January 29, 2026
Updated February 25, 2026, 12:00:00 AM UTC

You sell tablets under your brand, but a factory in Asia makes them. Under CRA, you're the manufacturer, with all the obligations that entails. Understanding white-label product compliance is essential before you put your logo on someone else's hardware.

This guide covers CRA obligations for white-label, OEM, and private-label arrangements.

Summary

  • Brand owner = manufacturer under CRA, regardless of who physically makes the product
  • Full manufacturer obligations apply: conformity assessment, technical file, vulnerability management, 5-year support
  • Your supplier becomes just that: a supplier, not the legal manufacturer
  • Contract must address compliance responsibilities, documentation access, and support period
  • Plan for this before signing white-label agreements

Important: If you place a product on the EU market under your own name or trademark, you are the MANUFACTURER under the CRA — regardless of who actually made it.

Warning: White-label agreements must clearly define who handles vulnerability management, security updates, and ENISA reporting. Without this, the brand owner bears full liability.

Understanding White-Label Under CRA

The Core Rule

Article 3 of the CRA defines "manufacturer" as:

"any natural or legal person who manufactures a product with digital elements or has such product designed or manufactured and markets it under their name or trademark"

The key phrase is "markets it under their name or trademark."

If your brand is on the product, you're the manufacturer, even if you never touched a soldering iron or wrote a line of code.

Terminology Clarification

Different terms, same CRA outcome:

Term                                   What It Means                              CRA Status
White-label                            Generic product, your brand applied        You're manufacturer
OEM (Original Equipment Manufacturer)  You design, they build to spec             You're manufacturer
Private label                          Retailer's brand on third-party product    Retailer is manufacturer
ODM (Original Design Manufacturer)     They design and build, you brand it        You're manufacturer
Reseller                               Their brand, you just sell it              You're distributor

The distinction that matters: Whose brand is on the product?

What This Means in Practice

You're a Manufacturer, So...

As a white-label manufacturer under CRA, you must:

Before Market Placement:

  1. Conduct conformity assessment (Module A, B+C, or H)
  2. Prepare technical documentation (Annex VII)
  3. Ensure product meets Annex I essential requirements
  4. Sign EU Declaration of Conformity
  5. Affix CE marking
  6. Create/maintain SBOM

During Support Period:

  1. Handle vulnerability reports
  2. Provide security updates for 5+ years
  3. Report actively exploited vulnerabilities to ENISA
  4. Notify customers of security issues
  5. Maintain documentation

Ongoing:

  1. Post-market surveillance
  2. Cooperation with authorities
  3. Non-compliance response

Your Manufacturer Becomes Your Supplier

The actual manufacturer (factory, ODM, etc.) is now your supplier, not the legal manufacturer for CRA purposes. This changes the relationship:

BEFORE CRA:
ODM Factory → "Manufacturer" (their product, their compliance)
     ↓
Your Brand → "Reseller/Distributor"

UNDER CRA:
ODM Factory → "Supplier" (builds to spec)
     ↓
Your Brand → "Manufacturer" (your product, your compliance)

The White-Label Compliance Gap

Many white-label arrangements weren't designed for this. Common problems:

Gap 1: No Access to Technical Documentation

Your ODM has the technical file, but you're now required to maintain it.

Problem:

  • Factory considers designs proprietary
  • Documentation may be incomplete
  • May not meet CRA format requirements

Solution:

  • Contract for documentation access
  • Require Annex VII-compliant technical file
  • Verify before signing agreement

Gap 2: Vulnerability Handling Undefined

Who handles security issues when your branded product has a vulnerability?

Problem:

  • Factory discovers vulnerability: do they tell you?
  • Customer reports to you: can the factory fix it?
  • Timelines misaligned

Solution:

  • Define vulnerability response in contract
  • Establish notification timelines
  • Agree on update development responsibilities
  • Clarify ENISA reporting (your obligation)

Gap 3: Support Period Mismatch

You promised 5-year support, but your supplier relationship is 2 years.

Problem:

  • Factory discontinues product
  • Factory goes out of business
  • No source for updates after contract ends

Solution:

  • Contract for support period duration
  • Escrow arrangements for source code
  • Contingency planning for supplier changes
  • Consider multiple supplier qualification

Gap 4: No SBOM

You need an SBOM. Your supplier never created one.

Problem:

  • Can't provide SBOM to regulators or customers
  • Can't track vulnerabilities in components
  • Can't demonstrate supply chain transparency

Solution:

  • Require SBOM in procurement
  • Specify format (CycloneDX, SPDX)
  • Define update frequency

Structuring White-Label Agreements for CRA

Essential Contract Terms

Your white-label/OEM agreement should include:

1. CRA Compliance Acknowledgment

Supplier acknowledges that Buyer will place the Product
on the EU market under Buyer's brand and that Buyer will
be considered the "manufacturer" under Regulation (EU)
2024/2847 (Cyber Resilience Act). Supplier agrees to
support Buyer's compliance obligations as set forth
in this Agreement.

2. Technical Documentation

Supplier shall provide to Buyer:
(a) Complete technical documentation meeting the
    requirements of Annex VII of Regulation (EU) 2024/2847
(b) All documentation necessary for Buyer to:
    - Conduct conformity assessment
    - Prepare EU Declaration of Conformity
    - Respond to market surveillance requests
(c) Updates to documentation within [10] days of any
    change affecting compliance status

Supplier grants Buyer a perpetual, irrevocable license
to use such documentation for compliance purposes.

3. SBOM Provision

Supplier shall provide:
(a) Software Bill of Materials in [CycloneDX/SPDX] format
(b) Updated SBOM within [5] days of each firmware/software
    release
(c) SBOM including all third-party components with:
    - Component name and version
    - Supplier information
    - License information
    - Known vulnerabilities at time of delivery
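As an added illustration of clause 3 (not part of the original article or the CRA Evidence product), the following Python check can be run on each SBOM delivery to confirm it carries the contracted fields; the CycloneDX document and the vulnerability ids in it are constructed sample data.

```python
import json

# Fields clause 3(c) requires for every component. Known vulnerabilities are
# checked at document level via the CycloneDX "vulnerabilities" array.
REQUIRED_FIELDS = ("name", "version", "supplier", "licenses")

# Constructed sample delivery: one complete component, one missing fields.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "zlib@1.3.1", "name": "zlib",
         "version": "1.3.1", "supplier": {"name": "zlib authors"},
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "firmware", "bom-ref": "wifi-blob@2.4",
         "name": "wifi-blob", "version": "2.4"},
    ],
    "vulnerabilities": [
        # Constructed placeholder ids, not real advisories
        {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "wifi-blob@2.4"}]},
        {"id": "EXAMPLE-VULN-0002", "affects": [{"ref": "bt-stack@0.9"}]},
    ],
})


def check_sbom(text):
    """Return (ok, findings) for a CycloneDX JSON SBOM delivered by a supplier."""
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    components = bom.get("components") or []
    if not components:
        findings.append("no components listed")
    refs = set()
    for comp in components:
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        refs.add(comp.get("bom-ref", label))
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
    # An absent array is a gap; an empty array is an explicit "none known".
    if "vulnerabilities" not in bom:
        findings.append("no vulnerabilities section (known vulns at delivery)")
    for vuln in bom.get("vulnerabilities") or []:
        for target in vuln.get("affects") or []:
            if target.get("ref") not in refs:
                findings.append(f"{vuln.get('id', '?')}: affects unknown ref "
                                f"{target.get('ref')}")
    return (not findings, findings)
```

A delivery that produces findings should be rejected back to the supplier under the clause 3(b) update obligation rather than filed into the technical file.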

4. Vulnerability Management

Vulnerability Notification:
Supplier shall notify Buyer within [24 hours] of becoming
aware of any security vulnerability in the Product,
regardless of source of discovery.

Patch Development:
Upon notification of a vulnerability, Supplier shall:
(a) Acknowledge within [24 hours]
(b) Provide severity assessment within [72 hours]
(c) Deliver patch within:
    - [7 days] for Critical severity
    - [30 days] for High severity
    - [90 days] for Medium/Low severity

Buyer retains final authority on customer communications
and update release timing.

5. Support Period Commitment

Supplier commits to:
(a) Providing security updates for the Product for a
    minimum period of [5 years] from date of first
    delivery to Buyer
(b) Maintaining capability to produce updates throughout
    this period
(c) Providing [90 days] notice before any planned
    discontinuation
(d) [Source code escrow / transition assistance] if
    Supplier cannot fulfill this commitment

6. Conformity Support

Supplier shall:
(a) Support Buyer's conformity assessment activities
(b) Provide test reports, certificates, and evidence
    as reasonably requested
(c) Allow Buyer or Buyer's designated Notified Body
    to audit production facilities
(d) Maintain quality controls consistent with the
    assessed product type

7. Subcomponent Management

Supplier shall:
(a) Provide list of all subcomponent suppliers
(b) Flow down relevant CRA requirements to subcomponents
(c) Notify Buyer of any subcomponent changes affecting
    security or compliance
(d) Maintain subcomponent supplier qualification records

Risk Allocation

Risk                          Typically Allocated To    Contract Mechanism
Product doesn't meet Annex I  Supplier (remediate)      Warranty
Documentation incomplete      Supplier (complete)       Deliverable requirement
Vulnerability discovered      Supplier (patch)          SLA
ENISA reporting               Buyer (report)            Notification obligation
Market surveillance           Buyer (respond)           Documentation access
Customer notification         Buyer (notify)            Process agreement
Regulatory fines              Negotiated                Indemnification

Practical Workflow

Before Signing White-Label Agreement

PRE-AGREEMENT DUE DILIGENCE

1. TECHNICAL ASSESSMENT
   [ ] Review product architecture
   [ ] Assess security features against Annex I
   [ ] Identify gaps requiring remediation
   [ ] Evaluate update mechanism capability

2. DOCUMENTATION ASSESSMENT
   [ ] Request sample technical documentation
   [ ] Verify completeness against Annex VII
   [ ] Review SBOM availability and quality
   [ ] Assess risk assessment documentation

3. SUPPLIER CAPABILITY
   [ ] Evaluate security development practices
   [ ] Review vulnerability handling history
   [ ] Assess support infrastructure
   [ ] Verify update development capability
   [ ] Check financial stability for 5-year commitment

4. CONTRACT NEGOTIATION
   [ ] Include all CRA-specific terms
   [ ] Define documentation deliverables
   [ ] Establish vulnerability response SLAs
   [ ] Secure support period commitment
   [ ] Address source code escrow

5. CONFORMITY ASSESSMENT PLANNING
   [ ] Determine product classification
   [ ] Select conformity assessment module
   [ ] Identify Notified Body (if required)
   [ ] Plan technical file preparation

After Signing: Ongoing Management

WHITE-LABEL PRODUCT COMPLIANCE MANAGEMENT

Monthly:
[ ] Review supplier vulnerability notifications
[ ] Check SBOM updates received
[ ] Monitor supplier security advisories
[ ] Verify update delivery capabilities

Quarterly:
[ ] Technical documentation review
[ ] Supplier capability assessment
[ ] Contract compliance verification
[ ] Support period tracking

Annually:
[ ] Full compliance audit
[ ] Contract review and update
[ ] Supplier business health check
[ ] Documentation completeness review

Per Release:
[ ] Updated SBOM received
[ ] Technical file updated
[ ] Testing completed
[ ] Conformity maintained

Common White-Label Scenarios

Scenario 1: Simple Rebranding

Situation: You buy finished tablets, put your logo on them, sell under your brand.

Your obligations:

  • Full manufacturer status
  • Must obtain all documentation from supplier
  • Must conduct conformity assessment (or verify supplier's is valid for your use)
  • Must handle all post-market obligations

Key risks:

  • Supplier's conformity assessment may not transfer to you
  • You need your own DoC
  • Updates depend entirely on supplier

Scenario 2: Customized ODM Product

Situation: ODM designs product to your specifications, you brand and sell it.

Your obligations:

  • Full manufacturer status
  • Conformity assessment is definitely your responsibility (custom design)
  • Technical file must reflect your customizations
  • Vulnerability handling for your version

Key risks:

  • Customizations may introduce vulnerabilities
  • Your changes may invalidate supplier testing
  • Support period for custom version

Scenario 3: Multiple Brand Versions

Situation: Same product sold under different brands (yours and others).

Each brand owner's obligations:

  • Each is manufacturer for their branded version
  • Each needs own DoC and CE marking
  • Vulnerabilities affect all; coordination needed

Key risks:

  • Vulnerability disclosure coordination
  • Who reports to ENISA?
  • Customer confusion if updates differ

Scenario 4: Partial White-Label (Components)

Situation: You design overall product, source white-label component modules.

Your obligations:

  • You're manufacturer of the overall product
  • Component supplier is your supplier
  • You must assess component security
  • Component vulnerabilities are your problem

Key risks:

  • Component supplier may not provide adequate documentation
  • Vulnerability in component = your liability
  • Multiple component suppliers = complex tracking

When White-Label Doesn't Work

Some situations make white-label compliance very difficult:

Factory Won't Provide Documentation

If supplier refuses access to technical documentation, you cannot:

  • Complete conformity assessment
  • Create compliant technical file
  • Demonstrate compliance to authorities

Options:

  • Find different supplier
  • Negotiate harder (compliance is non-negotiable)
  • Commission independent testing (expensive, incomplete)

Support Period Can't Be Guaranteed

If supplier won't commit to 5-year support:

Options:

  • Negotiate source code escrow
  • Identify backup development capability
  • Shorten your support period (the CRA still requires a minimum of 5 years)
  • Don't proceed

Product Doesn't Meet Requirements

If the white-label product has fundamental security gaps:

Options:

  • Require supplier to remediate (before you take delivery)
  • Add security layer yourself (and become more involved)
  • Don't proceed

Never: Take non-compliant product to market assuming you'll "fix it later."

Cost Considerations

White-label CRA compliance adds costs beyond product procurement:

Cost Category             Typical Range          Notes
Contract negotiation      $5,000-20,000          Legal review of CRA terms
Documentation review      $5,000-15,000          Technical file assessment
Conformity assessment     $15,000-100,000        Depends on module (see conformity guide)
Vulnerability management  $20,000-50,000/year    Monitoring, response capability
Update distribution       $10,000-30,000/year    Infrastructure, testing
Support operations        Variable               Customer-facing support

Rule of thumb: Add 15-25% to product cost for CRA compliance overhead.

White-Label Compliance Checklist

WHITE-LABEL CRA COMPLIANCE CHECKLIST

PRE-AGREEMENT:
[ ] Product security assessment completed
[ ] Supplier capability verified
[ ] Documentation availability confirmed
[ ] Support period commitment secured
[ ] Contract includes CRA terms

DOCUMENTATION:
[ ] Technical file received and reviewed
[ ] SBOM received in proper format
[ ] Risk assessment documentation available
[ ] Test reports received
[ ] Design documentation accessible

CONFORMITY ASSESSMENT:
[ ] Product classification determined
[ ] Assessment module selected
[ ] Conformity assessment completed
[ ] DoC signed (by you, the brand owner)
[ ] CE marking applied

VULNERABILITY MANAGEMENT:
[ ] Security contact established
[ ] CVD policy published
[ ] Supplier notification process agreed
[ ] Update testing capability
[ ] Customer notification process

ONGOING:
[ ] SBOM updates received
[ ] Vulnerability monitoring active
[ ] Supplier relationship managed
[ ] Support period tracked
[ ] Documentation maintained

POST-EOL:
[ ] Documentation retention (10 years)
[ ] Known vulnerability disclosure (if needed)
[ ] Customer transition managed

How CRA Evidence Helps

CRA Evidence supports white-label manufacturers:

  • Supplier management: Track white-label supplier compliance
  • Documentation repository: Store and manage supplier-provided documentation
  • SBOM aggregation: Combine component SBOMs
  • Technical file assembly: Structure documentation for your branded product
  • Vulnerability workflow: Coordinate between supplier and customer-facing response

Manage your white-label compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.
