CRA White-Label & OEM Products: A Manufacturer's Guide
CRA obligations for white-label, OEM and private-label products: rebrand bridge, OEM cessation, SBOM provenance, support-period mirror, contract clauses.
In this article
- Summary
- Why white-label is its own category
- The "just a sticker" defence and what actually counts
- White-label scenario taxonomy
- Firmware customisation: where the rebrand-bridge ends and the catch-all begins
- Support-period clock for white-label
- Cross-border white-label
- White-label SBOM provenance
- Liability split contract clauses
- Post-M&A inherited white-label arrangements
- Common pitfalls
- Frequently Asked Questions
You sell tablets under your brand, and an ODM in Shenzhen builds them. Under the CRA, you are the manufacturer, the ODM is your supplier, and the trigger is the brand, not the build. This page is the white-label operational layer. For the full manufacturer obligation set see the manufacturer cluster.
Summary
- Brand owner is the manufacturer under the CRA, regardless of who physically builds the product. The OEM/ODM is your supplier.
- The support-period clock starts when YOU place the rebranded product on the EU market, not when the OEM first shipped the un-branded version.
- When your OEM goes out of business, the importer's notice duty does NOT apply to you (you are the manufacturer, not the importer); the support obligation never "transferred" because it was always yours.
- Firmware customisation BEFORE placement makes you the manufacturer from the start. Customisation AFTER placement is rebrand-bridge territory if done by an importer/distributor, or catch-all territory if done by any other third party.
- Hidden white-label, multi-tier white-label, retailer private-label and co-branded products each have a different operational picture; the scenario taxonomy below maps each to the right CRA route.
Why white-label is its own category
White-label sits in a specific corner of the CRA role map. The boundary between white-label and the adjacent roles is sharp on paper but blurry in procurement reality.
| Role | What you do | CRA position |
|---|---|---|
| White-label brand owner | You take an OEM/ODM product, put your brand on it, place it on the EU market | Manufacturer from the first sale |
| Importer | You bring a foreign manufacturer's branded product into the EU; their brand stays on it | Importer; full importer verification |
| Distributor | You resell another EU entity's branded product after the importer placed it; you do not modify | Distributor |
| Substantial modifier (rebrand-bridge) | You are an importer or distributor who modifies a product already placed on the market | Manufacturer obligations apply to you for the modified product |
| Substantial modifier (catch-all) | You are NOT manufacturer, importer or distributor, but you substantially modify a placed product (integrator, repair shop, value-added reseller) | Manufacturer obligations apply to you |
| Component supplier | You build components that go into someone else's product | Your buyer runs component due diligence on you; you are not subject to the full manufacturer obligation set unless you separately place a product on the market |
Three boundaries get crossed often. First, the boundary between white-label (you are the manufacturer from day one) and substantial modification (someone modifies an already-placed product). White-label is a placement-time trigger; substantial modification is a post-placement trigger. Second, the boundary between white-label and importer: if you put your brand on the product, you crossed out of the importer role into the manufacturer role, even if you also physically import the device. Third, the boundary between white-label and component sourcing: if you place a product under your brand, you are the manufacturer of that product; if you integrate a component into a product you build yourself, the supplier due diligence playbook is your operational layer.
The "just a sticker" defence and what actually counts
Procurement leads sometimes argue that adding a brand sticker to a finished product cannot trigger full manufacturer status. The importer cluster pitfall table names this exact claim ("It is just a sticker with our logo.") and disposes of it: if the sticker presents you as the source of the product, manufacturer obligations apply. The trigger is brand presentation to the market, not the depth of the modification.
The operational question is what counts as "branded as yours" and what stays in distributor territory.
| Act | What happens |
|---|---|
| Sell the OEM's product in OEM packaging with OEM brand visible | Distributor. OEM is presented as the source. |
| Add a "Distributed by [your company]" label that names you as distributor | Distributor. Identification is required, not a brand act. |
| Replace the OEM brand on the product with your brand | Manufacturer from first sale. You are presented as the source. |
| Replace OEM packaging with your packaging; product still carries OEM brand visibly | Depends. If your brand is the customer-facing source, manufacturer. If the OEM brand stays visible on the product itself, distributor for that unit. |
| Co-brand both your brand and the OEM brand on the product | Typically manufacturer. Whichever party is presented as the source carries responsibility, usually the retail-facing brand. |
| Translate the user manual and add it to the box | Distributor. Language compliance is required of the supply chain; translation does not flip you to manufacturer. |
| Add a Distributor sticker AND replace the firmware splash with your logo on first boot | Manufacturer. Boot-time brand presentation makes you the source. |
| Sell un-branded product in your retail packaging only (retailer private-label) | Manufacturer. Private-label brand presents you as the source. Amazon Basics, Lidl Silvercrest, Tesco F&F-Tech are the canonical examples. |
| Resell under your brand AND substantially modify firmware after placement | Manufacturer end-to-end. White-label manufacturer from first sale; post-placement modification triggers the rebrand-bridge or catch-all route. |
The unifying rule is source presentation. If a market surveillance authority, asked "who is the manufacturer of this product?", would point at your brand, you are the manufacturer under the CRA. Sticker depth, design effort and customisation level are not the test.
White-label scenario taxonomy
Seven scenarios cover the operational territory. Each maps to a different combination of CRA route, supplier diligence depth and contractual exposure.
1. Simple rebrand (finished product, your brand only)
You buy finished tablets, apply your logo, sell under your brand. Default white-label.
- CRA route: manufacturer from first sale.
- Conformity assessment: yours. The OEM's prior conformity assessment may inform your technical file but does not transfer.
- Diligence depth: high on the OEM as supplier, especially documentation, vulnerability handling, and support-period commitment.
- Operational risk: the OEM's willingness to ship security updates dictates your ability to honour your own support-period commitment to users.
2. Hidden white-label (your reseller re-rebrands)
You white-label an OEM product as Brand-A and sell to a reseller. The reseller strips your brand and re-rebrands as Brand-B without telling you, then places Brand-B units on the EU market.
- CRA route: the reseller becomes the manufacturer of the Brand-B units. You remain the manufacturer of the Brand-A units you placed. The OEM remains supplier to both.
- Discovery operational signal: customer-support tickets referencing Brand-B that match Brand-A behaviour, or returns arriving in Brand-B packaging when you never sold to Brand-B.
- Contractual fix: reseller agreements should prohibit re-rebranding without written consent. Without that clause, your only remedy is termination.
- Why it matters: a vulnerability you ship a patch for will not reach Brand-B units unless the reseller flows the patch through, and the reseller may have no infrastructure to do so.
3. Multi-tier white-label (you white-label, your distributor white-labels yours again)
OEM builds, you white-label as your brand, you sell to an EU distributor, the distributor white-labels yours as their own brand.
- CRA route: three legal positions stacked. OEM is supplier, you are manufacturer of the units you placed under your brand, the distributor becomes manufacturer of the units they placed under their brand.
- Operational pattern: common in industrial automation, AV equipment and B2B IoT.
- Critical clause: your contract with the distributor must specify whether re-rebranding is permitted and, if it is, that the distributor takes manufacturer status for the re-rebranded variant. Without that, both parties may end up claiming distributor status while authorities point at the visible brand on each unit.
4. Co-branded products (both names on the product)
The product carries both your brand and the OEM brand visibly to the end user.
- CRA route: typically the retail-facing brand carries manufacturer status; both parties can be designated manufacturers if both present themselves as the source.
- Contractual fix: the manufacturer designation must be written into the co-branding agreement. Default reading: whichever party signs the DoC is the manufacturer for that unit cohort.
- Operational risk: shared brand visibility can confuse users about which party to contact for vulnerability reports; the single point of contact for the product must be unambiguous.
5. Retailer private-label (Amazon Basics, Lidl Silvercrest, Tesco)
A high-volume retailer commissions an OEM to build a product under the retailer's private-label brand. The retailer is the white-label brand owner.
- CRA route: retailer is the manufacturer. The volume does not change the analysis; the brand presentation does.
- Operational scale: hundreds of SKUs across multiple OEMs is typical. Per-SKU technical files, per-SKU DoCs, per-SKU support-period clocks. A retail buyer treating CRA compliance as a single-pass procurement question understates the load.
- Contractual pattern: long-term framework agreements with the OEM, support-period mirror clauses (OEM commits AT LEAST as long as the retailer commits to users), source-code escrow for the firmware, and explicit re-flow of CRA requirements to subcomponents.
6. Hardware-only ODM + your firmware
You commission ODM hardware (industrial board, ruggedised tablet, IoT gateway shell) and ship your own firmware on it. The hardware substrate is OEM-supplied; the security envelope is yours.
- CRA route: you are the manufacturer of the integrated product. The ODM is your hardware supplier. Different from the simple rebrand because you actually build something on top of the substrate.
- Diligence shape: leans on the hardware-only ODM playbook (BOM controls, secure-element source, factory-key injection, EOL window for the hardware platform).
- Common operational error: signing a multi-year customer support commitment with an ODM whose hardware EOL window is shorter. When the silicon goes EOL, your support obligation does not soften.
7. White-label SaaS or remote-data-processing component
The "product" customers see is your-branded SaaS or your-branded API. The actual processing runs on an OEM platform white-labelled to you (a managed Kafka cluster, a SaaS authentication platform, a managed device-fleet service).
- CRA route: depends on whether the SaaS itself is a "product with digital elements" under the CRA. The CRA covers "remote data processing solutions" only where they are integral to a placed product. A pure SaaS that does not integrate into a placed product is typically out of scope. If your SaaS is an integral component of a placed product (firmware that calls home, IoT device fleet management), the SaaS provider is part of your supplier chain and the cloud-service component playbook applies.
- Contractual pattern: SaaS attestation portfolio (SOC 2, ISO/IEC 27001, ISO/IEC 27017), data-processing agreement, sub-processor list, service-discontinuation notice window.
Firmware customisation: where the rebrand-bridge ends and the catch-all begins
The most common conflation in white-label compliance is between the rebrand-bridge (an importer or distributor who substantially modifies a product already placed on the market becomes the manufacturer for the modified product) and the catch-all (any other third party who substantially modifies a placed product becomes the manufacturer). Both routes are in the CRA; they cover different actors.
The boundary, mapped onto firmware customisation scenarios that white-label brand owners encounter:
| Scenario | CRA route | Why |
|---|---|---|
| You customise the firmware BEFORE placing the product on the EU market under your brand | Manufacturer from first sale | No catch-all question. The customisation is part of the product as you place it. |
| You release a firmware update after placement that fixes vulnerabilities and preserves intended purpose, behaviour and security architecture | Same manufacturer status as before | A genuine security update is not a substantial modification. |
| You release a firmware update after placement that adds features, changes authentication or expands attack surface | Manufacturer status unchanged BUT triggers a fresh conformity-assessment loop on your same manufacturer file | You were already the manufacturer; the modification changes the product's risk picture, not your role |
| An importer or distributor downstream from you modifies the firmware on your white-label units they hold | Importer/distributor becomes the manufacturer for the modified units (rebrand-bridge route) | The bridge explicitly covers substantial modification of a product already placed on the market by an importer or distributor |
| A third party that is NOT manufacturer, importer or distributor (a service provider, an integrator, a value-added reseller, a maintenance contractor) modifies the firmware on your white-label units and makes them available again | The third party becomes the manufacturer for those units (catch-all route) | The catch-all covers everyone outside the manufacturer/importer/distributor chain |
| You commission an OEM, the OEM ships you the product, you customise the firmware before placement | You are still the manufacturer from first sale; the OEM remains your supplier | The pre-placement customisation does not change your role; it is part of the product as you place it |
Two operational implications. First, the white-label brand owner does not "escape" into the catch-all route by claiming the substantial modification was done by someone else; if you are placing the modified product on the market under your brand, the modification is part of your manufacturer scope. Second, when one of your distributors customises your white-label firmware, the rebrand-bridge route lands on them, not you, for those specific units. Track which units left your control unmodified and which were modified downstream; the support-period responsibility for the modified units shifts to the modifier.
For the verbatim text of the rebrand-bridge and catch-all provisions, see the distributor cluster FAQ which quotes both side by side.
Support-period clock for white-label
The CRA support-period clock starts when the manufacturer places the product on the EU market. For white-label, you are the manufacturer, so the clock starts when you first place your rebranded version on the EU market, not when the OEM first placed the un-branded original or sold to you.
SUPPORT-PERIOD TIMING (WHITE-LABEL)
Year 0 OEM first places the un-branded version on EU market
OEM's support clock starts on its own DoC
Year 0 OEM ships your first rebranded batch to your warehouse
(No CRA clock starts on you yet, not on EU market)
Year 1 You place your first rebranded units on the EU market
YOUR support clock starts on YOUR DoC (5 years minimum)
Year 1 OEM continues to sell un-branded original in parallel
(Two independent clocks now run; OEM's covers OEM units, yours covers yours)
Year 4 OEM stops production
Your support obligation continues until at least Year 6
(and beyond if you placed units after Year 1)
The mirror-clause obligation that follows: your OEM contract must commit the OEM to ship security updates to you for AT LEAST as long as you commit to your users. If you commit five years to users and the OEM commits three years to you, you carry a two-year gap with no source of patches. Source-code escrow and second-source qualification are the two standard mitigations.
When the OEM ceases operations
A common misconception: when the OEM goes out of business, the CRA imposes a notice duty on you that transfers some of the OEM's obligations.
Two clarifications matter. First, the CRA notice duty on a manufacturer's cessation sits on the importer, not on you. When you are the white-label brand owner, you are the CRA manufacturer of your rebranded product; the OEM was your supplier, not the manufacturer of your branded product. The importer-cessation notice provision does not apply to you in this scenario, because the OEM was not the CRA manufacturer of your branded product. The importer cluster cessation section walks through the importer-side duty in detail.
Second, the support obligation does not "transfer" from the OEM to you because it was always yours. You committed to your users at first placement; the OEM ceasing changes your supply situation, not your statutory commitment. The practical fallback is what the contract committed to (source-code escrow, second source, transition services), not the importer-cessation provision.
The one statutory cessation notice that DOES apply to you, the white-label brand owner, is the manufacturer's own cessation duty: if YOU as manufacturer cease operations, you must inform the market surveillance authorities and, by any means available, your users.
Cross-border white-label
You source from an Asian ODM, white-label, and place the product on the EU market via your EU subsidiary. The white-label trigger (you are the manufacturer from first sale) combines with a no-EU-establishment question for vulnerability and incident reporting.
If your white-label brand is held by a non-EU parent and the EU subsidiary is the entity placing the product on the market, two routes are possible. Route A: the EU subsidiary is the legal manufacturer, with the parent acting as a commercial brand owner; the EU subsidiary's Member State is the home authority. Route B: the non-EU parent is the legal manufacturer (brand owner of record) and the EU subsidiary is the importer; the non-EU-manufacturer fallback cascade routes incident reporting via AR Member State → importer Member State → distributor Member State → highest-user Member State.
Pick the route deliberately in your group's legal structuring; do not let it fall out of the brand-ownership accident. A non-EU brand owner with no EU establishment and no appointed AR routes its incident reporting to the importer Member State by default, which means the EU subsidiary's MSA gets the reports whether or not the subsidiary is set up to handle them.
White-label SBOM provenance
The supplier sibling covers SBOM contract clauses in the abstract. For white-label, the operational reality is sharper: you cannot generate the SBOM from your own build pipeline because you did not build the code.
Three operational consequences.
First, the SBOM is a contracted deliverable from the OEM, not an internal artifact. Your contract must specify format (CycloneDX or SPDX), update cadence (per release), depth (transitive dependencies, not just direct), and refresh trigger (any firmware version bump). Without this, the OEM may deliver a direct-only SBOM that misses 90% of the actual risk surface.
Second, the SBOM authority bears your brand even though you did not author the components. When the SBOM lists a vulnerable transitive dependency, the component due diligence duty lands on you. The diligence record cannot be a copy-paste from the OEM; it has to be your own decision and your own risk acceptance per integrated component. Use the supplier due diligence playbook for the FOSS, cloud, hardware-only and OSS-steward sub-cases inside the OEM's SBOM.
Third, hardware-only ODM scenarios split into hardware BOM (BOM of physical components) and software SBOM (BOM of the firmware you ship). The hardware BOM is OEM-supplied; the software SBOM is yours (because the firmware is yours). The technical file must distinguish the two, and the vulnerability monitoring split has to match: hardware BOM monitoring flows from the OEM to you, software SBOM monitoring is your direct responsibility.
Liability split contract clauses
Seven contract clauses carry the white-label arrangement under CRA. Each plugs into a specific manufacturer obligation that originates with you, the brand owner, and depends on the OEM to make good.
1. CRA manufacturer acknowledgement
Supplier acknowledges that Buyer will place the Product
on the EU market under Buyer's name or trademark and
that Buyer will be considered the "manufacturer" under
Regulation (EU) 2024/2847 (Cyber Resilience Act).
Supplier agrees to support Buyer's compliance obligations
as set out in this Agreement.
2. Technical documentation (Annex VII)
Supplier shall provide to Buyer:
(a) Complete technical documentation meeting the
requirements of Annex VII of Regulation (EU) 2024/2847
(b) All documentation necessary for Buyer to:
- Conduct the conformity assessment
- Prepare the EU Declaration of Conformity
- Respond to market surveillance reasoned requests
(c) Updates to documentation within [10] business days
of any change affecting compliance status
Supplier grants Buyer a perpetual, irrevocable, royalty-
free licence to use such documentation for compliance
purposes, including production for any market surveillance
authority in a language the authority understands.
3. SBOM provision (with transitive depth)
Supplier shall provide:
(a) Software Bill of Materials in [CycloneDX/SPDX] format
(b) Updated SBOM within [5] business days of each firmware
release that changes direct or transitive components
(c) SBOM including transitive dependencies, not direct
dependencies only
(d) Component identification with name, version, supplier,
licence, known vulnerabilities at delivery
4. Vulnerability notification (hours, not "promptly")
Supplier shall notify Buyer within [24/48] hours of
becoming aware of any security vulnerability in the
Product or in any transitively integrated component
that:
(a) Is actively exploited
(b) Has a CVSS score of 7.0 or higher
(c) Is subject to public disclosure
Patch development:
(a) Acknowledge within [24] hours
(b) Severity assessment within [72] hours
(c) Deliver patch within [7/30/90] days
for Critical/High/Medium severity
Buyer retains final authority on customer communications
and update release timing.
5. Support-period mirror
Supplier commits to providing security updates for the
Product for a minimum period that matches or exceeds
Buyer's support-period commitment to its end users, and
in any case for at least [5/7/10] years from the date of
first market placement by Buyer in the EU.
Supplier shall provide [90] days written notice before
any planned discontinuation. On discontinuation, Supplier
shall release source code and build artefacts under
[source-code escrow / transition assistance terms].
6. Conformity assessment support and audit rights
Supplier shall:
(a) Support Buyer's conformity assessment activities,
including providing test reports, certificates, and
evidence on reasonable request
(b) Allow Buyer or Buyer's Notified Body to audit
production facilities upon [30] days written notice
(c) Maintain quality controls consistent with the
assessed product type
7. Subcomponent flow-down and disclosure
Supplier shall:
(a) Provide and maintain a list of subcomponent suppliers
that contribute to or have access to security-relevant
parts of the Product
(b) Flow down relevant CRA requirements to subcomponents
(c) Notify Buyer within [30] days of any material change
to the subcomponent supplier list
(d) Maintain subcomponent supplier qualification records
for the duration of Buyer's support period plus 10 years
Risk allocation summary
| Risk | Contract mechanism | Who acts |
|---|---|---|
| Product fails to meet essential cybersecurity requirements | Warranty + remediation obligation | Supplier remediates; Buyer holds market position |
| Documentation incomplete or late | Deliverable requirement with response window | Supplier delivers |
| Vulnerability discovered | Notification SLA in hours, patch SLA in days | Supplier notifies and patches; Buyer reports to ENISA |
| ENISA reporting | Notification obligation from Supplier flows to Buyer | Buyer reports |
| Market surveillance reasoned request | Documentation access perpetual licence | Buyer responds; Supplier supports |
| OEM cessation | Source-code escrow + transition services | Buyer continues support from escrowed code |
| Regulatory fines | Negotiated indemnification (proportionate to fault) | Negotiated |
Post-M&A inherited white-label arrangements
You acquire a brand and discover half its catalogue is white-labelled with no compliance trail. The CRA does not grant an M&A grace period; the acquiring entity inherits manufacturer obligations on day one for every product currently on the EU market under the acquired brand.
POST-M&A WHITE-LABEL TRIAGE (90 DAYS)
DAY 1-15: Inventory
[ ] Pull SKU list from acquired entity's ERP
[ ] Tag each SKU as own-design / white-label / OEM-modified
[ ] Identify the OEM behind each white-label SKU
[ ] Cross-check against current shipping status (active vs EOL stock)
DAY 15-30: Documentation gap analysis
[ ] For each active white-label SKU: is there a Buyer-named DoC?
[ ] For each active white-label SKU: is there a technical file in Buyer's name?
[ ] For each active white-label SKU: is there an SBOM?
[ ] Tag SKUs by gap severity (no DoC > incomplete tech file > no SBOM)
DAY 30-60: Tier 1 remediation
[ ] SKUs with no DoC: pull from EU market until DoC is in place
[ ] SKUs with no technical file: build from OEM evidence + your own assessment
[ ] SKUs with no SBOM: contract the OEM for SBOM delivery; if OEM refuses or has ceased, plan replacement or sunset
DAY 60-90: Decision gate
[ ] Each white-label SKU classified: keep / sunset / replace OEM
[ ] OEM contracts assessed against the 7-clause set; gaps mapped
[ ] Support-period mirror coverage analysed end to end
ONGOING:
[ ] Tag the acquired-via-M&A origin in each SKU record for audit
[ ] Roll inherited SKUs into normal release-cycle SBOM and vulnerability monitoring
The triage is not a paper exercise. Authorities asking why a 12-year-old white-label SKU has no DoC after acquisition will accept "we discovered the gap in our 90-day post-acquisition triage and pulled the SKU until remediated" more readily than "we are still working out which OEM made it".
Common pitfalls
| Claim | Why it fails |
|---|---|
| "It is just a sticker with our logo." | If the sticker presents you as the source to the EU market, manufacturer obligations apply. The trigger is brand presentation, not sticker depth. |
| "The OEM made it, so the OEM is the manufacturer." | The CRA treats the brand owner as the manufacturer. The OEM is your supplier. |
| "The OEM's CE marking transfers when we rebrand." | CE marking is tied to the manufacturer named on the DoC. When you rebrand, you issue your own DoC and affix CE under your own responsibility; the OEM's CE no longer covers the rebranded units. |
| "The support clock starts when the OEM first placed the un-branded version." | The clock starts when YOU place the rebranded version on the EU market. Your customers bought the rebranded product on your timeline. |
| "Our OEM is going out of business; we can wait and see what happens to our support obligation." | Your support obligation does not change when the OEM ceases. Plan source-code escrow and second source BEFORE the OEM fails, not after. |
| "Co-branding means we share liability equally." | The retail-facing brand typically carries the manufacturer designation; the contract decides if both parties are manufacturers. Default reading is whoever signs the DoC. |
| "Retailer private-label is exempt because it's volume retail." | Volume is irrelevant. Amazon Basics, Lidl Silvercrest and Tesco F&F-Tech are all manufacturers of their private-label SKUs. |
| "We white-labelled it from a non-EU OEM; the OEM is responsible for vulnerability reporting." | Your brand on the product makes YOU the manufacturer, including for vulnerability and incident reporting to ENISA. The OEM has zero CRA reporting duty on your branded SKUs. |
Frequently Asked Questions
I just discovered our reseller is re-rebranding our white-label product under their own brand. What now?
The reseller becomes the manufacturer of the re-rebranded units. You remain the manufacturer of the units you placed under your brand; the reseller is the manufacturer for theirs. Step one is to map the affected units (which serial-number ranges or batches were re-rebranded) so a vulnerability response can reach them. Step two is to amend the reseller contract: prohibit re-rebranding without written consent, and add a manufacturer-status acknowledgement clause for any pre-existing re-rebranded stock. Step three is to put a CVD flow in place that informs the reseller of vulnerabilities so they can patch their units, since your customers can no longer reach them through your channels.
A product carries our brand and the OEM's brand side by side. Who is the manufacturer?
Typically whichever brand is presented as the source of the product to the EU market, which is usually the retail-facing brand. Both parties can be designated manufacturers if both are presented as such, but practical operations rarely sustain shared manufacturer status. The cleanest position is to write the designation into the co-branding agreement: whichever party signs the DoC is the manufacturer. Avoid ambiguous co-branding that leaves the question to a market surveillance authority's interpretation.
Our OEM is going bankrupt. Do we have to take over their support obligations?
No. The importer's cessation notice duty does not apply to you in this scenario, because you are the CRA manufacturer of your rebranded product and the OEM was your supplier, not the manufacturer. The support obligation does not "transfer" from the OEM because it was always yours. Your operational fallback is what the contract committed to: source-code escrow, second-source qualification, transition services. If you placed the product on the market, you owe the support, regardless of what happens to your OEM. The importer cluster cessation section covers the importer-side duty for completeness.
We commission ODM hardware and ship our own firmware. Are we still in white-label territory?
Yes, but with a different supplier-diligence shape. You are the manufacturer of the integrated product; the ODM is your hardware supplier. The hardware BOM is OEM-supplied; the software SBOM is yours because the firmware is yours. Use the hardware-only ODM diligence playbook for the hardware side. The common operational error is signing a long support-period commitment to your users when the ODM's hardware EOL window is shorter than that commitment.
What if we modify the firmware after we have already placed the product?
You remain the manufacturer; the modification is part of your manufacturer scope, not a separate trigger on someone else. A genuine security update that preserves intended purpose and behaviour does not start a new conformity-assessment cycle. A modification that adds features, changes authentication, or expands attack surface stays within your manufacturer status but starts a fresh conformity-assessment loop for the modified product on your same technical file. The rebrand-bridge and catch-all routes only fire when the modification is done by someone else (an importer/distributor for the bridge, anyone else for the catch-all).
How long must we keep technical documentation for a white-label product?
At least 10 years after market placement or for the support period, whichever is longer. A white-label product placed in 2028 with a 7-year support period requires retention until 2038. Your contract with the OEM should mirror this: the OEM keeps the underlying technical evidence (test reports, design documentation, subcomponent qualifications) for at least the same window, and you can request copies during the period to respond to a market surveillance reasoned request.
We just acquired a company whose catalogue is half white-label. Where do we start?
Run the 90-day triage in the post-M&A section above. Inventory first (which SKUs are white-label, which OEM is behind each), gap-analyse documentation (no DoC > incomplete tech file > no SBOM), pull no-DoC SKUs from the EU market until remediated, and tag the M&A origin in each SKU record for audit. The CRA does not give an M&A grace period; manufacturer obligations land on you the day the acquisition closes. A defensible programme demonstrably running inside one quarter is the credible position to take to a market surveillance authority.
Does our supplier's conformity assessment transfer to our branded version?
Usually not. Conformity assessment attaches to the product as placed by a specific manufacturer. When you rebrand, you issue your own DoC, in your name, against your own technical file. You may rely on the OEM's test evidence as inputs (and that should be a contracted deliverable), but the declaration, the CE marking and the technical-file authorship sit with you, the brand-owner manufacturer. The conformity assessment guide covers module choice.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.
Related Articles
Does the CRA apply to your product?
Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.
Ready to achieve CRA compliance?
Start managing your SBOMs and compliance documentation with CRA Evidence.