EU authorised representative for the Cyber Resilience Act (Article 18)

Article 18 of the EU Cyber Resilience Act lets a manufacturer appoint an EU-established authorised representative (AR) by written mandate. Unlike the MDR or RED, the CRA does not require this. This page covers when appointing one is worth it, what an AR can and cannot do under Article 18(2) and 18(3), and how the role sits alongside the Article 19 importer.

Summary

Five things to know about Article 18 of the EU Cyber Resilience Act before deciding whether to appoint an authorised representative.

Should you appoint an authorised representative?

AR appointment is optional under CRA Article 18(1). The decision is operational, not legal: do the practical benefits of having an EU-established legal contact point outweigh the cost of the mandate? The factors below cover the typical reasoning.

Manufacturer EU presence
  • Lean toward appointing: Manufacturer is established outside the Union and has no EU office that can credibly take MSA correspondence.
  • Lean toward not appointing: Manufacturer is EU-established, or has an EU subsidiary that already handles regulatory correspondence.

Other EU instruments
  • Lean toward appointing: Product is also covered by MDR or RED, both of which require an AR for non-EU manufacturers. Reusing the same AR firm for CRA scope is operationally simpler.
  • Lean toward not appointing: Product falls only under the CRA, with no parallel MDR or RED AR obligation already in place.

Authority correspondence
  • Lean toward appointing: Want correspondence with market surveillance authorities to flow through a local EU contact in the relevant Member State language and timezone.
  • Lean toward not appointing: Comfortable handling Article 18(3)(b) reasoned-request responses directly from the manufacturer's headquarters.

Document custody
  • Lean toward appointing: Want the 10-year retention of the DoC and technical documentation held by an EU-established custodian.
  • Lean toward not appointing: Already operating an internal evidence platform that keeps the documentation accessible to authorities on request.

Importer route
  • Lean toward appointing: Multiple EU importers/distributors and you want a single named AR across the channel rather than splitting accountability.
  • Lean toward not appointing: Single trusted EU importer who already runs Article 19 verification and document retention.

None of these factors create a legal obligation. The CRA does not penalise the absence of an AR. They are practical levers; most non-EU manufacturers in regulated sectors end up appointing one because the operational simplification is worth more than the mandate fee.

What an AR is on the hook for, Article 18(3)

The mandate scope is set by the manufacturer in writing, but it must cover at minimum the three duties below. These are what market surveillance authorities will press on first.

Article 18(3)(a)

Hold the EU Declaration of Conformity and Annex VII technical documentation for ten years.

“keep the EU declaration of conformity and the technical documentation at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer”

Article 18(3)(b)

Provide documentation and information to authorities on reasoned request.

“further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements”

Article 18(3)(c)

Cooperate with authorities on corrective action and risk elimination.

“cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative's mandate”

AR and importer: independent roles

The Article 18 AR and the Article 19 importer are separate roles with separate triggers. The AR exists when a manufacturer chooses to appoint one; the importer exists by commercial fact when an EU-established person places a non-EU manufacturer's product on the market. They do not substitute for each other in either direction.

Trigger
  • Authorised representative (Art. 18): Optional. A manufacturer may appoint an AR by written mandate (Art. 18(1)).
  • EU importer (Art. 19): Status by definition. Whoever, established in the Union, places the product bearing a non-EU manufacturer's name or trademark on the market is the importer (Art. 3(14)).

Created by
  • Authorised representative (Art. 18): Written mandate from the manufacturer to an EU-established legal or natural person.
  • EU importer (Art. 19): The commercial supply route. No appointment, no mandate.

Maximum scope
  • Authorised representative (Art. 18): Hold the DoC and technical documentation for 10+ years; provide them on reasoned MSA request; cooperate on corrective action (Art. 18(3)). Article 18(2) excludes the substantive Article 13 duties.
  • EU importer (Art. 19): Verify conformity assessment, CE marking, DoC and user instructions; retain docs for 10+ years; cooperate with authorities; notify on suspected non-compliance and on awareness of vulnerabilities (Art. 19(1) to (8)).

Substitutes the other?
  • Authorised representative (Art. 18): No. Appointing an AR does not remove importer obligations from whoever places the product on the EU market.
  • EU importer (Art. 19): No. Article 19 importer duties exist independently. They neither create nor remove an AR appointment.

Same entity allowed?
  • Yes. One EU-established firm can hold both the AR mandate and the importer role, with separate written mandates and indemnity covering both.

Practical implication: choosing to appoint an AR is independent of who imports the product. An EU importer does not relieve the manufacturer of any cybersecurity obligation, and an AR does not relieve the importer of any Article 19 duty. If you want one EU partner to wear both hats, that is allowed; you need a written AR mandate distinct from the commercial supply contract, and indemnity covering both functions.

What to look for when appointing an AR

If your supplier landscape includes incumbents from MDR, RED, or RoHS, that is a reasonable starting point. The CRA-specific checks below are what separate a serviceable AR from one that will struggle when the first authority letter arrives.

  • Domicile: EU-established legal entity in a Member State, with a registered office and a local point of contact.
  • Insurance: Professional indemnity with coverage explicitly extended to CRA scope and Annex III product classifications.
  • Sector experience: Demonstrable track record under MDR, the RED cybersecurity delegated act, or RoHS. These are the firms credibly pivoting into CRA work today.
  • Document custody: Platform meeting the ten-year retention obligation with a tamper-evident audit trail and authority-ready exports.
  • Accountability: A named natural person accountable to authorities, not a generic legal-team mailbox.
  • Language: Capacity to handle Article 18(3)(c) corrective-action cooperation in the language of the relevant Member State authority.

How CRA Evidence supports Article 18

Whether the manufacturer keeps document custody in-house, hands it to an external AR, or splits the work with an EU importer, the operational tasks are the same: maintain a complete technical file, hand it to authorities on reasoned request, and record corrective action. CRA Evidence is the platform that runs that work, AR or no AR.

Article 18(3)(a)

Hold the EU DoC and Annex VII technical documentation for 10+ years

Annex VII bundles, signed Declarations of Conformity, and the underlying SBOMs / VEX / risk assessments stored under a hard 10-year retention policy with a tamper-evident audit log.

  • Technical File Export bundles Annex VII into a machine-readable ZIP with manifest.
  • Compliance Certificates issue multi-language EU DoC PDFs (Module A / B+C / H / EUCC); immutable once issued.
  • Artifact Signing (Sigstore keyless or key-based) writes signatures to a transparency log for non-repudiation.
  • 10-year retention across SBOMs, documents, audit events, and vulnerability records, with no early deletion on plan change.

Article 18(3)(b)

Provide everything to a market surveillance authority on reasoned request

When an authority writes, the AR has a numbered request, a deadline, and a one-click evidence package. No scrambling across drives, no missing documents.

  • Authority Request Service intakes MSA requests with AUTH-YYYY-NNNN tracking, deadlines, and overdue detection.
  • Response Package Assembly ZIPs manifest, product info, supplier-chain verifications, audit trail, and README ready to send.
  • Unified Evidence View normalises SBOM, HBOM, VEX, documents, certificates, and Annex II UII into one queryable index.
  • Supplier Portal issues token-scoped, audit-tracked external access for authorities or supply-chain counterparts.

Article 18(3)(c)

Cooperate on corrective action and risk elimination

Vulnerability handling, VEX, and corrective-action records are all written to the same audit-trailed evidence base, so the AR can show authorities what was done, when, and by whom.

  • Authority Request lifecycle: received → acknowledged → in_progress → responded → closed, with response method, reference, and document list captured.
  • VEX automation (CycloneDX, CSAF, OpenVEX) records exploitability decisions per finding.
  • ENISA reporting workflow for Article 14 24h / 72h / 14d notifications (in active development).
  • Audit Trail records every version update, document change, and approval: the full corrective-action lineage.

Article 18 and Article 19, full text

From Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements. Reproduced for reference; the consolidated EUR-Lex text is authoritative.

Article 18 · Authorised representatives

1. A manufacturer may, by a written mandate, appoint an authorised representative.

2. The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative's mandate.

3. An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The authorised representative shall provide a copy of the mandate to the market surveillance authorities upon request. The mandate shall allow the authorised representative to do at least the following:

(a) keep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer;

(b) further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements;

(c) cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative's mandate.

Source · EUR-Lex CELEX 32024R2847, Article 18 (verbatim)

Article 19 · Obligations of importers (independent of AR appointment)

1. Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

2. Before placing a product with digital elements on the market, importers shall ensure that:

(a) the appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;

(b) the manufacturer has drawn up the technical documentation;

(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;

(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).

Subsequent paragraphs of Article 19 (paragraphs 3 to 8) cover non-conformity handling, importer identification on the product, corrective measures and vulnerability notifications, 10-year document retention, response to reasoned requests from market surveillance authorities, and the duty to inform authorities and users when the manufacturer ceases operations. These obligations apply to whoever acts as the EU importer, independently of any Article 18 AR appointment.

Source · EUR-Lex CELEX 32024R2847, Article 19 (verbatim, paras 1–2; 3–8 summarised)

Frequently asked questions

Is appointing an authorised representative mandatory under the CRA?

No. Article 18(1) of Regulation (EU) 2024/2847 reads, verbatim: “A manufacturer may, by a written mandate, appoint an authorised representative.” This is permissive. The CRA does not impose AR appointment as a condition for placing products on the EU market, even for manufacturers established outside the Union. This differs from MDR Article 11 and RED Article 5, both of which require an AR for non-EU manufacturers. If a CRA product is also covered by MDR or RED, the AR requirement under those instruments still applies.

Why would a non-EU manufacturer still appoint an AR under the CRA?

Several practical reasons. A single EU-established legal contact point reduces friction with market surveillance authorities, who prefer correspondence with an entity in their jurisdiction and language. The AR can hold the Declaration of Conformity and technical documentation locally for the 10-year retention period under Article 18(3)(a). Many non-EU manufacturers already use an MDR or RED AR and find it operationally simpler to extend that arrangement to CRA scope. Finally, a clearly named EU AR can shorten authority response cycles when a reasoned request arrives under Article 18(3)(b).

What can and cannot be delegated to a CRA authorised representative?

Article 18(2) explicitly excludes the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) from the AR mandate. The substantive cybersecurity obligations (essential requirements, vulnerability handling, conformity assessment) cannot be passed to the AR. Article 18(3) sets the maximum scope of what an AR can do: hold the DoC and technical documentation for 10+ years, provide information and documentation to authorities on reasoned request, and cooperate on actions taken to eliminate risks. The manufacturer always remains the entity legally responsible for the substantive cybersecurity duties.

What is the difference between a CRA authorised representative and an EU importer?

They are independent roles. An importer is, by Article 3 definition, an EU-established person who places a product bearing a non-EU manufacturer's name or trademark on the EU market. Importers carry their own Article 19 obligations regardless of whether an AR exists. An AR, when appointed, takes on the Article 18(3) tasks listed in the mandate. They are not substitutes: the importer role is triggered by the commercial supply route, the AR role by a written mandate. One EU entity may hold both, with separate paperwork.

Can my EU importer or distributor act as my authorised representative?

Yes. The CRA does not forbid one EU-established entity from holding both a commercial importer or distributor role and an AR mandate. The functions remain legally distinct: the importer carries Article 19 obligations from the commercial supply relationship, the AR carries Article 18(3) duties from a written mandate. To combine them, you need a separate written AR mandate that explicitly covers Article 18(3), professional indemnity sufficient for both roles, and a clear contractual line between the two functions.

Is the AR liable for product defects, or only for documentation duties?

The AR is responsible only for the duties listed in the written mandate, which under the CRA are bounded by Article 18(3): document custody, authority responsiveness, and cooperation on corrective action. Article 18(2) explicitly excludes the substantive Article 13 obligations from the mandate. Product defect liability and the underlying cybersecurity obligations remain with the manufacturer. National law in some Member States may extend AR exposure further, so the mandate should be drafted carefully.

Is a CRA authorised representative the same as an MDR or RED authorised representative?

The AR concept is shared across EU product regulations, but the regimes are not identical. MDR Article 11 makes AR appointment mandatory for non-EU manufacturers and imposes broader medical-specific duties including vigilance reporting. RED Article 5 also makes AR appointment mandatory for non-EU manufacturers. CRA Article 18(1) makes it optional. The Article 18(3) duties are narrower and centred on documentation, authority requests, and corrective-action cooperation. An incumbent MDR or RED AR can be a strong starting point, but the mandate must be re-papered for CRA scope and Article 18(2) non-delegation rules.

Does the AR sign the EU Declaration of Conformity?

No. The EU Declaration of Conformity is drawn up and signed by the manufacturer under Article 28. The AR, when appointed, holds the signed DoC and the technical documentation at the disposal of market surveillance authorities under Article 18(3)(a), but the act of declaring conformity is a manufacturer responsibility that Article 18(2) keeps out of the AR mandate.

Can I change my AR after appointment?

Yes. The mandate is a contract between the manufacturer and the AR, and either party can terminate subject to its terms. On change, the new AR takes over custody of the technical documentation and Declaration of Conformity, and the manufacturer should update the contact information communicated to market surveillance authorities. Plan for an explicit handover step in the mandate template.