A CRA authorised representative (AR) is an EU-established person or company that a manufacturer can appoint by written mandate to hold compliance documents, answer reasoned authority requests, and cooperate with market surveillance. Appointment is optional under the Cyber Resilience Act, including for non-EU manufacturers. The role is useful when a manufacturer wants an EU regulatory contact, but it does not transfer cybersecurity engineering, vulnerability handling, conformity assessment, or importer duties away from the manufacturer or importer.
Summary
- Appointment is optional. CRA manufacturers may appoint an authorised representative, but the CRA does not require one as a condition for EU market access.
- The mandate is narrow. The AR can hold the EU Declaration of Conformity and technical documentation, provide them to authorities on reasoned request, and cooperate on risk-elimination actions.
- Core manufacturer duties stay put. Product cybersecurity, risk assessment, vulnerability handling, technical-documentation creation, conformity assessment, and production controls stay with the manufacturer.
- Importer duties are separate. An importer exists by supply-chain fact; an AR exists only by written mandate. One EU entity can hold both roles, but the paperwork and duties are distinct.
- Penalty exposure follows the duty breached. Manufacturer-duty breaches sit in the top penalty tier; AR-mandate breaches sit in the importer/distributor tier.
- Deadlines matter. Manufacturer reporting starts 11 September 2026; most AR-relevant operational readiness belongs with the 11 December 2027 regime start.
Should you appoint an authorised representative?
Choosing an authorised representative is an operational decision, not a CRA market-access requirement. The factors below cover the typical reasoning. None of them creates a legal obligation; the CRA does not penalise the absence of an AR.
| Factor | Lean toward appointing | Lean toward not appointing |
|---|---|---|
| Manufacturer EU presence | Manufacturer is established outside the Union and has no EU office that can credibly take market surveillance correspondence. | Manufacturer is EU-established, or has an EU subsidiary that already handles regulatory correspondence. |
| Other EU instruments | Product is also covered by MDR, which requires an AR for non-EU medical-device manufacturers, or you already use a RED compliance representative or service provider. Reusing the same firm for CRA scope can simplify operations. | Product falls only under the CRA, with no parallel MDR AR obligation and no existing RED representative arrangement. |
| Authority correspondence | You want correspondence with market surveillance authorities to flow through a local EU contact in the relevant Member State language and timezone. | You are comfortable handling reasoned-request responses directly from the manufacturer's headquarters. |
| Document custody | You want the 10-year retention of the DoC and technical documentation held by an EU-established custodian. | You already operate an internal evidence platform that keeps the documentation accessible to authorities on request. |
| Importer route | Multiple EU importers and distributors, and you want a single named AR across the channel rather than splitting accountability. | Single trusted EU importer who already runs importer verification and document retention. |
Most non-EU manufacturers in regulated sectors end up appointing an AR because the operational simplification is worth more than the mandate fee, not because the CRA forces them to.
What the Mandate Can Cover
The written mandate turns the AR into a document custodian and authority interface. It can be narrower or broader as a contract, but for CRA purposes it must at least allow the AR to do the three tasks below.
| Task | What the AR does |
|---|---|
| Document custody | Hold the EU Declaration of Conformity and technical documentation for at least 10 years after market placement, or for the support period, whichever is longer. |
| Authority requests | Provide the information and documentation needed to demonstrate conformity when a market surveillance authority makes a reasoned request. |
| Risk cooperation | Cooperate with market surveillance authorities, at their request, on actions taken to eliminate product risks. |
The mandate is also itself a controlled document: the AR must provide a copy to market surveillance authorities on request.
What Cannot Be Delegated
The written mandate cannot move the manufacturer's core CRA work. These duties cannot be delegated, regardless of what the mandate text says.
| Excluded cluster | What it covers |
|---|---|
| Product and vulnerability duties | Product cybersecurity, the cybersecurity risk assessment, component due diligence, the support-period determination, security update availability, and substantially-modified-software rules. |
| Technical documentation creation and conformity assessment | Drawing up the technical documentation remains a manufacturer responsibility. The AR may hold the resulting file under the mandate but cannot create it or take over conformity assessment. |
| Series production controls | The manufacturer remains responsible for continued conformity across the products it places on the market. |
The practical line is sharp: engineering, risk assessment, vulnerability handling, conformity assessment, and series-of-production controls stay with the manufacturer. The AR is a documentation custodian and authority interface, not a substitute manufacturer.
Authorised Representative vs Importer
The AR role is created by a written mandate. The importer role is created by the commercial supply route when an EU-established person places a non-EU manufacturer's product on the Union market. They do not substitute for each other in either direction.
| | Authorised representative | EU importer |
|---|---|---|
| Trigger | Optional. A manufacturer may appoint an AR by written mandate. | Status by definition. Whoever, established in the Union, places a product bearing a non-EU manufacturer's name or trademark on the market is the importer. |
| Created by | Written mandate from the manufacturer to an EU-established legal or natural person. | The commercial supply route. No appointment, no mandate. |
| Maximum scope | Hold the DoC and technical documentation for 10 or more years; provide them to market surveillance on reasoned request; cooperate on corrective action. The substantive manufacturer duties are excluded from the mandate. | Verify conformity assessment, CE marking, DoC and user instructions; retain documents for 10 or more years; cooperate with authorities; notify on suspected non-compliance and on awareness of vulnerabilities. |
| Substitutes the other? | No. Appointing an AR does not remove importer obligations from whoever places the product on the EU market. | No. Importer duties exist independently. They neither create nor remove an AR appointment. |
| Same entity allowed? | Yes. One EU-established firm can hold both the AR mandate and the importer role, with separate written paperwork and indemnity covering both. | Same. |
Practical implication: choosing an AR is independent of who imports the product. An EU importer does not relieve the manufacturer of any cybersecurity obligation, and an AR does not relieve the importer of any importer duty. If you want one EU partner to wear both hats, that is allowed; you need a written AR mandate distinct from the commercial supply contract, and indemnity covering both functions.
What to look for when appointing an AR
If your supplier landscape includes incumbents from MDR, RED, or RoHS, that is a reasonable starting point. The CRA-specific checks below are what separate a serviceable AR from one that will struggle when the first authority letter arrives.
| Check | What good looks like |
|---|---|
| Domicile | EU-established legal entity in a Member State, with a registered office and a local point of contact. |
| Insurance | Professional indemnity with coverage explicitly extended to CRA scope and CRA product classifications. |
| Sector experience | Demonstrable track record under MDR, the RED cybersecurity delegated act, or RoHS. These are the firms credibly pivoting into CRA work today. |
| Document custody | Platform meeting the 10-year retention obligation required by the mandate, with a tamper-evident audit trail and authority-ready exports. |
| Accountability | A named natural person accountable to authorities, not a generic legal-team mailbox. |
| Language | Capacity to handle corrective-action cooperation in the language of the relevant Member State authority. |
The mandate itself should specify the CRA mandate tasks in full, restate the non-delegable manufacturer duties, set notice and termination terms, and define handover when the manufacturer changes AR. Have it reviewed by counsel familiar with EU product compliance.
Common pitfalls
| Claim | Why it fails |
|---|---|
| "We are non-EU, so we must appoint an AR." | CRA appointment is optional even for non-EU manufacturers. MDR may require an AR for non-EU medical-device manufacturers; RED has its own economic-operator rules but does not turn CRA appointment into a requirement. |
| "Our EU importer is also our AR; one contract covers both." | The roles are legally distinct. Importer obligations attach to whoever places the product on the market; AR obligations attach to whoever holds the written mandate. Combine the entity if you wish, but paper the two functions separately. |
| "The AR signs our EU Declaration of Conformity." | The manufacturer draws up and signs the DoC. The AR may hold it for market surveillance authorities, but the conformity declaration remains a manufacturer act. |
| "We delegated vulnerability handling to the AR." | Vulnerability handling stays with the manufacturer. It is one of the core manufacturer duties that an AR mandate cannot include. |
| "We outsourced incident reporting to the AR." | Reporting is a manufacturer duty. The AR can support communications, but the reporting obligation remains with the manufacturer. |
| "Mandate covers all our products forever." | Mandates are written, time-bound, and product-scoped. Update on each new product line, on each substantial change, and on AR change. |
| "We do not need a CRA mandate; our MDR mandate is enough." | The MDR mandate scope is medical-specific and does not automatically attach to CRA duties. Re-paper a CRA-scoped mandate that lists the CRA document-custody and authority-cooperation tasks and the non-delegable manufacturer duties. |
| "The AR is liable for product defects." | The AR is responsible for the duties listed in the mandate. Product-defect liability and the underlying cybersecurity obligations remain with the manufacturer, subject to any separate national-law exposure. |
Frequently asked questions
Is appointing an authorised representative mandatory under the CRA?
No. The CRA makes AR appointment optional, even for manufacturers established outside the Union. The operative wording is permissive: a manufacturer may appoint an authorised representative by written mandate. MDR can still require an AR for non-EU medical-device manufacturers where that regime applies; RED may involve an authorised representative by mandate, but that is not a CRA appointment duty.
Why would a non-EU manufacturer still appoint an AR under the CRA?
Operational simplification, not legal compulsion. A single EU-established legal contact point reduces friction with market surveillance authorities, who often prefer correspondence with an entity in their jurisdiction and language. The AR can hold the Declaration of Conformity and technical documentation locally for the required retention period. Many non-EU manufacturers already use an MDR AR or RED compliance representative and find it simpler to extend that arrangement to CRA scope. A named EU AR also shortens authority response cycles when a reasoned request arrives.
What can and cannot be delegated to a CRA authorised representative?
The substantive cybersecurity duties cannot be delegated; only documentation custody and authority cooperation can. Essential requirements, vulnerability handling, conformity assessment, and series-of-production controls stay with the manufacturer. The AR mandate at minimum must cover three things: holding the DoC and technical documentation for 10 or more years or the support period if longer, providing information and documentation to authorities on reasoned request, and cooperating on action taken to eliminate risks.
What is the difference between a CRA authorised representative and an EU importer?
They are independent roles. An importer is an EU-established person who places a product bearing a non-EU manufacturer's name or trademark on the EU market, and carries importer obligations regardless of whether an AR exists. An AR, when appointed, takes on the tasks listed in the mandate. They are not substitutes: the importer role is triggered by the commercial supply route, the AR role by a written mandate. One EU entity may hold both, with separate paperwork.
Can my EU importer or distributor act as my authorised representative?
Yes. The CRA does not forbid one EU-established entity from holding both a commercial importer or distributor role and an AR mandate. The functions remain legally distinct: the importer or distributor carries duties from the commercial supply relationship, while the AR carries duties from a written mandate. To combine them, paper a separate CRA mandate, carry professional indemnity sufficient for both roles, and keep a clear contractual line between the functions.
Is the AR liable for product defects, or only for documentation duties?
The AR is responsible for the documentation and cooperation duties in the mandate; product-defect and substantive cybersecurity liability stay with the manufacturer. Mandate scope is bounded by document custody, authority responsiveness, and cooperation on corrective action. The substantive manufacturer obligations cannot be folded into the mandate. National law in some Member States may extend AR exposure further, so the mandate should be drafted carefully.
Is a CRA authorised representative the same as an MDR or RED authorised representative?
No, the regimes overlap but are not interchangeable. MDR makes AR appointment mandatory for non-EU medical-device manufacturers and imposes broader medical-specific duties including vigilance reporting. RED uses its own authorised-representative and economic-operator framework, but it does not make CRA appointment mandatory. CRA makes appointment optional, with narrower duties centred on documentation, authority requests, and corrective-action cooperation. An incumbent MDR AR or RED compliance representative can be a strong starting point, but the mandate must be re-papered for CRA scope and the non-delegation rules.
Does the AR sign the EU Declaration of Conformity?
No. The manufacturer draws up and signs the EU Declaration of Conformity. The AR, when appointed, holds the signed DoC and the technical documentation at the disposal of market surveillance authorities, but the act of declaring conformity is a manufacturer responsibility kept out of the AR mandate.
Can I change my AR after appointment?
Yes. The mandate is a contract between the manufacturer and the AR, and either party can terminate subject to its terms. On change, the new AR takes over custody of the technical documentation and Declaration of Conformity, and the manufacturer should update the contact information communicated to market surveillance authorities. Plan for an explicit handover step in the mandate template.