The authorised representative (AR) under Article 18 is an EU-established person whom a manufacturer may, by written mandate, ask to perform specified CRA tasks on its behalf. Unlike the Medical Devices Regulation (Article 11) or the Radio Equipment Directive (Article 5), the CRA does not require an AR for non-EU manufacturers. Appointment is optional. This page covers when appointing one is worth it, what the AR can and cannot do under Articles 18(2) and 18(3), how the role sits next to the Article 19 importer, and what to look for when picking a partner.
Summary
- Article 18(1) is permissive. "A manufacturer may, by a written mandate, appoint an authorised representative." Appointment is optional. The CRA does not penalise the absence of an AR.
- Article 18(3) sets the maximum scope of what an AR may do: hold the EU Declaration of Conformity and the technical documentation for at least 10 years (or the support period, whichever is longer); provide that documentation to market surveillance authorities on a reasoned request; cooperate on action taken to eliminate risks posed by the product.
- Article 18(2) excludes the substantive duties: Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot be delegated. Annex I essential requirements, vulnerability handling, conformity assessment, and series-of-production controls stay with the manufacturer.
- AR and importer are independent roles. The AR exists only when the manufacturer signs a mandate. The importer exists by definition under Article 3(16) whenever an EU-established person places a non-EU manufacturer's product on the market. Neither role substitutes for the other.
- Penalty exposure splits by article. A manufacturer breach of Articles 13 or 14 is up to EUR 15 000 000 or 2.5% of total worldwide annual turnover under Article 64(2), whichever is higher. An AR breach of its Article 18 mandate falls under Article 64(3): up to EUR 10 000 000 or 2%, whichever is higher. The fine attaches to the legal person whose duty is breached.
- Deadlines: Article 14 vulnerability and incident reporting starts 11 September 2026. The rest of the regime starts 11 December 2027 (Article 71). The AR mandate, when signed, should track these dates.
Should you appoint an authorised representative?
Article 18(1) is permissive, so the decision is operational rather than legal. The factors below cover the typical reasoning. None of them creates a legal obligation; the CRA does not penalise the absence of an AR.
| Factor | Lean toward appointing | Lean toward not appointing |
|---|---|---|
| Manufacturer EU presence | Manufacturer is established outside the Union and has no EU office that can credibly take market surveillance correspondence. | Manufacturer is EU-established, or has an EU subsidiary that already handles regulatory correspondence. |
| Other EU instruments | Product is also covered by MDR or RED, both of which require an AR for non-EU manufacturers. Reusing the same firm for CRA scope simplifies operations. | Product falls only under the CRA, with no parallel MDR or RED AR obligation already in place. |
| Authority correspondence | You want correspondence with market surveillance authorities to flow through a local EU contact in the relevant Member State language and timezone. | You are comfortable handling Article 18(3)(b) reasoned-request responses directly from the manufacturer's headquarters. |
| Document custody | You want the 10-year retention of the DoC and technical documentation held by an EU-established custodian. | You already operate an internal evidence platform that keeps the documentation accessible to authorities on request. |
| Importer route | Multiple EU importers and distributors, and you want a single named AR across the channel rather than splitting accountability. | Single trusted EU importer who already runs Article 19 verification and document retention. |
Most non-EU manufacturers in regulated sectors end up appointing an AR because the operational simplification is worth more than the mandate fee, not because the CRA forces them to.
What an AR is on the hook for: Article 18(3)
The mandate scope is set by the manufacturer in writing, but it must allow the AR to do at least the three duties below. These are what market surveillance authorities will press on first.
| Article | Duty | Verbatim |
|---|---|---|
| 18(3)(a) | Hold the EU Declaration of Conformity and the Annex VII technical documentation for at least 10 years after market placement, or for the support period, whichever is longer. | "keep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer" |
| 18(3)(b) | Provide all information and documentation necessary to demonstrate conformity, on a reasoned request from a market surveillance authority. | "further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements" |
| 18(3)(c) | Cooperate with market surveillance authorities, at their request, on any action taken to eliminate the risks posed by the product. | "cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by the product with digital elements covered by the authorised representative's mandate" |
The mandate is also itself a controlled document. Under Article 18(3) first subparagraph, the AR must provide a copy of the mandate to market surveillance authorities on request.
What stays with the manufacturer: Article 18(2)
Article 18(2) excludes specific manufacturer duties from the AR mandate. They cannot be delegated, regardless of what the mandate text says.
| Excluded scope | What it covers |
|---|---|
| Article 13(1) to (11) | Annex I Part I product compliance, the cybersecurity risk assessment under 13(2) to (4), component due diligence under 13(5) to (7), the support-period determination under 13(8), security update availability under 13(9), and the substantially-modified-software rules under 13(10) and (11). |
| Article 13(12) first subparagraph | Drawing up the Annex VII technical documentation under Article 31 and carrying out the conformity assessment under Article 32. The AR may hold the resulting file under 18(3)(a) but cannot draw it up. |
| Article 13(14) | The series-of-production controls. The manufacturer is the entity that ensures continued conformity for the run of products it places on the market. |
The practical line is sharp: engineering, risk assessment, vulnerability handling, conformity assessment, and series-of-production controls stay with the manufacturer. The AR is a documentation custodian and authority interface, not a substitute manufacturer.
AR and importer: independent roles
The Article 18 AR and the Article 19 importer are separate roles with separate triggers. The AR exists when a manufacturer chooses to appoint one; the importer exists by commercial fact when an EU-established person places a non-EU manufacturer's product on the market. They do not substitute for each other in either direction.
| Authorised representative (Article 18) | EU importer (Article 19) | |
|---|---|---|
| Trigger | Optional. A manufacturer may appoint an AR by written mandate (18(1)). | Status by definition. Whoever, established in the Union, places a product bearing a non-EU manufacturer's name or trademark on the market is the importer (Article 3(16)). |
| Created by | Written mandate from the manufacturer to an EU-established legal or natural person. | The commercial supply route. No appointment, no mandate. |
| Maximum scope | Hold the DoC and technical documentation for 10 or more years; provide them to market surveillance on reasoned request; cooperate on corrective action (18(3)). Article 18(2) excludes the substantive Article 13 duties. | Verify conformity assessment, CE marking, DoC and user instructions; retain documents for 10 or more years; cooperate with authorities; notify on suspected non-compliance and on awareness of vulnerabilities (Article 19(1) to (8)). |
| Substitutes the other? | No. Appointing an AR does not remove importer obligations from whoever places the product on the EU market. | No. Article 19 importer duties exist independently. They neither create nor remove an AR appointment. |
| Same entity allowed? | Yes. One EU-established firm can hold both the AR mandate and the importer role, with separate written paperwork and indemnity covering both. | Same. |
Practical implication: choosing an AR is independent of who imports the product. An EU importer does not relieve the manufacturer of any cybersecurity obligation, and an AR does not relieve the importer of any Article 19 duty. If you want one EU partner to wear both hats, that is allowed; you need a written AR mandate distinct from the commercial supply contract, and indemnity covering both functions.
What to look for when appointing an AR
If your supplier landscape includes incumbents from MDR, RED, or RoHS, that is a reasonable starting point. The CRA-specific checks below are what separates a serviceable AR from one that will struggle when the first authority letter arrives.
| Check | What good looks like |
|---|---|
| Domicile | EU-established legal entity in a Member State, with a registered office and a local point of contact. |
| Insurance | Professional indemnity with coverage explicitly extended to CRA scope and Annex III product classifications. |
| Sector experience | Demonstrable track record under MDR, the RED cybersecurity delegated act, or RoHS. These are the firms credibly pivoting into CRA work today. |
| Document custody | Platform meeting the 10-year retention obligation under 18(3)(a), with a tamper-evident audit trail and authority-ready exports. |
| Accountability | A named natural person accountable to authorities, not a generic legal-team mailbox. |
| Language | Capacity to handle Article 18(3)(c) corrective-action cooperation in the language of the relevant Member State authority. |
The mandate itself should specify Article 18(3) in full, restate the Article 18(2) exclusions, set notice and termination terms, and define handover when the manufacturer changes AR. Have it reviewed by counsel familiar with EU product compliance.
Common pitfalls
| Claim | Why it fails |
|---|---|
| "We are non-EU, so we must appoint an AR." | Article 18(1) is permissive. The CRA does not require an AR even for non-EU manufacturers. MDR Article 11 and RED Article 5 do; the CRA does not. |
| "Our EU importer is also our AR; one contract covers both." | The roles are legally distinct. Article 19 obligations attach to whoever places the product on the market; Article 18 obligations attach to whoever holds the written mandate. Combine the entity if you wish, but paper the two functions separately. |
| "The AR signs our EU Declaration of Conformity." | No. The DoC is drawn up and signed by the manufacturer under Article 28. The AR holds it under 18(3)(a). |
| "We delegated vulnerability handling to the AR." | Article 18(2) excludes Article 13(1) to (11). Annex I Part II vulnerability handling stays with the manufacturer. |
| "The AR runs our Article 14 reporting." | Article 14 is a manufacturer duty. The AR can support communications, but the reporting obligation is on the manufacturer. |
| "Mandate covers all our products forever." | Mandates are written, time-bound, and product-scoped. Update on each new product line, on each substantial change, and on AR change. |
| "We do not need a CRA mandate; our MDR mandate is enough." | The MDR mandate scope is medical-specific and does not attach to CRA duties. Re-paper a CRA-scoped mandate that recites Article 18(3) and the Article 18(2) exclusions. |
| "The AR is liable for product defects." | The AR is responsible only for the duties listed in the mandate, bounded by Article 18(3). Product defect liability and the underlying cybersecurity obligations remain with the manufacturer. |
Frequently asked questions
Is appointing an authorised representative mandatory under the CRA?
No. Article 18(1) reads, verbatim: "A manufacturer may, by a written mandate, appoint an authorised representative." The wording is permissive. The CRA does not require AR appointment as a condition for placing products on the EU market, even for manufacturers established outside the Union. MDR and RED do require an AR for non-EU manufacturers, so a CRA product also covered by those instruments still needs one. (Article 18(1); MDR Article 11; RED Article 5.)
Why would a non-EU manufacturer still appoint an AR under the CRA?
Operational simplification, not legal compulsion. A single EU-established legal contact point reduces friction with market surveillance authorities, who prefer correspondence with an entity in their jurisdiction and language. The AR can hold the Declaration of Conformity and technical documentation locally for the 10-year retention period. Many non-EU manufacturers already use an MDR or RED AR and find it simpler to extend that arrangement to CRA scope. A named EU AR also shortens authority response cycles when a reasoned request arrives. (Article 18(3)(a) and (b).)
What can and cannot be delegated to a CRA authorised representative?
The substantive cybersecurity duties cannot be delegated; only documentation custody and authority cooperation can. Essential requirements, vulnerability handling, conformity assessment, and series-of-production controls stay with the manufacturer. The AR mandate at maximum covers three things: holding the DoC and technical documentation for 10 or more years, providing information and documentation to authorities on reasoned request, and cooperating on action taken to eliminate risks. (Article 18(2); Article 18(3); Article 13(1) to (11), 13(12) first subparagraph, and 13(14).)
What is the difference between a CRA authorised representative and an EU importer?
They are independent roles. An importer is an EU-established person who places a product bearing a non-EU manufacturer's name or trademark on the EU market, and carries Article 19 obligations regardless of whether an AR exists. An AR, when appointed, takes on the tasks listed in the mandate. They are not substitutes: the importer role is triggered by the commercial supply route, the AR role by a written mandate. One EU entity may hold both, with separate paperwork. (Article 3(16); Article 18(1) and 18(3); Article 19.)
Can my EU importer or distributor act as my authorised representative?
Yes. The CRA does not forbid one EU-established entity from holding both a commercial importer or distributor role and an AR mandate. The functions remain legally distinct: the importer carries its duties from the commercial supply relationship, the AR carries its duties from a written mandate. To combine them, paper a separate written AR mandate that recites the Article 18(3) duties, carry professional indemnity sufficient for both roles, and keep a clear contractual line between the two functions. (Article 18(1) and 18(3); Article 19; Article 20.)
Is the AR liable for product defects, or only for documentation duties?
No. The AR is liable only for documentation and cooperation duties under the mandate; product-defect and substantive cybersecurity liability stay with the manufacturer. Mandate scope is bounded at maximum by document custody, authority responsiveness, and cooperation on corrective action. The substantive Article 13 obligations cannot be folded into the mandate. National law in some Member States may extend AR exposure further, so the mandate should be drafted carefully. (Article 18(2); Article 18(3).)
Is a CRA authorised representative the same as an MDR or RED authorised representative?
No, the regimes overlap but are not interchangeable. MDR makes AR appointment mandatory for non-EU manufacturers and imposes broader medical-specific duties including vigilance reporting. RED also makes AR appointment mandatory for non-EU manufacturers. CRA makes it optional, with narrower duties centred on documentation, authority requests, and corrective-action cooperation. An incumbent MDR or RED AR can be a strong starting point, but the mandate must be re-papered for CRA scope and the non-delegation rules. (Article 18(1), 18(2), and 18(3); MDR Article 11; RED Article 5.)
Does the AR sign the EU Declaration of Conformity?
No. The EU Declaration of Conformity is drawn up and signed by the manufacturer. The AR, when appointed, holds the signed DoC and the technical documentation at the disposal of market surveillance authorities, but the act of declaring conformity is a manufacturer responsibility kept out of the AR mandate. (Article 28; Article 18(3)(a); Article 18(2).)
Can I change my AR after appointment?
Yes. The mandate is a contract between the manufacturer and the AR, and either party can terminate subject to its terms. On change, the new AR takes over custody of the technical documentation and Declaration of Conformity, and the manufacturer should update the contact information communicated to market surveillance authorities. Plan for an explicit handover step in the mandate template. (Article 18(1); Article 18(3)(a).)