CRA Distributor Obligations: Checks Before EU Sale

If your business resells or supplies a product with digital elements on the EU market after the manufacturer or importer, and you do not change the product, the Cyber Resilience Act usually treats you as a distributor. Distributors do not re-run the conformity assessment, but they must check that the visible compliance artefacts are present before making the product available, stop sales when something is missing or non-conformant, pass vulnerability information upstream, cooperate with market surveillance, and notify authorities and users if the manufacturer stops operating.

Summary

  • Are you the distributor? You are usually the distributor if you make the product available after the importer or another distributor and do not affect its properties.
  • What must be checked before sale or supply? CE marking, product ID, manufacturer details, user information, support-period end date, EU DoC access, importer identification, and necessary documents.
  • When must you stop? Do not make the product available if the product or manufacturer's processes appear non-conformant. Inform manufacturer and market surveillance where significant cybersecurity risk exists.
  • What continues after sale? Corrective action follow-up, withdrawal or recall where appropriate, vulnerability information to the manufacturer, and market-surveillance notification for significant risk.
  • What documents must be ready? The distributor must be able to provide conformity information and documentation on reasoned authority request; there is no distributor-specific 10-year DoC retention rule.
  • When do obligations apply? Main distributor obligations apply from 11 December 2027.
  • 6 distributor duty blocks: from due care to manufacturer cessation
  • 7 pre-market check items: CE, manufacturer ID, importer ID
  • €10M / 2% distributor-tier fine: same as importer tier
  • 11 Dec 2027: distributor duties apply, same date as importer obligations

Distributor compliance in four numbers: six duty blocks, seven items to check before supply, the second-tier fine and the date everything starts.

Who Is a Distributor under the CRA?

In practical terms, the CRA distributor is the supply-chain actor that makes a product with digital elements available on the Union market after the manufacturer, importer, or another distributor, without changing the product's properties. The three-part test: you are in the supply chain, you are not the manufacturer or importer, and you make the product available unchanged.

If you are the first EU entity placing a non-EU-branded product on the Union market, you are the importer. If you place the product on the market under your own name or trademark, or substantially modify a product already placed on the market, manufacturer obligations apply to you via the rebrand bridge. For the full manufacturer obligation set that then applies, see the manufacturer cluster guide. A separate catch-all covers other third parties that are not the manufacturer, importer, or distributor. For the full role-classification matrix, see who must comply with the CRA.

Core Distributor Duties

| Duty | Key point | Source |
|---|---|---|
| Due care | The general standard. Applies to every act of making available, before and after market placement. | Article 20(1) |
| Pre-market verification | Confirm CE marking present, manufacturer compliance with the product-information duties, importer identification present, and necessary documents provided. | Article 20(2) |
| Refusal and inform | If non-conformity with the essential cybersecurity requirements is suspected, do not make available. If significant cybersecurity risk, inform manufacturer and market surveillance authorities without undue delay. | Article 20(3) |
| Corrective and vulnerability awareness | Take corrective measures, withdraw or recall as appropriate. Inform manufacturer of vulnerabilities without undue delay. If significant cybersecurity risk, immediately inform market surveillance authorities of every Member State of supply. | Article 20(4) |
| Cooperation with market surveillance | On reasoned request, provide all information and documentation needed to demonstrate conformity, in a language the authority can easily understand. | Article 20(5) |
| Manufacturer ceased operations | Inform market surveillance authorities without undue delay, and inform users by any means available. | Article 20(6) |

Distributor vs Importer

The legal trigger is which party first places the product on the Union market.

| Aspect | Distributor | Importer |
|---|---|---|
| Position | Anyone in the supply chain after the importer, other than the manufacturer | First EU entity placing a non-EU-branded product on the Union market |
| Verification | Presence-based: CE, manufacturer product-information duties, importer identification, and necessary documents | Substantive: full importer pre-market check, including conformity assessment carried out and technical documentation drawn up |
| Refusal trigger | Non-conformity with the essential cybersecurity requirements | Same plus failure of any pre-market check |
| Vulnerability awareness | Inform manufacturer; significant risk inform MSAs in every supply Member State | Same scope |
| Documentation | No specific multi-year retention; cooperate on reasoned request | DoC retention 10 years or support period, whichever is longer |
| Penalty tier | EUR 10 000 000 or 2% | EUR 10 000 000 or 2% (same tier) |

For the importer-side detail of the same boundary, see importer vs distributor on the importer page. The conformity assessment, EU DoC and technical file are the manufacturer's responsibility; the distributor verifies their visible artefacts: CE mark, DoC reference, user-information accompaniment, and document-production readiness.

What Distributors Must Check Before Supply

Check presence, then stop if confidence breaks

Your job is not to re-run the conformity assessment. Your job is to confirm the visible compliance artefacts are present and to stop supply if anything is missing, stripped, stale, or gives you reason to doubt conformity.

Run this checklist before any unit is made available on the EU market.

CE marking
  • CE is visible, legible and indelible on the product or data plate.
  • Packaging-only CE is used only where product marking is not possible.
  • Notified body number follows the CE mark where one was involved.

CE is the manufacturer's conformity claim. See the conformity assessment guide.

Product identity
  • Type, batch, serial number or other product identifier is present.
  • Identifier is on the product, packaging or accompanying document where appropriate.
  • Identifier matches the shipment, SKU or batch being supplied.

Without a traceable identifier, recall and corrective action become impossible.

Manufacturer details
  • Manufacturer name, trade name or trademark is present.
  • Postal address and digital contact are present.
  • Details also appear in the user information where required.

Use this to route questions, defects and vulnerability information upstream.

User information
  • User information and instructions accompany the product.
  • Language is suitable for users and market surveillance in the Member State of supply.
  • Safe configuration, support and vulnerability-reporting details are included.

English-only instructions are not enough for every EU market.

Support end date and DoC
  • Support-period end date is shown before purchase.
  • End date includes at least month and year.
  • Full EU DoC is included or the simplified DoC gives the exact URL of the full version.

Missing month/year or an unreachable DoC blocks supply.

Importer and document set
  • EU importer name, postal address and digital contact are present where there is an importer.
  • Importer identification has not been removed or hidden.
  • DoC reference, user information and supply-chain contacts can be produced for authorities.

Authorities expect this set on first request; missing items trigger a refusal flow.

Supply stops until the gap is closed. A product without local-language user information, importer identification where required, a reachable DoC, or a month-and-year support end date should not be made available.

When Verification Fails

A failed distributor check means the product stays off the market until conformity is restored. If the issue creates significant cybersecurity risk, the distributor must inform the manufacturer and market surveillance without undue delay.

  1. Stop. Do not make the product available on the Union market until conformity is restored. Storage and return-to-supplier remain possible; sale to end users does not.
  2. Document. Record which checklist item failed, whether it concerns the product or the manufacturer's processes, the date and signatory.
  3. Notify upstream in writing. Inform the manufacturer (and the importer where relevant) of the gap and the documentation required.
  4. Assess cybersecurity risk. Significant risk goes to market surveillance without undue delay. Non-significant gaps continue through the upstream resolution flow.
  5. Resolve or reject. Make the product available only when all checklist items pass. Otherwise return to the supplier.

After Supply: Corrective Action and Vulnerability Awareness

Two duties continue for the whole period the product is being made available:

Corrective action follow-up

If you know or have reason to believe the product or manufacturer's processes are not conformant, escalate upstream and make sure corrective measures, withdrawal or recall happen where appropriate. The technical fix stays with the manufacturer, but further supply stops until the issue is handled.

Vulnerability awareness

When you learn of a vulnerability, inform the manufacturer without undue delay. If the product presents significant cybersecurity risk, notify market surveillance in every Member State where you supplied it. The manufacturer separately runs the ENISA reporting stream through the vulnerability reporting flow.

Authority Requests and Manufacturer Shutdown

Provide what is asked, in the local language. When a market surveillance authority makes a reasoned request, provide the information and documentation needed to demonstrate conformity of the product and the manufacturer's processes, in paper or electronic form and in a language the authority can easily understand. Also cooperate on measures taken to eliminate cybersecurity risks posed by products you supplied.

No 10-year retention duty applies to distributors. There is no distributor-specific multi-year document retention rule analogous to the importer rule for keeping the DoC for 10 years or the support period. The practical floor is the document set listed under "Importer and document set" above: kept while the distributor is making the product available, retrievable for any reasoned request during that period, plus a reasonable tail to cover post-market authority queries.

If the manufacturer shuts down, notify authorities and users. If the manufacturer ceases operations and can no longer comply, inform the relevant market surveillance authorities without undue delay and inform users by any means available and to the extent possible. Importers have the same shutdown-notification duty, so distributor and importer notifications usually run in parallel.

Common Pitfalls

| Claim | Why it fails |
|---|---|
| "Our supplier is in the EU, so we are not the importer; that makes us a distributor by default." | Distributor status also requires that you do not affect the product's properties. Repackaging, rebranding, software pre-installation or configuration changes can trigger manufacturer obligations. |
| "We don't need to check anything; the importer already did that." | The distributor check is separate and presence-based: CE present, manufacturer product information present, importer identification present, and necessary documents provided. The importer's verification does not exempt the distributor's own check. |
| "English user instructions are enough for the whole EU." | User information must be in a language easily understood by users and market surveillance of the Member State concerned. Supplying only English into a Member State whose authorities and users do not work in English fails the distributor check. |
| "We only forward vulnerability notices monthly with our other commercial updates." | Vulnerability information must go to the manufacturer without undue delay, and significant cybersecurity risks must go to market surveillance immediately. Monthly batching breaches both standards. |
| "ENISA reporting is the manufacturer's job, so we ignore vulnerabilities." | The ENISA reporting stream is the manufacturer's, but the inform-the-manufacturer duty and the significant-risk inform-MSAs duty are the distributor's. Silence breaches the post-market obligation. |
| "We can keep selling units already in our warehouse after spotting a user-information language gap; only new shipments stop." | Further availability of the non-conformant product stops regardless of where the units physically sit. Existing stock is held, not cleared. |
| "Stripping the importer's contact label keeps our channel partners private." | Importer identification must remain on the product, packaging or accompanying document. Removing it makes the product non-conformant for distributor supply. |
| "We don't need to keep documents; we are just a reseller." | The distributor must provide the documentation set on reasoned request, in the authority's language. A distributor that cannot produce DoC reference, user information or supply-chain contact points is in breach even when the product is conformant. |

Frequently Asked Questions

What is a distributor under the CRA?

An EU supply-chain link that ships the product unchanged. The role is defined by position (after the importer, before the end user) and by neutrality toward the product (no rebranding, no software changes, no configuration that changes intended purpose). Resellers, value-added distributors that only bundle and channel partners that only ship and invoice all fit, provided they leave the product as the manufacturer placed it on the market. If an importer or distributor sells under its own name or substantially modifies the product, the manufacturer obligation switch applies.

Am I a distributor or an importer?

The line is the first placing on the market. You are the importer if you are the first EU entity placing a non-EU-branded product on the Union market. You are the distributor if you make the product available after the importer, without affecting its properties. If you buy a non-EU product from another EU company that already imported it, that other company is the importer and you are the distributor. If you buy directly from the non-EU manufacturer and place the product on the EU market yourself, you are the importer, with the heavier verification set and the 10-year retention duty.

Am I a distributor or a manufacturer?

Article 21 is the statutory bridge between distributor (or importer) and manufacturer. It has two triggers, and both apply to importers and distributors:

"An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market."

So the two triggers are: (a) placing the product on the market under your own name or trademark, or (b) carrying out a substantial modification of a product already placed on the market. White-label rebranding, pre-installing your own software, changing the security configuration before resale, repackaging in a way that changes the intended purpose, or modifying firmware all break the distributor role. For importers and distributors, the switch is direct: you become the manufacturer and the full manufacturer regime applies. For the full obligation set that then applies, see the manufacturer cluster guide.

A separate, narrower rule covers a person who is not the manufacturer, importer, or distributor: a third-party reconfigurer, integrator, or modifier that takes a placed product, substantially modifies it, and then makes it available. That person is considered the manufacturer. Under Article 22(2), the manufacturer obligations apply "for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product." This catch-all does not apply to you if you are already an importer or distributor. The importer-distributor rebrand bridge covers your case.

What exactly does the distributor have to verify before making a product available?

Two checks: CE present, and the upstream paperwork present. The manufacturer must have met product identification, manufacturer identification, user-information accompaniment in a Member State language, support-period end date with month and year, and DoC delivery. The importer must have met its identification duty. Necessary documents must have been provided. The check is presence-based, not a re-run of the conformity assessment.

Does the distributor have to keep the EU Declaration of Conformity for 10 years?

No. The 10-year-or-support-period DoC retention duty is on the importer, not the distributor. The distributor's documentation duty is to provide, on reasoned request from a market surveillance authority, the information and documentation needed to demonstrate conformity, in a language the authority can easily understand. The practical floor is the document set the distributor uses for its own intake check (DoC reference, user information in the supply Member State language, manufacturer and importer contact points), kept while the product is being made available and for a reasonable tail thereafter to cover authority queries.

What does the distributor do when it learns of a vulnerability in a product it has shipped?

Tell the manufacturer immediately, and tell market surveillance if the risk is significant. The first duty is upstream notification without undue delay. The second is parallel notification to the market surveillance authorities of every Member State of supply, with details of the non-compliance and any corrective measures taken. The ENISA reporting stream remains the manufacturer's, not the distributor's.

Are there SME exemptions for distributors?

No. Distributor obligations apply regardless of size. The CRA's only SME-specific concession on administrative fines is for manufacturers and open-source software stewards. Distributors are not in scope of that carve-out. Authorities must also give due regard to the size of the offender when setting fine amounts in individual cases; that is a sentencing factor across the regime, not an obligation exemption.

When do CRA distributor obligations apply?

Distributor obligations apply in full from 11 December 2027. Unlike manufacturers, distributors do not have a separate earlier deadline; the ENISA reporting stream is the manufacturer's duty, not the distributor's. By that date, distributors making products available on the Union market need an intake check, a refusal flow, a vulnerability-awareness flow and a document-production capability in place.

What to do before the deadline

  1. Classify each product line: distributor, importer, or manufacturer. First EU placement, branding, and product changes decide.
  2. Add a pre-supply distributor checklist: CE mark, support-period end date, manufacturer details, user instructions in the local language, EU importer contact. Reject anything missing.
  3. Set a refusal playbook: stop selling, write to your upstream supplier, and notify market surveillance for significant cybersecurity risk.
  4. When a vulnerability is reported on a product you stock, tell the manufacturer immediately. Notify market surveillance too if the risk is significant.
  5. Be ready to produce on request the Declaration of Conformity, user instructions in the buyer's Member State language, and the manufacturer and importer contacts.
  6. If you sell under your own name or trademark, or substantially modify the product, treat the line as manufacturer-level work.