From 11 December 2027, Article 20 of the EU Cyber Resilience Act (Regulation (EU) 2024/2847) makes the distributor responsible for a presence-based check on every product with digital elements before making it available on the Union market: CE mark, manufacturer identification and Annex II information, importer identification, support-period date and DoC. This page covers Article 20 in full, the role boundary against Article 3(16) importer and Article 3(13) manufacturer, and the second-tier penalty.
Summary
- You are a distributor only if you don't touch the product. Anyone who makes a CE-marked product available on the EU market after the importer counts, as long as the product reaches the next link untouched. Rebrand it, repackage it in a way that changes its purpose, pre-install your own software or change its security configuration, and you become the manufacturer instead (Article 3(17)).
- Run a presence check on every shipment. Before making a unit available, confirm the CE mark is on the product, the manufacturer's identification and Annex II instructions accompany it, the support-period end date shows month and year, the DoC is reachable, and the importer's contact details are visible (Article 20(2)).
- Stop the line if anything is missing. If the check fails, or if you have any reason to believe the product or the manufacturer's processes don't meet Annex I, do not make the product available. For significant cybersecurity risk, alert the manufacturer and market surveillance authorities without delay (Article 20(3)).
- Stay alert after the sale. Chase corrective measures or withdrawals when something is wrong, and forward any vulnerability you learn about to the manufacturer without delay. For significant risk, notify the surveillance authorities of every Member State you ship to (Article 20(4)).
- Be ready to produce paperwork. A market surveillance authority can ask, with reasons, for the documents needed to demonstrate conformity, in a language they read easily. Keep the DoC reference, Annex II in the supply language and supply-chain contacts retrievable (Article 20(5)).
- Cover the worst case. If the manufacturer ceases operations, tell the authorities and the users by whatever means you have (Article 20(6)).
- Penalty tier. Distributor breaches sit in the second fine band, up to EUR 10 000 000 or 2% of worldwide annual turnover, whichever is higher (Article 64(3)).
Article 20 in four numbers: six paragraphs of duties, seven items to check before market availability, the second-tier fine and the date everything starts.
Who Is a Distributor under the CRA?
Article 3(17) defines the distributor verbatim:
"Distributor" means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties.
You are a distributor for CRA purposes if all three apply:
| Element | Test |
|---|---|
| In the supply chain | You take possession or commercial control of the product as it moves from the importer or another distributor toward the end user |
| Other than the manufacturer or the importer | The product does not carry your name or trademark (otherwise Article 3(13) catches you as manufacturer) and you are not the first EU entity placing it on the Union market (otherwise Article 3(16) catches you as importer) |
| Without affecting its properties | You do not modify the product, its software, its packaging insofar as it changes intended purpose, or its security configuration |
If any of the three fails, you are not the distributor. If the product carries your own name or trademark you are the manufacturer under Article 3(13). If you are the first EU entity placing a non-EU-branded product on the Union market you are the importer under Article 3(16). If you substantially modify the product after market placement you are not covered by Article 22 (which excludes distributors), but the modification can pull you back into Article 3(13) when you market the modified version under your own name. For the full role-classification matrix, see who must comply with the CRA.
Article 20 at a Glance
| Para | Duty | Key point |
|---|---|---|
| 20(1) | Due care | The general standard. Applies to every act of making available, before and after market placement. |
| 20(2) | Pre-market verification | Confirm CE marking present, manufacturer compliance with Article 13(15), (16), (18), (19) and (20), importer compliance with Article 19(4), and that the necessary documents have been provided. |
| 20(3) | Refusal + inform | If non-conformity with Annex I is suspected, do not make available. If significant cybersecurity risk, inform manufacturer and market surveillance authorities without undue delay. |
| 20(4) | Corrective + vulnerability awareness | Ensure corrective measures, withdraw or recall as appropriate. Inform manufacturer of vulnerabilities without undue delay. If significant cybersecurity risk, immediately inform market surveillance authorities of every Member State of supply. |
| 20(5) | Cooperation with market surveillance | On reasoned request, provide all information and documentation needed to demonstrate conformity, in a language the authority can easily understand. |
| 20(6) | Manufacturer ceased operations | Inform market surveillance authorities without undue delay, and inform users by any means available. |
Distributor vs Importer
The legal trigger is which party first places the product on the Union market.
| Aspect | Distributor (Article 20) | Importer (Article 19) |
|---|---|---|
| Position | Anyone in the supply chain after the importer, other than the manufacturer | First EU entity placing a non-EU-branded product on the Union market |
| Verification | Presence-based: CE, manufacturer 13(15), (16), (18), (19), (20), importer 19(4), documents provided | Substantive: full Article 19(2) (a) to (d), including conformity assessment carried out and technical documentation drawn up |
| Refusal trigger | Article 20(3): non-conformity with Annex I | Article 19(3): same plus failure of any 19(2) check |
| Vulnerability awareness | Article 20(4): inform manufacturer; significant risk inform MSAs in every supply Member State | Article 19(5): same scope |
| Documentation | No specific multi-year retention; cooperate on reasoned request (20(5)) | DoC retention 10 years or support period, whichever is longer (Article 19(6)) |
| Penalty tier | EUR 10 000 000 or 2% (Article 64(3)) | EUR 10 000 000 or 2% (Article 64(3)) |
For the importer-side detail of the same boundary, see importer vs distributor on the importer page. The conformity assessment, EU DoC and Annex VII technical file are the manufacturer's responsibility; the distributor verifies their visible artefacts (CE mark, DoC reference, Annex II accompaniment) and cooperates on document production rather than holding the file.
Pre-Market Verification Checks (Article 20(2))
Article 20(2) asks the distributor to verify that the manufacturer's identification, instructions and DoC are present, not to re-run the conformity assessment. The lighter check set is matched by a sharper refusal trigger: under Article 20(3), any reason to believe the product or the manufacturer's processes do not conform with Annex I stops market availability until conformity is restored.
Article 20(2) sets a presence-based check list. Run it before any unit is made available.
CE Marking (Article 30, via Article 20(2))
The CE mark is the manufacturer's claim that the product conforms with Annex I. The distributor confirms it is affixed visibly, legibly and indelibly on the product or its data plate. Where size or nature does not permit, on the packaging and accompanying documents. Where a notified body intervened, its four-digit identification number must follow the CE mark. CE only on the outer carton when the product can carry it is non-conformant. See the conformity assessment cluster guide for what the CE mark stands for under each Article 32 module.
Manufacturer Identification and Information (Article 13(15), (16), (18), (19), (20))
Five discrete manufacturer duties cross-referenced from Article 20(2)(b):
| Cite | Duty | Distributor check |
|---|---|---|
| 13(15) | Type, batch or serial number for product identification | Confirm element on product, or on packaging or accompanying document if the product cannot bear it |
| 13(16) | Manufacturer name, trade name or trademark, postal address, digital contact, also reproduced in Annex II | Confirm on product, packaging or accompanying document |
| 13(18) | Annex II information and instructions accompany the product, in a language easily understood by users and market surveillance | Confirm an Annex II document set is present, in the language(s) of the Member State of supply |
| 13(19) | Support-period end date specified at time of purchase, including at least month and year | Confirm month + year visible at point of sale |
| 13(20) | Full DoC accompanies the product, or simplified DoC contains the exact internet address of the full DoC | Confirm DoC reference present and resolvable |
A product without an Annex II document set in the Member State language, or without a month-and-year support-period end date, fails Article 20(2) and triggers Article 20(3).
Importer Identification (Article 19(4), via Article 20(2))
Article 19(4) requires the importer to indicate its name, registered trade name or registered trademark, postal address, email and any other digital contact, on the product, on its packaging or in a document accompanying the product. The distributor confirms the importer identification is present. Absent or stripped importer identification fails Article 20(2) on Article 19(4) grounds.
Necessary Documents Provided (Article 20(2))
Article 20(2)(b) closes with a general requirement: the manufacturer and importer have provided "all necessary documents to the distributor". In practice, this is the document set the distributor needs to satisfy its own Article 20(5) cooperation duty: a copy or reference of the EU DoC, the Annex II information and instructions in the supply Member State language, and the supply-chain contact points (manufacturer single point of contact under Article 13(17), importer postal and digital contact under Article 19(4)). A distributor that cannot produce these on a reasoned market-surveillance request is in breach of Article 20(5), even if the underlying product is conformant.
When Verification Fails
Article 20(3) creates a stop-and-inform duty.
- Stop. Do not make the product available on the Union market until conformity is restored. Storage and return-to-supplier remain possible; sale to end users does not.
- Document. Record which Article 20(2) item failed, whether it concerns the product or the manufacturer's processes, the date and signatory.
- Notify upstream in writing. Inform the manufacturer (and the importer where relevant) of the gap and the documentation required.
- Assess cybersecurity risk. Significant cybersecurity risk: inform the market surveillance authorities under Article 20(3), without undue delay. Non-significant: continue resolution upstream.
- Resolve or reject. Make the product available only when all Article 20(2) items pass. Otherwise return to the supplier.
Post-Market Duties (Article 20(4))
Article 20(4) covers two duties that run for the whole period the product is being made available.
The corrective-measures duty: where the distributor knows or has reason to believe, on the basis of information in its possession, that the product or the manufacturer's processes are not in conformity, the distributor makes sure that the necessary corrective measures are taken to bring them into conformity, or to withdraw or recall the product if appropriate. "Make sure" does not push the technical fix onto the distributor; it requires the distributor to escalate, follow up and stop further availability until the manufacturer has acted.
The vulnerability-awareness duty: upon becoming aware of a vulnerability in the product, the distributor informs the manufacturer without undue delay. Where the product presents significant cybersecurity risk, the distributor immediately informs the market surveillance authorities of every Member State of supply, with details of the non-compliance and any corrective measures taken. The trigger is awareness of the vulnerability, not awareness of an Article 14 reportable incident; the manufacturer separately runs Article 14 reporting through the vulnerability reporting flow.
Cooperation, Documents and Manufacturer Cessation
Article 20(5) requires the distributor, on reasoned request from a market surveillance authority, to provide all the information and documentation, in paper or electronic form, needed to demonstrate the conformity of the product and the manufacturer's processes, in a language easily understood by the authority. The distributor cooperates with the authority on any measures taken to eliminate cybersecurity risks posed by the product.
There is no Article 20-specific multi-year document retention rule analogous to the Article 19(6) ten-year-or-support-period rule for importers. The practical floor is the document set listed under "Necessary documents provided" above: kept while the distributor is making the product available, retrievable for any reasoned request during that period, plus a reasonable tail to cover post-market authority queries.
Article 20(6) addresses one specific failure: the manufacturer ceases operations. On becoming aware of cessation, the distributor informs the relevant market surveillance authorities without undue delay, and informs the users of the products it has placed on the market by any means available and to the extent possible. Article 19(8) places the same duty on the importer; in practice, distributor and importer notifications run in parallel.
Common Pitfalls
| Claim | Why it fails |
|---|---|
| "Our supplier is in the EU, so we are not the importer; that makes us a distributor by default." | Distributor status under Article 3(17) requires also that you do not affect the product's properties. Repackaging, rebranding, software pre-installation or configuration changes can pull you back into Article 3(13) or out of the distributor category entirely. |
| "We don't need to check anything; the importer already did that under Article 19." | Article 20(2) is a separate, presence-based check at the distributor level. CE present, Article 13(15), (16), (18), (19), (20) and Article 19(4) compliance, and necessary documents provided. The importer's Article 19 work does not exempt the distributor's Article 20 work. |
| "Annex II in English is enough for the whole EU." | Article 13(18) requires Annex II in a language easily understood by users and market surveillance of the Member State concerned. The distributor making the product available in a Member State whose authorities and users do not work in English fails Article 20(2). |
| "We only forward vulnerability notices monthly with our other commercial updates." | Article 20(4) second subparagraph: inform the manufacturer "without undue delay" on becoming aware of a vulnerability, and "immediately" inform market surveillance for significant cybersecurity risks. Monthly batching breaches both standards. |
| "Article 14 reporting is the manufacturer's job, so we ignore vulnerabilities." | The Article 14 ENISA stream is the manufacturer's, but the Article 20(4) inform-the-manufacturer duty and the significant-risk inform-MSAs duty are the distributor's. Silence breaches Article 20(4). |
| "We can keep selling units already in our warehouse after spotting an Annex II language gap; only new shipments stop." | Article 20(3) stops further availability of the non-conformant product, regardless of where the units physically sit. Existing stock is held, not cleared. |
| "Stripping the importer's contact label keeps our channel partners private." | Article 19(4) requires importer identification on the product, packaging or accompanying document. Removing it makes the product non-conformant under Article 20(2). |
| "We don't need to keep documents; we are just a reseller." | Article 20(5) requires the distributor to provide the documentation set on reasoned request, in the authority's language. A distributor that cannot produce DoC reference, Annex II or supply-chain contact points is in breach even when the product is conformant. |
Frequently Asked Questions
What is a distributor under the CRA?
An EU supply-chain link that ships the product unchanged. The role is defined by position (after the importer, before the end user) and by neutrality toward the product (no rebranding, no software changes, no configuration that changes intended purpose). Resellers, value-added distributors that only bundle and channel partners that only ship and invoice all fit, provided they leave the product as the manufacturer placed it on the market (Article 3(17); the manufacturer-flip rule at Article 3(13) catches anyone who rebrands or otherwise affects the product).
Am I a distributor or an importer?
The line is the first placing on the market. You are the importer if you are the first EU entity placing a non-EU-branded product on the Union market. You are the distributor if you make the product available after the importer, without affecting its properties. If you buy a non-EU product from another EU company that already imported it, that other company is the importer and you are the distributor. If you buy directly from the non-EU manufacturer and place the product on the EU market yourself, you are the importer, with the heavier verification set and the 10-year retention duty (Articles 3(16) and 3(17); importer obligations at Article 19; distributor obligations at Article 20).
Am I a distributor or a manufacturer?
Touch the product, become the manufacturer. White-label rebranding makes you the manufacturer regardless of where the product was built. Pre-installing your own software, changing the security configuration before resale, repackaging in a way that changes the intended purpose, or modifying firmware all break the "without affecting its properties" condition. Once that condition fails, the analysis is no longer about distribution; it is about manufacturer classification, or for third-party modifiers outside the manufacturer/importer/distributor chain, the substantial-modifier route (Article 3(17) requires "without affecting its properties"; Article 3(13) catches anyone who rebrands or modifies; Article 22 excludes distributors).
What exactly does the distributor have to verify before making a product available?
Two checks: CE present, and the upstream paperwork present. The manufacturer must have met product identification, manufacturer identification, Annex II accompaniment in a Member State language, support-period end date with month and year, and DoC delivery. The importer must have met its identification duty. Necessary documents must have been provided. The check is presence-based, not a re-run of the conformity assessment (Article 20(2)(a) for CE; Article 20(2)(b) for manufacturer compliance with 13(15), (16), (18), (19), (20), and importer compliance with 19(4); failure of any item triggers Article 20(3)).
Does the distributor have to keep the EU Declaration of Conformity for 10 years?
No. The 10-year-or-support-period DoC retention duty is on the importer, not the distributor. The distributor's documentation duty is to provide, on reasoned request from a market surveillance authority, the information and documentation needed to demonstrate conformity, in a language the authority can easily understand. The practical floor is the document set the distributor uses for its own intake check (DoC reference, Annex II in the supply Member State language, manufacturer and importer contact points), kept while the product is being made available and for a reasonable tail thereafter to cover authority queries (retention is on the importer at Article 19(6); the distributor's documentation duty is at Article 20(5)).
What does the distributor do when it learns of a vulnerability in a product it has shipped?
Tell the manufacturer immediately, and tell market surveillance if the risk is significant. The first duty is upstream notification without undue delay. The second is parallel notification to the market surveillance authorities of every Member State of supply, with details of the non-compliance and any corrective measures taken. The ENISA reporting stream remains the manufacturer's, not the distributor's (Article 20(4); Article 14 ENISA reporting remains the manufacturer's duty).
Are there SME exemptions for distributors?
The substantive obligations under Article 20 apply regardless of size. The CRA's only SME-specific concession on administrative fines is for manufacturers and open-source software stewards. Distributors are not in scope of that carve-out. Authorities must also give due regard to the size of the offender (including SMEs and start-ups) when setting fine amounts in individual cases; that is a sentencing factor across the regime, not an obligation exemption (Article 20 applies to all sizes; Article 64(10) carve-out is for manufacturers and OSS stewards, not distributors; sentencing factor at Article 64(5)(c)).
When do CRA distributor obligations apply?
Article 20 applies in full from 11 December 2027. Unlike manufacturers, distributors do not have a separate earlier deadline; Article 14 reporting is the manufacturer's duty, not the distributor's. The distributor's vulnerability-awareness and significant-risk inform-MSAs duties start with the rest of Article 20. By that date, distributors making products available on the Union market need an intake check, a refusal flow, a vulnerability-awareness flow and a document-production capability in place (Article 71 applicability; Article 14 reporting is the manufacturer's stream, not the distributor's; the Article 20(2)/(3)/(4)/(5) obligations all start on 11 December 2027).