CRA Importer Obligations: What EU Importers Must Check

If your EU entity is the first to place a non-EU-branded product with digital elements on the EU market, the Cyber Resilience Act usually treats you as the importer. Importers do not run the manufacturer's full conformity programme, but they must verify it before market placement, refuse non-conforming products, identify themselves on the product or accompanying material, cooperate with market surveillance, and retain the EU Declaration of Conformity.

Summary

  • Are you the importer? You are usually the importer when your EU entity first places a non-EU-branded digital product on the Union market.
  • What must be checked before market placement? Conformity assessment, technical documentation, CE marking, EU Declaration of Conformity, user instructions, product ID, manufacturer contact details, and support-period end date.
  • When must you refuse? Do not place the product on the market if the product or the manufacturer's vulnerability-handling processes are non-conformant. Notify the manufacturer and market surveillance where significant cybersecurity risk exists.
  • What continues after placement? Corrective measures, withdrawal or recall, vulnerability-awareness reporting to the manufacturer, market-surveillance cooperation, and notification if the manufacturer ceases operations.
  • What must be retained? Keep the EU Declaration of Conformity for 10 years or the support period, whichever is longer, and ensure technical documentation can be produced on request.
  • When does it apply? Main importer obligations apply from 11 December 2027.
  • 4 pre-market checks: conformity, tech doc, CE/DoC, ID.
  • 10y+ DoC retention, or the support period if longer.
  • €10M / 2% importer-tier ceiling: importer and distributor fines.
  • €15M / 2.5% manufacturer-tier ceiling: own brand or substantial modification.

Four checks, retention of at least ten years, and two penalty tiers depending on whether you are actually the importer: importer-tier exposure when you stay in the importer role, manufacturer-tier exposure when role escalation makes manufacturer obligations apply.

Who Is an Importer under the CRA?

In practical terms, the CRA importer is the EU-established entity that first places a non-EU-branded product with digital elements on the Union market. The three-part test is: your entity is established in the Union, your entity is first to make the product available on the Union market, and the product bears the name or trademark of a person established outside the Union.

If the product carries your own name or trademark, you are not acting as importer for that product; you are in manufacturer territory. If another EU entity already placed the product on the market, you are usually the distributor. If the non-EU manufacturer has only appointed you by written mandate and you do not place the product on the market, you are the authorised representative. For the full role decision tree, see who must comply with the CRA.

Core Importer Duties

Importer duties group into four clusters: what must be checked before market placement, when the importer must stop, what importer identity information must appear, and what must be retained or provided after placement. The table below maps each duty to the practical check or follow-up it creates.

| Duty | Key point |
|---|---|
| General compliance | Place only products whose cybersecurity requirements and manufacturer processes are CRA-ready. |
| Pre-market verification | Conformity assessment + technical documentation + CE/DoC/user instructions + product ID, manufacturer details, and support-period end date. Importer must be able to provide documents proving fulfilment. |
| Refusal duty | Do not place on market if product or processes are non-conformant. Inform the manufacturer and market surveillance where significant cybersecurity risk is present. |
| Importer identification | Own name, trade name or trademark, postal address, digital contact on product, packaging or accompanying document. |
| Post-market corrective measures | Withdrawal or recall as appropriate. Vulnerability awareness: inform manufacturer without undue delay; inform market surveillance authorities of every Member State of supply where significant cybersecurity risk. |
| Retention | Keep DoC at disposal of authorities for 10 years or support period, whichever is longer. Ensure technical documentation can be made available on request. |
| Cooperation with market surveillance | On reasoned request, provide all information and documentation in a language the authority understands. |
| Manufacturer cessation | Inform market surveillance authorities and, by any means available, the users. |

None of these obligations carry an SME threshold. The small-business relief in the CRA is narrow: it does not remove importer verification, refusal, identification, retention, or cooperation duties.

Importer vs Distributor

The legal trigger is which party first places the product on the Union market.

| Aspect | Importer | Distributor |
|---|---|---|
| Position | Established in the Union; places a product bearing a non-EU person's name on the market | Anyone making the product available after the importer, without affecting its properties |
| Verification | Full pre-market verification including type/batch ID, manufacturer contact and support-period end date | Confirms CE marking and the manufacturer-identification, support-period and DoC artefacts are present |
| Documentation | Must be able to provide documents proving compliance; ensures the technical file can be made available on request | Cooperates with authorities on reasoned request; presence-based verification |
| Refusal duty | Stop and inform when product or processes are non-conformant | Stop and inform when CE, DoC or required artefacts are missing |
| Vulnerability awareness | Notify manufacturer without undue delay; notify market surveillance where significant cybersecurity risk in every Member State of supply | Same duty in scope; route is via the manufacturer |
| Retention | DoC for 10 years after market placement, or for the support period, whichever is longer | None specific; cooperate on reasoned request |
| Penalty ceiling | EUR 10 000 000 or 2% of worldwide annual turnover | EUR 10 000 000 or 2% of worldwide annual turnover |

Calling the role "distribution" in a private agreement does not move the public-law obligation. If your entity first places a non-EU product on the Union market, you are the importer. For the distributor-side detail of the same boundary, see the distributor cluster guide.

The Four Pre-Market Checks

Before the product is placed on the EU market, the importer must complete four checks: that the conformity assessment was carried out, that the technical documentation has been drawn up, that the CE marking, EU Declaration of Conformity and user instructions are in place, and that product identification and manufacturer-contact information meet the disclosure rules.

1. Conformity Assessment Carried Out

The manufacturer must have run the assessment route appropriate to the product class. Request the EU Declaration of Conformity that names the assessment module used and, where a notified body was involved, the certificate number; for products assessed under full quality assurance (Module H), the body's four-digit identification number also follows the CE mark.

| Module | When |
|---|---|
| A: internal production control | Default products; Important Class I only when the relevant standards, specifications, or scheme fully apply |
| B + C: EU-type examination + production control | Important Class I when the relevant standards, specifications, or scheme do not fully apply; Important Class II; Critical fallback routes |
| H: full quality assurance | Alternative to B+C for Important Class I fallback, Important Class II, and Critical fallback routes |
| European cybersecurity certification scheme | Critical products where the certification route has been triggered and an applicable scheme is available; also available where the CRA permits it |

See the conformity assessment cluster guide.

2. Technical Documentation Drawn Up

The importer is not required to hold the full technical file. The importer does need evidence that the file exists and can be produced for authorities on request. In practice, ask the manufacturer for a table of contents covering the technical documentation sections, plus a written commitment to produce the underlying file in a defined window and language. See the technical documentation cluster guide.

3. CE Marking, EU DoC and User Instructions

Three artefacts must travel with the product.

| Artefact | Constraint |
|---|---|
| CE marking | Visible, legible, indelible, on the product or data plate; the CE height may be lower than 5 mm provided it stays visible and legible. The notified-body identification number follows the mark only under full quality assurance (Module H). The CE marking may sit on the packaging only where marking the product itself is not feasible, and then it must also appear on the EU Declaration of Conformity. |
| EU DoC | Either full DoC with the product or simplified DoC containing the exact internet address of the full DoC. Generic "cybersecurity requirements" with no specific essential-requirements reference is a defect. |
| User information and instructions | In a language easily understood by users and market surveillance of the Member State concerned. Manufacturer identity, intended purpose, support-period end date, secure configuration, secure decommissioning, vulnerability-reporting address. |

4. Product ID, Manufacturer Details, and Support End Date

The final importer check is not another certificate. It is a presence check: the product must be identifiable, the manufacturer must be identifiable and contactable, and the support-period end date must be available at the point of purchase.

| Duty | Importer check |
|---|---|
| Type, batch or serial number for product identification (or on packaging if the product cannot bear it) | Confirm element on product or packaging. |
| Manufacturer name, trade name or trademark, postal address, digital contact, also reproduced in the user information | Confirm on product, packaging or accompanying document. |
| Support-period end date specified at time of purchase, including at least month and year | Confirm month + year visible at point of sale. |

A product without a stated month-and-year end date is non-conformant, regardless of every other check passing.

An adjacent duty is worth treating as a refusal trigger: the single point of contact must let users choose their preferred means of communication and must not be limited to automated tools. A chatbot-only contact is non-conformant. Without a working single point of contact upstream, the vulnerability reporting flow is broken from day one.

The 9-Item Product Information Checklist (Annex II)

Every product with digital elements must reach the importer with nine specific pieces of information. Annex II of the CRA fixes the list, and the importer check is presence-based: if any item is missing, the product cannot be placed on the market.

1. Manufacturer identity

Name, registered trade name or trademark, postal address, email or other digital contact, plus website where available.

Check at receipt: Present on product, packaging or accompanying document.

2. Vulnerability contact and CVD policy

Single point of contact for vulnerability reports, plus a reachable Coordinated Vulnerability Disclosure policy.

Check at receipt: Non-automated channel, with the CVD policy reachable.

3. Product identification

Product name, type, and any extra information (batch, serial, model) that enables unique identification.

Check at receipt: Type, batch or serial number visible.

4. Intended use and security properties

Intended purpose, security environment, essential functionalities, and security properties.

Check at receipt: Stated in the user information.

5. Foreseeable cybersecurity risks

Known or foreseeable circumstances that may lead to significant cybersecurity risks.

Check at receipt: Documented in the user information.

6. EU DoC location

Where applicable, the internet address where the full EU Declaration of Conformity can be accessed.

Check at receipt: URL resolves to a complete DoC.

7. Security support and end date

Type of technical security support, plus the end date of the support period.

Check at receipt: End date includes at least month and year.

8. Secure-use instructions

Detailed instructions or a URL covering secure use, change impact, update installation, secure decommissioning, and the auto-update opt-out.

Check at receipt: All sub-items present or addressable through the linked URL.

9. SBOM location (optional)

Where the manufacturer makes the SBOM available to users, the location where it can be accessed.

Check at receipt: Check whether an SBOM is offered, and at what URL.

For how the manufacturer produces each item upstream, see the matching section in the manufacturer cluster guide.

Verifying Non-EU Manufacturer Compliance

Verbal assurances are not importer-check evidence. Send the documentation request before signing any import contract.

SUBJECT: CRA Compliance Documentation Request

We are evaluating [product / model] for import into the European Union under
Regulation (EU) 2024/2847 (Cyber Resilience Act). Please provide the following
before we proceed:

1. EU Declaration of Conformity (full or simplified),
   citing the essential cybersecurity requirements and the conformity-assessment module used, with notified
   body certificate number where applicable.
2. Technical documentation table of contents, plus a written
   commitment to produce the underlying file in [language] within [X] days.
3. Confirmation of the support period (at least 5 years or
   the expected in-use period if shorter, with rationale).
4. Support-period end date (month and year) as it will appear at point of
   purchase.
5. Single point of contact, with confirmation it is
   not limited to automated tools.
6. Coordinated vulnerability disclosure policy.
7. CE marking placement evidence on product or data plate.
8. User instructions in [target Member State language(s)].

Requested response window: [X] business days.

What to Refuse and Why

| Signal | Action |
|---|---|
| Complete documentation | Proceed to importer verification review |
| Partial, balance "in progress" | Hold; document the gap |
| "CE under EMC, RED or LVD" | Insufficient. Request CRA-specific DoC and technical documentation. |
| "Out of CRA scope" verbal claim | Request written scope analysis with the product class and exclusion basis |
| "Notified body certificate pending" | The conformity assessment must be complete before market placement |
| Single point of contact is chatbot only | Non-automated contact-channel failure; refuse |
| DoC date pre-11 December 2027, no CRA-specific update | Refuse |
| Missing notified-body number on Class II / Critical | Refuse |
| Support period under 5 years with no in-use justification | Refuse |
| Missing month + year support-period end date | Refuse |
| Instructions only in manufacturer's domestic language | Refuse for the affected Member State |
| Refusal or non-response | Do not import |

If the Non-EU Manufacturer Has No EU Establishment

A non-EU manufacturer that has no main establishment in the Union routes its vulnerability and incident notifications through a fallback cascade. Article 14(7) fixes the order and the importer's location matters in that order. The cascade is:

"(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located."

Two practical consequences for the importer. First, if you are the largest non-AR EU presence for this manufacturer, point (b) likely makes your Member State the coordinator CSIRT for vulnerability and severe-incident reports. Confirm with the manufacturer whether an AR exists under point (a) and whether the AR's Member State or yours is the active route. Second, point (b) is volume-based and can shift between importers across product cohorts. Track product volumes per manufacturer per Member State so that the routing claim can be substantiated if a CSIRT or market surveillance authority asks.

When Verification Fails

A failed verification creates a stop-and-inform duty. The importer must keep the product off the EU market until the product and the manufacturer's processes are brought into conformity.

  1. Stop. Do not place on the EU market. Customs warehousing or re-export remains possible until conformity is restored.
  2. Document. Record which pre-market check failed, whether it concerns the product or the manufacturer's processes, the date and signatory.
  3. Notify the manufacturer in writing. Specify the gap, the documentation required, the timeline.
  4. Assess cybersecurity risk. Significant risk: inform market surveillance of the Member State concerned. Non-technical risk factors still need an authority route, but the importer workflow remains the same: document, notify, and hold the product.
  5. Resolve or reject. Proceed only when all four checks pass. Otherwise reject the import.

After market placement, the importer duty shifts to corrective measures, withdrawal or recall as appropriate, manufacturer notification on vulnerabilities without undue delay, and market-surveillance notification in every Member State of supply where the product presents significant cybersecurity risk.

If the Supplier Ceases Operations

When the non-EU manufacturer goes out of business, the importer becomes the messenger. There is a notice duty, but the manufacturer's support obligations do not transfer to the importer. Article 19(8) sets the trigger:

"Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market."

Two parties must be told: the relevant market surveillance authorities, and where possible the users of the products already placed on the market (by any means available, to the extent possible). The CRA itself does not require the importer to take over manufacturer-level support, vulnerability handling, security update issuance, or any other manufacturer duty. Manufacturer-side obligations end with the manufacturer.

Stock-handling is a commercial decision, not a statutory duty. The importer typically suspends further placement of affected stock to limit downstream support exposure, but that is risk management, not a statutory obligation. If the importer wants to keep selling, role escalation kicks in: placing the product on the market under its own name or trademark from that point onwards is the rebrand bridge to manufacturer status, with all the engineering, conformity-assessment, and support-period obligations that follow.

Importer, Distributor, or Manufacturer?

This page does not carry the whole role matrix. Use the CRA role decision tree for full classification across manufacturer, importer, distributor, authorised representative and open-source steward.

The statutory rebrand trigger sits in Article 3(13):

"'manufacturer' means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge"

The "markets them under its name or trademark" clause is the rebrand trigger. Putting your EU brand on a non-EU OEM product makes you the manufacturer from the first sale onwards. The rebrand bridge routes an importer or distributor caught by this trigger straight into the manufacturer regime. A separate catch-all covers third parties that are not the manufacturer, importer, or distributor. If your situation tips you into manufacturer status, see the manufacturer cluster guide for the full manufacturer obligation set.

For importer work, the practical boundary is this:

| Situation | CRA role or consequence |
|---|---|
| EU entity first places a non-EU-branded product on the Union market | Importer |
| EU entity resells a non-EU-branded product after another EU entity already placed it on the market | Distributor |
| EU entity places the product on the market under its own name or trademark | Manufacturer obligations apply |
| Importer or distributor substantially modifies a product already placed on the market | Manufacturer obligations apply via the importer-distributor rebrand bridge |
| Third party that is not the manufacturer, importer or distributor substantially modifies the product and makes it available | Manufacturer obligations apply via the third-party substantial-modifier rule |

The practical cost of crossing from importer to manufacturer is large: your entity must own or arrange the technical documentation, conformity assessment route, EU Declaration of Conformity, vulnerability-handling process, security-update commitments and vulnerability-reporting path. Keep the original manufacturer's identity visible and avoid security-relevant changes if your business model depends on staying in the importer role.

Documentation and Retention

Keep the EU Declaration of Conformity available to market surveillance authorities for at least 10 years after the product is placed on the market, or for the support period if that is longer. Also make sure the technical documentation can be made available on request. A product with a 12-year support period therefore needs a 12-year importer retention plan.

The importer retains: the full or simplified DoC, the technical-documentation table of contents and the manufacturer's commitment to produce the underlying file, the importer's own four-check verification record (decision, date, signatory), manufacturer correspondence, customs and batch records with first-placement dates, and corrective-measure and notification records.

Where the line moves into manufacturer obligations because you sell under your own brand or substantially modify the product, the retention rule becomes the manufacturer rule: same 10-year-or-support-period duration, plus technical documentation in your own name and the full conformity-assessment evidence chain.

Digital storage is acceptable. Files must remain accessible, readable, and producible within a reasonable window in a language the authority understands.

Common Pitfalls

| Claim | Why it fails |
|---|---|
| "CE means they are compliant." | CE is only one importer check. The EU DoC, technical documentation availability, user information, product ID, manufacturer details and support end date still need verification. |
| "Our supplier has been reliable for years." | Compliance under earlier product directives does not transfer to CRA's vulnerability handling, support-period and reporting regime. |
| "Verbal assurances from our sales contact." | Pre-market verification requires documentation; a sales rep has no legal weight. |
| "We will verify after the shipment arrives." | Verification must occur before market placement. Customs warehousing is fine; market is not. |
| "It is just a sticker with our logo." | If the sticker presents you as the source, manufacturer obligations apply. The direct switch for importers and distributors is automatic, with no size threshold. |
| "The catch-all modifier rule makes us a manufacturer if we modify." | The direct rule for importers and distributors that substantially modify a product or place it under their own name is the importer/distributor escalation; the catch-all for other third parties is separate. |
| "The manufacturer said we could rebrand." | Private agreements cannot rewrite the CRA role. If you place the product on the market under your name or trademark, manufacturer obligations apply. |
| "Our chatbot is the single point of contact." | The single point of contact requires user-chosen means of communication, not limited to automated tools. |

Procurement signals about specific non-EU vendors. In 2021 the European Parliament voted on a resolution restricting internal procurement of Hikvision thermal cameras. The resolution is a political signal about a named Chinese surveillance vendor, not a CRA obligation, but importer due diligence on non-EU surveillance brands should treat such procurement records as part of the wider risk picture alongside the four pre-market checks.

Frequently Asked Questions

What is an importer under the CRA?

An EU entity placing a non-EU-branded product on the Union market. Three elements must all be present: established in the Union, first to make the product available on the Union market, and the product bears a non-EU person's name or trademark. If you place the product on the market under your own brand, you are not acting as importer for that product; manufacturer obligations apply.

Am I an importer or a distributor?

The line is the first placing on the market. You are the importer if you are the first EU entity placing a non-EU-branded product on the Union market. You are the distributor if you make the product available after the importer, without affecting its properties. If you buy a non-EU product from another EU company that already imported it, that other company is the importer and you are the distributor. If you buy directly from the non-EU manufacturer and place the product on the EU market yourself, you are the importer.

Importer vs authorised representative: what is the difference?

Different jobs, and the AR is permissive. Article 18(1) uses the word "may", not "shall":

"A manufacturer may, by a written mandate, appoint an authorised representative."

An AR is therefore not statutorily mandatory. A non-EU manufacturer may or may not appoint one. In practice, you may need either an AR or a contractually committed importer to act as the EU contact, but that is a commercial reality, not a CRA obligation.

Job descriptions differ. The AR is documentation custody for the manufacturer. The importer physically places the product on the market. The AR holds the EU DoC and technical documentation at the disposal of market surveillance authorities and cooperates with those authorities, but does not place the product on the market. The importer carries the four-check verification duty before market placement. A non-EU manufacturer that does appoint an AR for documentation and cooperation still needs an importer (or its own EU entity) to actually place the product on the market. An AR appointment does not transfer engineering, risk-assessment, vulnerability-handling or conformity-assessment duties.

Are there SME exemptions for importers?

No exemption from the obligations themselves. Importer duties apply regardless of size. The CRA's SME concession on penalties is for manufacturers, not importers, and only for the 24h early-warning deadlines. The open-source steward fine derogation under Article 64(10)(b) applies to stewards, not importers. Authorities must give due regard to the size of the offender (including SMEs and start-ups) when setting fine amounts in individual cases, but that is a sentencing factor, not an obligation exemption.

When do CRA importer obligations apply?

From 11 December 2027. From that date, no product with digital elements may be placed on the EU market unless the importer has carried out pre-market verification. Vulnerability and incident reporting starts earlier (11 September 2026) but is a manufacturer obligation; the importer's role is to verify that the manufacturer's single point of contact is in place and not limited to automated tools.

Does rebranding alone make the importer a manufacturer?

Yes in practical effect. An importer or distributor that places the product on the market under its own name or trademark is considered a manufacturer and becomes subject to the full manufacturer regime. The original manufacturer's DoC and CE no longer cover the rebranded product as you place it on the market. The direct rule for importers and distributors is one provision; a separate catch-all covers other third-party modifiers.

Are security patches ever a substantial modification?

Not when the patches are issued by the original manufacturer and preserve intended purpose, behaviour and security architecture. A patch that does more than fix a vulnerability (adds features, changes authentication, expands attack surface) leaves the exemption.

How long must an importer keep the EU Declaration of Conformity?

At least 10 years after the product is placed on the market or for the support period, whichever is longer. A product placed in 2028 with a 12-year support period drives retention until 2040. The same duty requires the importer to ensure the technical documentation can be made available on request. Digital storage is acceptable.

What does the importer have to do if documentation has gaps?

Stop and inform. Do not place on market until the gap is closed. Notify the manufacturer in writing. Where the product presents a significant cybersecurity risk, inform market surveillance of the Member State concerned. The duty also extends to non-technical risk factors; authorities then follow the relevant procedure. Goods may sit in customs warehousing while the gap is open.

What happens to the original CE marking when the EU entity becomes the manufacturer?

It no longer covers the product as the EU entity places it on the market. The EU entity issues its own DoC and affixes CE under its own responsibility.

Does the five-year support period restart when the EU entity becomes the manufacturer?

Yes. The support period runs from the date the EU entity places the rebranded or modified product on the market. The "at least 5 years" floor applies, with the exception that products expected to be in use for less than 5 years take a support period equal to the expected use time. Cost lands in support resources and supplier contracts (the upstream factory must commit inputs for at least your support period).

Does the EU entity need a notified body if the original manufacturer used one?

For Class II or Critical products that are substantially modified, almost always yes. The original certificate was tied to the product as designed; substantial modification invalidates it. Rebranding a Class II or Critical product also requires a fresh DoC in the EU entity's name. See the conformity assessment and product classification guides.

What to do before 11 December 2027

  1. Classify each product line: importer, distributor, or manufacturer. Branding and first EU placement decide.
  2. Send the documentation request above to every non-EU supplier. Track replies per pre-market verification check.
  3. Build the pre-market verification checks and importer-identification step into receiving inspection.
  4. If you sell under your own brand or substantially modify the product, treat the line as manufacturer-level work: technical documentation, conformity assessment, DoC, vulnerability handling, and vulnerability reporting. For importers and distributors, the direct switch is the importer-distributor role switch.
  5. Set retention for at least 10 years or the support period, whichever is longer.