The Cyber Resilience Act imposes many new obligations on manufacturers of digital products. If you fall into that category, you need, among other things, to take responsibility for the cybersecurity of the products you sell for at least 5 years. If you are merely importing or distributing products, however, your obligations are much more limited and easy to comply with; see our articles on Importer Obligations and Distributor Obligations.
But the Cyber Resilience Act also contemplates some situations where importers, distributors, or other individuals or businesses might actually end up with all the responsibilities of being a manufacturer. Article 21 and Article 22 of the CRA lay out the conditions under which that can happen.
Importers and Distributors
If an importer or distributor sells a product under its own name or trademark, it is automatically considered to be the manufacturer. So “white-labeling” products to sell under your own brand is still possible, but comes with quite a lot of new obligations. If white-labeling is a major part of your business strategy, you will need to choose manufacturing partners or suppliers that you have a very high level of trust in. They would need to provide you with all of the required documentation and support under the CRA, including the crucial after-sale support period obligations, and if they don’t deliver, the full responsibility for non-compliance will lie with you. Fines for non-compliance can be up to 2.5% of global annual sales for serious violations, or up to 1% of global annual sales for minor violations like documentation deficiencies.
Additionally, if an importer or distributor makes a “substantial modification” to a product, they are considered to be that product’s manufacturer. What exactly is a substantial modification? The EU’s Blue Guide on implementation of consumer product rules has a general definition, and the text of the CRA also includes a definition. But because this is potentially a difficult subject with some grey areas, the CRA’s Article 26 also specifically orders the Commission to publish guidance on the matter. This guidance is not yet published, but should be available before the bulk of the CRA’s requirements enter into force in 2027.
Other actors or individuals
It’s also possible for a business or an individual to be considered a manufacturer. The rules are similar to the rules for distributors and importers, but a little bit less strict. You still take on manufacturer responsibilities if you make substantial modifications to a product and then re-sell it, but you only have those obligations with respect to the part of the product you modified. If your modifications go so far as to impact the cybersecurity of the product as a whole, however, you bear responsibility for the entire product. So if you take an embedded computer, add an application to it for a specific purpose, and then sell the pre-installed product, you would likely only have manufacturer obligations for the application you added. If your addition changes the overall cybersecurity risks of that embedded computer compared to the risks the manufacturer included in their risk assessment, you’d be responsible for the whole product. Here, too, we expect to see additional guidance from the Commission on where that line is.
Conclusion
The current text of the CRA makes it clear that making substantial modifications to a digital product and then re-selling it, or selling a digital product under your brand name or trademark, will cause you to be treated as the manufacturer of that product. There are likely to be some grey areas about exactly what can be considered a substantial modification, along with other interpretation questions; official guidance on interpretation is forthcoming. For now, the easiest way to reduce the risk of CRA compliance failures is to make sure that your suppliers are reliable, trustworthy, and ideally within Europe.