- Manufacturers
- bear the highest responsibilities; ultimately responsible for ensuring compliance
- Importers
- when importing a product to the EU from outside the EU, bears the responsibility for most of what the manufacturer would be responsible for if it were manufactured in the EU. Article 19 lays this out in detail. That means:
- – get a conformity declaration and technical documentation from the manufacturer
- – keep all relevant documentation for 10 years
- – notify regulatory authorities AND the original manufacturer if there’s an exploited vulnerability
- – notify regulatory authorities if the manufacturer is not keeping up with their requirements (e.g. security patching, etc.). This could result in a recall, eventually
- – If the importer has reason to believe that the product is out of conformance with the CRA, they must take corrective measures, up to and including recalling the product. If, for example, a non-EU manufacturer’s product has a serious vulnerability and the manufacturer refuses to patch it, it’s the importer who has the responsibility to recall it.
- White-labeling: If you put your own branding or trademark on a product, you are considered the manufacturer under the CRA, and have all the obligations that implies.
- Substantial modification: If you make any substantial modification to the product you are importing, you are considered the manufacturer under the CRA, and have all the obligations that implies.
- What responsibilities to Importers have under the CRA?
- when importing a product to the EU from outside the EU, bears the responsibility for most of what the manufacturer would be responsible for if it were manufactured in the EU. Article 19 lays this out in detail. That means:
- Distributors
- Article 20 specifies the Distributor’s responsibilities:
- – Verify that the product bears the CE marking
- – Verify that the manufacturer and/or importer have met their obligations (e.g. address of record for the importer, risk assessment from manufacturer, etc.)
- – Inform the manufacturer about any cybersecurity risks that the distributor knows about
- – Inform the regulatory authorities about any “significant” cybersecurity risks, as well as any corrective measures or non-compliance from the manufacturer
- – If the distributor discovers that the manufacturer isn’t able to meet their obligations anymore (e.g. because it has gone out of business), it must inform the regulatory authorities
- White-labeling: If you put your own branding or trademark on a product, you are considered the manufacturer under the CRA, and have all the obligations that implies.
- Substantial modification: If you make any substantial modification to the product you are importing, you are considered the manufacturer under the CRA, and have all the obligations that implies.
- What responsibilities to Distributors have under the CRA?
- Article 20 specifies the Distributor’s responsibilities:
- Sellers
- No new obligations under CRA
- If you are making substantial modification to the products you are selling, or white-labeling them, you are considered the manufacturer, however.
- Buyers
- No new obligations, several new rights:
- – Right to receive appropriate documentation of the cybersecurity risk assessment
- – Right to be informed of a single point of contact for cybersecurity issues with a product
- – Right to receive updates remediating any exploitable vulnerabilities or serious cybersecurity incidents, and for those updates or security patches to be made available without having to accept significant changes in functionality as a condition of receiving the patch
- No new obligations, several new rights:
Summary
Manufacturers bear by far the most responsibility. In the case where the manufacturer is outside of the EU, the importer bears the responsibility for ensuring that the manufacturer meets the obligations of the CRA and maintaining documentation to that effect. If the manufacturer fails to keep up with their aftersales responsibilities during the support period of the product, it’s the importer who’s ultimately financially responsible. Distributors (who are not already importers) also have some limited responsibilities, but the distributors' responsibilities mostly relate to making sure that the manufacturer and/or importer have met their obligations.
Responsibilities
- What responsibilities to Importers have under the CRA?
- What responsibilities do Distributors have under the CRA?
- When does an importer, distributor, or other entity become a manufacturer?
Get in touch with our experts to learn more.