← Back to Blogregulation

The CRA for Non-EU Manufacturers: Selling into the EU Without Getting Caught Out

If you sell products with digital elements into the EU from the UK, US, or anywhere else, the CRA applies to you in full. Here is how the obligations attach and who carries them.

CRAReady Team·

The CRA Follows the Market, Not the Manufacturer's Address

A common misconception among manufacturers outside the EU is that the Cyber Resilience Act is an "EU company" problem. It is not. The CRA applies to any product with digital elements placed on the EU market, regardless of where the manufacturer is established. A US software vendor, a UK hardware company, or an Asian IoT manufacturer selling into the EU carries the same essential requirements, reporting duties, and CE marking obligations as a manufacturer headquartered in Frankfurt.

If your product reaches an EU customer — directly, through a reseller, or bundled into someone else's system — you are in scope.

Who Carries the Obligations in the Supply Chain

The CRA distributes duties across four roles:

  • Manufacturer — designs or produces the product, or has it designed/produced and markets it under their own name or trademark. Carries the full weight of Annex I, vulnerability handling, and Article 14 reporting.
  • Importer — places a product from a non-EU manufacturer on the EU market. Must verify the manufacturer completed conformity assessment, affixed CE marking, and provided the technical documentation.
  • Distributor — makes the product available in the supply chain. Must check CE marking and accompanying documents are present.
  • Authorised representative — an EU-established person a non-EU manufacturer appoints by written mandate to perform specified tasks on their behalf.

The Deemed-Manufacturer Trap (Article 21)

Under Article 21, an importer or distributor is treated as a manufacturer — and inherits the full manufacturer obligations — if they:

  • place the product on the market under their own name or trademark, or
  • make a substantial modification to a product already on the market.

This matters enormously for rebranders and system integrators. If you buy a white-label device and sell it under your own brand into the EU, you are the manufacturer for CRA purposes — not the original producer. Rebadging does not transfer the compliance work to your supplier; it transfers it to you.

What Non-EU Manufacturers Should Do Now

  1. Confirm your route to market. Identify every channel through which your product reaches EU customers, including indirect ones. A single EU reseller is enough to trigger scope.
  2. Appoint an EU importer or authorised representative. Market surveillance authorities need an accountable EU-based contact. Build this into your distribution agreements.
  3. Prepare the technical file to EU expectations. The technical documentation (Annex VII), EU Declaration of Conformity, and CE marking must exist before the product is placed on the market from December 2027. Non-EU test evidence is acceptable, but it must map to Annex I.
  4. Stand up Article 14 reporting from your side of the world. The 24-hour early-warning clock does not pause for time zones. Non-EU manufacturers need an on-call process capable of filing to ENISA and the relevant national CSIRT within 24 hours of becoming aware of active exploitation, from 11 September 2026.
  5. Watch the deemed-manufacturer line. If you rebrand or substantially modify third-party products, budget for full manufacturer compliance — not just importer checks.

The Commercial Reality

Non-EU manufacturers who treat the CRA as optional risk more than fines. Importers and distributors are legally required to refuse non-compliant products, so a missing CE mark or technical file can quietly freeze your EU channel — your goods simply stop moving. Getting CRA-ready is fast becoming a precondition for EU market access, not a paperwork afterthought.

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker