← Back to Blogregulation

CRA Obligations for Importers and Distributors

Importers and distributors are not off the hook under the CRA. This post explains the distinct obligations each supply chain role faces — and the circumstances in which a distributor can become a manufacturer.

CRAReady Team·

Why the CRA Reaches Beyond Manufacturers

The CRA extends obligations to importers and distributors to prevent non-compliant products from entering the EU market via intermediaries. While manufacturers bear the primary compliance burden, importers and distributors have independent obligations that can attract significant liability.

Importer Obligations

An importer is a company established in the EU that places a product made by a non-EU manufacturer on the EU market. Key obligations:

Before placing on market:

  • Verify the manufacturer has carried out the appropriate conformity assessment
  • Verify a technical file exists
  • Verify CE marking is present and correctly affixed
  • Verify an EU Declaration of Conformity exists
  • Verify the product bears the manufacturer's name, trademark, and contact details

Ongoing:

  • Store and transport products in ways that do not compromise compliance
  • Pass on complaints and non-conformity reports to the manufacturer
  • Cooperate with market surveillance authorities on request
  • Keep records of product batches and their distribution for 10 years

If the importer believes a product is non-compliant, they must not place it on the market and must inform both the manufacturer and market surveillance authorities.

Distributor Obligations

A distributor is a company that makes a product available on the market without substantially modifying it and without the commercial relationship of an importer. Distributors must:

  • Verify CE marking is present and legible
  • Verify the EU DoC is available
  • Verify the product has the required documentation and labelling
  • Not make a non-compliant product available
  • Cooperate with market surveillance authorities

When a Distributor Becomes a Manufacturer

Critical: if a distributor substantially modifies a product — changes its cybersecurity-relevant functionality, rebrands it as their own, or makes changes that affect compliance — they assume the obligations of a manufacturer. This includes:

  • White-labelling a product under their own brand
  • Adding functionality that changes the product's security profile
  • Bundling software that adds capabilities not present in the original

In these cases, a full CRA compliance process — risk assessment, conformity assessment, technical file, DoC, CE marking — must be conducted from scratch.

Practical Steps for Importers and Distributors

  • Build CRA compliance evidence requests into supplier onboarding processes
  • Request and archive EU DoCs and technical file summaries from manufacturers
  • Establish a process for receiving and passing on vulnerability notifications
  • Review contracts to clarify responsibility allocation for CRA compliance

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker