CRA for UK Companies: Post-Brexit EU Compliance Guide
Brexit did not remove UK companies' obligations to comply with EU product law. Any UK manufacturer, importer, or distributor selling products with digital elements into the EU must meet the full requirements of the Cyber Resilience Act. This guide explains exactly what that means in practice.
The CRA applies to UK companies selling into the EU
EU product law applies at the point of sale — not at the point of manufacture. A UK company that sells products into the EU is treated as a manufacturer or importer under the CRA and carries full compliance obligations. There is no Brexit exemption.
The Post-Brexit Position
Since the UK left the EU single market on 31 December 2020, UK-based companies are treated as third-country manufacturers when they place products on the EU market. This is the same position as a US or Asian company selling into the EU.
As a third-country manufacturer, you have two options:
Appoint an EU Authorised Representative
Under Article 22, a third-country manufacturer must designate an authorised representative established in the EU. The representative acts on your behalf with market surveillance authorities and is named in the Declaration of Conformity. Many UK companies use specialist EU AR service providers for this purpose.
Sell through an EU importer
If you sell your products to an EU-based importer who then places them on the EU market under their name, the importer becomes the economic operator responsible for compliance. This shifts some obligations to the importer — but not all.
CE Marking vs UKCA Marking
CE and UKCA are separate marks for separate markets. They are not interchangeable.
CE Marking (EU market)
Required for products placed on the EU market. Demonstrates conformity with applicable EU legislation, including the CRA from December 2027. UK companies selling into the EU must affix CE marking.
UKCA Marking (GB market: England, Scotland, Wales)
Required for products sold on the GB market. Based on retained EU law, maintained separately by OPSS. Northern Ireland continues to require CE marking under the Windsor Framework.
Northern Ireland note: Under the Windsor Framework, Northern Ireland remains aligned with EU product law. Products sold in Northern Ireland require CE marking, not UKCA. If you operate across the UK and EU, CE marking covers the widest geography.
The UK's Own Product Security Law: PSTI Act 2022
The UK has its own product cybersecurity legislation: the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which came into force on 29 April 2024. It covers connectable consumer products sold in the UK.
PSTI currently implements a subset of ETSI EN 303 645, covering three requirements:
- No default or universal passwords — each device must have a unique password or force the user to set one
- Vulnerability disclosure — manufacturers must publish a point of contact for reporting security issues
- Minimum security update period — manufacturers must state how long security updates will be provided
PSTI is less comprehensive than the CRA. If you comply with CRA Annex I, you will satisfy PSTI requirements for those products — but PSTI covers only consumer products, while the CRA covers all products with digital elements.
Practical Steps for UK Companies
1. Audit your EU sales
   Identify every product line that is sold, licensed, or distributed into EU member states. Include products sold to EU-based distributors or resellers who then sell onward.
2. Appoint an EU Authorised Representative
   Choose an EU AR service provider or establish an EU subsidiary. The AR must be named in your Declaration of Conformity and must be contactable by EU market surveillance authorities. Budget several hundred to a few thousand euros per year for specialist AR services.
3. Run a CRA classification assessment
   Determine whether each product is Default, Class I, Class II, or Critical. The class drives your conformity assessment route, including whether you need a Notified Body established in an EU member state.
4. Implement Annex I requirements
   The security requirements in Annex I apply in full, regardless of where you are based. If your products already comply with PSTI and ETSI EN 303 645, you have a head start, but the CRA is significantly more comprehensive.
5. Prepare for Article 14 reporting from September 2026
   UK companies must report significant incidents to ENISA via the national CSIRT in the EU member state where their Authorised Representative is based, or where the incident has greatest impact.
6. Monitor UK regulatory developments
   The UK government has indicated it intends to update the PSTI regime over time, potentially aligning more closely with the CRA. Monitor OPSS and DSIT announcements.
CRA vs PSTI: Key Differences
| Dimension | EU CRA | UK PSTI Act |
|---|---|---|
| Scope | All products with digital elements | Connectable consumer products only |
| Market | EU 27 member states + EEA | Great Britain (UKCA); NI uses CE |
| Requirements | 13 Annex I security requirements + vulnerability handling + reporting | 3 requirements (passwords, disclosure, update period) |
| Conformity route | Self-assessment through to third-party Notified Body assessment, depending on class | Self-declaration |
| CE/UKCA marking | CE marking required | UKCA marking (or CE in NI) |
| Incident reporting | 24h/72h/14d to ENISA | No equivalent reporting obligation |
| Penalties | Up to €15m or 2.5% global turnover | Up to £10m or 4% global turnover |
| Effective date | Full compliance Dec 2027; reporting Sep 2026 | In force since April 2024 |
CRAReady is built by a UK company (Applied AI, Leicester) and designed to help UK manufacturers navigate both PSTI and CRA compliance from a single platform.