What the CRA asks of distributors
Chapter II, Article 20 — obligations of distributors.
- VerifyCheck before you make it available
Before making a product with digital elements available on the market, verify it bears the CE marking, that the manufacturer and importer have met their identification duties, and that the required user information and instructions are present.
- PreserveDon't compromise compliance
While the product is under your responsibility, ensure storage and transport conditions don't put its compliance with the essential cybersecurity requirements at risk.
- Act on doubtWithhold, inform, cooperate
If you believe a product is not in conformity, don't make it available until it is. Where it presents a significant cybersecurity risk, inform the manufacturer or importer and the market-surveillance authorities, and cooperate on corrective action.
- CooperateHelp demonstrate conformity
On a reasoned request, provide the information and documentation needed to demonstrate the product's conformity, and cooperate on any action to eliminate the risks posed by products you've made available.
The 24h / 72h / 14-day incident-and-vulnerability reporting under Article 14 sits with the manufacturer. As a distributor, your job is to verify, keep records, and inform the manufacturer and authorities when something looks wrong. The pack gives you exactly those instruments.
The CRA Distributor pack
- Distributor obligations summary
- Due-diligence checklist
- Non-conformity action procedure
- Records & traceability template
- Market-surveillance cooperation
Indicative summary, not legal advice. Obligations depend on the specific product and the current text of Reg (EU) 2024/2847. Confirm with qualified counsel before relying on it.