What the CRA asks of importers
Chapter II, Article 19 — obligations of importers.
- VerifyPlace only conforming products
Before you place a product with digital elements on the EU market, satisfy yourself that the manufacturer carried out the conformity assessment, drew up the technical documentation, affixed the CE marking, and provided the EU Declaration of Conformity and user information.
- IdentifyPut your identity on it
Indicate your name, registered trade name or trademark and a contact address on the product — or, where that's not possible, on its packaging or in a document accompanying it.
- PreserveDon't compromise compliance
While the product is under your responsibility, ensure storage and transport conditions don't put its compliance with the essential cybersecurity requirements at risk.
- Act on doubtWithhold, inform, cooperate
If you believe a product is not in conformity, don't place it on the market until it is. Where it presents a significant cybersecurity risk, inform the manufacturer and the market-surveillance authorities and cooperate on corrective action.
- RecordsKeep the evidence available
Keep a copy of the EU Declaration of Conformity and ensure the technical documentation can be made available to authorities on request, throughout the support period and the retention window.
The 24h / 72h / 14-day incident-and-vulnerability reporting under Article 14 sits with the manufacturer. As an importer, your job is to verify, keep records, and inform the manufacturer and authorities when something looks wrong. The pack gives you exactly those instruments.
The CRA Importer pack
- Importer obligations summary
- Pre-market due-diligence checklist
- Conformity verification record
- Article 14 awareness note
- Records & retention template
- Market-surveillance cooperation
Indicative summary, not legal advice. Obligations depend on the specific product and the current text of Reg (EU) 2024/2847. Confirm with qualified counsel before relying on it.