Importers, Distributors, Third Parties

A comprehensive CRA guide for importers, distributors, and third parties to address cybersecurity risks and vulnerabilities.

To comply with the upcoming Cyber Resilience Act (CRA), importers, distributors and third parties share some obligations with the manufacturers whose products with digital elements they import, distribute or resell.

In some cases they may even be considered manufacturers themselves.

Importers

1- CRA prerequisites for importing IoT devices

By fulfilling the following prerequisites before placing a product on the market, importers can ensure CRA compliance when importing IoT products into the EU:

  • Ensure that the product complies with the essential requirements of Annex I, Part I, and that the manufacturer's processes comply with those of Annex I, Part II.
  • Check that the manufacturer has carried out the appropriate conformity assessment procedures.
  • Confirm that the manufacturer has drawn up the technical documentation, that the product bears the CE marking and that it is accompanied by the EU declaration of conformity.
  • Provide the importer's own contact information on the product, its packaging or an accompanying document.
  • Ensure that the product comes with information and instructions for users in a language easily understood by users and market surveillance authorities.

2- Mandatory documentation

To import IoT products into the EU, importers must be able to produce the following documentation on request:

  • Technical documentation demonstrating compliance.
  • CE marking.
  • Information and instructions for users, in a language understood by users and authorities.
  • The importer's contact details.
  • EU declaration of conformity provided by the manufacturer.

3- CRA reporting requirements

If an importer considers or has reason to believe that an IoT product, or the processes put in place by its manufacturer, does not comply with the essential requirements (cf. Annex I), the importer must not place the product on the market until the product or the processes have been brought into conformity. If the product has already been placed on the market, the importer must immediately take the necessary corrective measures, or withdraw or recall the product where appropriate.

Moreover, if the IoT product presents a significant cybersecurity risk, the importer must inform both the manufacturer and the market surveillance authorities, giving details of the non-compliance and of any corrective measures taken. Where the significant risk stems from non-technical risk factors, the market surveillance authorities must be informed.

In addition, importers have an obligation to inform the manufacturer without undue delay of any vulnerability they become aware of.

Where the manufacturer of an IoT product has ceased its operations and as a result can no longer fulfil its obligations, importers must inform the relevant market surveillance authorities and, by any means available and to the extent possible, the users of the product.

Finally, importers must keep a copy of the EU declaration of conformity, and be able to make the technical documentation available to the authorities, for at least 10 years after the product was placed on the market or for the support period, whichever is longer.

Legal basis

Importers shall place on the market only products with digital elements that comply with the essential requirements set out in Annex I, Part I, and where the processes put in place by the manufacturer comply with the essential requirements set out in Annex I, Part II.

Before placing a product with digital elements on the market, importers shall ensure that:

(a) the appropriate conformity assessment procedures referred to in Article 32 have been carried out by the manufacturer;

(b) the manufacturer has drawn up the technical documentation;

(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity as referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;

(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).

For the purposes of this paragraph, importers shall be able to provide the necessary documents proving the fulfilment of the requirements set out in this Article.

Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation.

Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.

Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect.

Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).

Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.

Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.

Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.

Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.

Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential requirements set out in Annex I, Part I, as well as of the processes put in place by the manufacturer with the essential requirements set out in Annex I, Part II, in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.

Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

Distributors

1- CRA prerequisites for distributing IoT devices

By completing the following prerequisites before making a product available, distributors play a crucial role in ensuring the CRA compliance and cybersecurity of products with digital elements in the EU:

  • Act with due care in relation to the requirements of the regulation.
  • Check that the product bears the CE marking and that the manufacturer and the importer have fulfilled their obligations and provided all necessary documents.

2- Mandatory documentation

According to the CRA, the documentation that distributors must hold for products with digital elements made available within the European Union (EU) includes:

  • CE marking.
  • Confirmation that the manufacturer and the importer have fulfilled their obligations.
  • Records of non-conformities.
  • Records of corrective measures taken.
  • Records of vulnerability reports made to the manufacturer.
  • Records of any communication with market surveillance authorities; and
  • Documentation of the manufacturer's status, where it has ceased its operations.

3- CRA reporting requirements

Distributors have several responsibilities concerning product compliance and cybersecurity risks.

They must not make a product available on the market if they have reason to believe, on the basis of information in their possession, that the product or the processes put in place by its manufacturer do not meet the essential requirements, until it has been brought into conformity. Where the product poses a significant cybersecurity risk, they must inform the manufacturer and the market surveillance authorities without undue delay. For a non-compliant product they have already made available, distributors must make sure that the necessary corrective measures are taken, including withdrawal or recall where appropriate. They must also inform the manufacturer without undue delay of any vulnerability they become aware of and, where the product presents a significant cybersecurity risk, immediately notify the market surveillance authorities of the Member States in which they made it available, giving details of the non-compliance and of any corrective measures taken.

In addition, the CRA requires distributors, further to a reasoned request, to provide the information and documentation demonstrating the conformity of the product and of the manufacturer's processes, and to cooperate with the authorities on measures taken to eliminate cybersecurity risks. If a manufacturer ceases operations and can no longer comply, distributors must inform the authorities without undue delay and, by any means available and to the extent possible, the affected users.

Legal basis

When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.

Before making a product with digital elements available on the market, distributors shall verify that:

(a) the product with digital elements bears the CE marking;

(b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor.

Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.

Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.

Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken.

Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.

Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

Third parties

A third party, that is, a natural or legal person other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes it available on the market is considered a manufacturer under the CRA. It must then meet the manufacturer obligations for the part of the product affected by the modification, or for the entire product if the modification affects the cybersecurity of the product as a whole.

This does not apply to security updates that do not change the product's intended purpose. Products with digital elements developed or modified exclusively for use by public administrations are also exempt from this responsibility.

Legal basis

A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.

That person shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.
