Importers and distributors who rebrand or substantially modify a product assume full manufacturer obligations
- Applies to
- ImporterDistributor
- Source citations
- Art. 21Art. 13Art. 14
- Product classes
- DefaultImportant — Class IImportant — Class IICritical
Plain language
If you are an importer or distributor and you put your own brand name or logo on a product, or you make significant changes to a product (such as modifying its software in a way that affects its security), you stop being just an importer or distributor. The CRA now treats you as the manufacturer, which means you inherit every obligation that comes with that role — risk assessments, technical documentation, EU DoC, CE marking, vulnerability reporting, and more.
Legal text
Article 21 of Regulation (EU) 2024/2847 provides:
An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor:
- places a product with digital elements on the market under its name or trademark; or
- carries out a substantial modification of a product with digital elements already placed on the market.
Triggering scenarios
| Scenario | Effect |
|---|---|
| Importer adds its own brand name to the product | Becomes manufacturer |
| Distributor replaces manufacturer name with its own trademark | Becomes manufacturer |
| Importer modifies firmware before resale in a way that affects Annex I compliance | Becomes manufacturer |
| Distributor ships product unchanged under original brand | Remains distributor |
What "substantial modification" means
A substantial modification (Art. 3(30)) is a change to the product following its placing on the market that:
- affects the compliance of the product with the essential cybersecurity requirements in Part I of Annex I; or
- results in a modification to the intended purpose for which the product was assessed
Routine maintenance, repairs, and security updates by manufacturers do not necessarily constitute substantial modifications.
Consequences of being reclassified as manufacturer
On reclassification under Art. 21, the importer or distributor must comply with the full scope of Article 13 (manufacturer obligations) and Article 14 (reporting obligations), including:
- Cybersecurity risk assessment
- Technical documentation (Annex VII)
- EU Declaration of Conformity
- CE marking
- Conformity assessment (Art. 32)
- Vulnerability handling and reporting obligations
- Support period commitment (minimum 5 years)
Related obligations
- Full manufacturer obligations: OBL-ART13-01 through OBL-ART13-16
- Reporting obligations: OBL-ART14-01 through OBL-ART14-04
- Similar rule for any third party: OBL-ART22-01