Any person making a substantial modification and placing the product on the market becomes a manufacturer
- Applies to
- ManufacturerImporterDistributor
- Source citations
- Art. 22(1)Art. 22(2)Art. 13Art. 14
- Product classes
- DefaultImportant — Class IImportant — Class IICritical
Plain language
This rule catches anyone outside the normal supply chain who modifies a product and puts it back on the market. If you customise a product, integrate it into a larger system in a way that changes its security properties, and then sell or supply that system commercially, you may well be a "manufacturer" under the CRA for the modified portion. You would then need to do a new risk assessment, technical documentation, EU DoC, CE marking, and conformity assessment for your modifications.
Legal text
Article 22(1) of Regulation (EU) 2024/2847 provides:
A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.
Article 22(2) specifies the scope of the resulting obligations:
The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14:
- for the part of the product affected by the substantial modification; or
- if the substantial modification has an impact on the cybersecurity of the product as a whole, for the entire product.
Who this applies to
This provision targets, in particular:
- System integrators who substantially modify a PDE before delivering the combined system to end users
- Value-added resellers who alter firmware, operating system configuration, or core security features beyond routine setup
- Service providers who embed a PDE into a managed offering and substantially modify it in the process
The person must make the product available on the market — i.e., supply it in the course of a commercial activity — for the obligation to apply.
What "substantial modification" means
A substantial modification (Art. 3(30)) is a change following market placement that:
- affects compliance with Annex I Part I essential cybersecurity requirements; or
- results in a modification to the intended purpose for which the product was assessed
Scope of new manufacturer obligations
| Scenario | Obligation scope |
|---|---|
| Modification affects a discrete component | Arts. 13 & 14 apply to the modified part |
| Modification affects the whole product's cybersecurity | Arts. 13 & 14 apply to the entire product |
New conformity assessment, technical documentation, EU DoC and CE marking are required for at minimum the affected part.
Related obligations
- Full manufacturer obligations: OBL-ART13-01 through OBL-ART13-16
- Reporting: OBL-ART14-01 through OBL-ART14-04
- Analogous rule for importers/distributors: OBL-ART21-01