Art. 3(18)A distributor is any natural or legal person in the supply chain, other than the manufacturer or importer, who makes a product with digital elements available on the Union market without altering its properties.
11 December 2024 — CRA enters into force
The regulation is legally in effect. Products placed on the market from this date must comply with CRA once the application dates are reached.
11 September 2026 — Vulnerability reporting obligations apply
Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.
11 June 2027 — Conformity assessment body notification
Member States must notify conformity assessment bodies to the Commission.
11 December 2027 — Full regulation applies
All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform.
When making a product with digital elements available on the market, distributors must act with due care and verify that the product bears the CE marking, is accompanied by the required documentation and information, and that the manufacturer and importer (if applicable) have complied with their labelling and identification obligations.
Where a distributor considers or has reason to believe that a product is not in conformity with the CRA's essential requirements, the distributor must not make the product available on the market until conformity is achieved, and must notify the manufacturer and, where applicable, the market surveillance authority.
Distributors must ensure that, while a product with digital elements is under their responsibility, storage and transport conditions do not jeopardise its conformity with the essential cybersecurity requirements.
If a distributor learns that a product they have made available on the market is not in conformity, they must immediately take corrective action including withdrawal or recall if necessary. Where the product poses a significant cybersecurity risk, they must immediately notify the relevant national market surveillance authority.
Upon a reasoned request from a competent authority, distributors must provide all information and documentation necessary to demonstrate the conformity of a product, and cooperate on any corrective action required by that authority.
An importer or distributor is treated as a manufacturer — and is subject to all of Articles 13 and 14 — if they place a product with digital elements on the market under their own name or trademark, or if they carry out a substantial modification of an already-placed product.
Any natural or legal person — other than the original manufacturer, importer, or distributor — who carries out a substantial modification of a product and then makes it available on the market is treated as the manufacturer. That person is then subject to Articles 13 and 14 either for the affected part of the product or, if the modification affects the entire product's cybersecurity, for the whole product.
All economic operators must be able to identify, on request from market surveillance authorities, (a) any economic operator who supplied them with a product, and (b) any economic operator to whom they supplied a product. Records must be maintainable for 10 years from each transaction.
Explore the full obligations library, understand your role, or view the regulatory timeline.