Art. 3(13)A manufacturer is any natural or legal person who develops or manufactures products with digital elements, or has them designed or manufactured, and markets them under their own name or trademark.
11 December 2024 — CRA enters into force
The regulation is legally in effect. Products placed on the market from this date must comply with CRA once the application dates are reached.
11 September 2026 — Vulnerability reporting obligations apply
Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.
11 June 2027 — Conformity assessment body notification
Member States must notify conformity assessment bodies to the Commission.
11 December 2027 — Full regulation applies
All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform.
Manufacturers must design, develop, and produce products with digital elements so that they provide an appropriate level of cybersecurity based on the risks. Security must be addressed throughout the product's lifecycle — from design through decommissioning.
Before placing a product with digital elements on the market, manufacturers must carry out an assessment of the cybersecurity risks associated with the product. The risk assessment must inform the product's design, development, and production, and must be documented as part of the technical file.
Manufacturers must draw up technical documentation containing all information necessary to demonstrate that the product conforms to the CRA essential requirements. The documentation must be kept up to date and retained for ten years from placing on the market (or the product's expected lifetime if longer).
Manufacturers must demonstrate conformity using the procedure appropriate to their product class. Default products may self-certify (Module A). Important Class I products may self-certify if harmonised standards are applied; otherwise a notified body must be involved. Important Class II and Critical products always require a notified body.
Where a software component incorporated in a product with digital elements is not developed by the manufacturer, the manufacturer must exercise appropriate due diligence to ensure that the component does not compromise the product's security. A software bill of materials (SBOM) must be prepared and maintained as part of the technical documentation.
When placing a product with digital elements on the market, manufacturers must ensure the product does not contain any known exploitable vulnerabilities. This obligation applies at the time of distribution and to each subsequent update that is released.
Manufacturers must put in place a policy for coordinated vulnerability disclosure (CVD) and make it publicly accessible. The policy must provide a contact point for reporting vulnerabilities and describe how the manufacturer will handle reports, including acknowledgement timelines and the process for coordinating disclosure with researchers.
Manufacturers must declare the support period for their product and make that information available to users before purchase. The support period must be at least five years, unless the expected use period of the product is shorter. The support-period end date must appear in product documentation and at the point of sale.
Manufacturers must provide security updates free of charge for at least five years (or the expected use period if shorter). Updates must be delivered promptly, separately from functionality updates, and the support-period end date must be disclosed.
Manufacturers must have processes to identify, analyse, and address vulnerabilities in their products throughout the entire support period. Annex I Part II specifies detailed requirements including CVE assignment, CVSS scoring, coordinated disclosure, and timely remediation.
Manufacturers must draw up an EU Declaration of Conformity in accordance with Article 28 and Annex V, stating that the product meets all applicable CRA requirements. The EU DoC must be kept up to date and made available to market surveillance authorities and, where applicable, to users.
Manufacturers must affix the CE marking to their products before placing them on the EU market, as evidence that the product conforms to all applicable CRA requirements. The CE marking must be visible, legible, and indelible, and must not be affixed before the EU Declaration of Conformity is drawn up.
Manufacturers must ensure that each product with digital elements bears a type, batch number, serial number, or other element that allows its identification. For software-only products, the version number serves this purpose.
Manufacturers must indicate their name, registered trade name or trademark, and postal address on the product or its packaging. An electronic contact address (website or email) must also be indicated where available. This enables market surveillance authorities, importers, distributors, and users to contact the manufacturer.
Manufacturers must accompany the product with the information and instructions listed in Annex II, in a language easily understood by users. This includes the product identity, security capabilities, contact for reporting vulnerabilities, the support period end date, and guidance on secure use.
Where a manufacturer has reason to consider that a product placed on the market does not conform with CRA requirements, they must immediately take corrective measures — including withdrawal or recall if necessary. Manufacturers must also cooperate with market surveillance authorities and provide all requested information and documentation.
Manufacturers must report any actively exploited vulnerability in their product to ENISA via the single reporting platform within 24 hours (early warning) and 72 hours (notification). A final report is due within 14 days. This obligation applies from 11 September 2026.
Within 72 hours of becoming aware of an actively exploited vulnerability in a product, manufacturers must submit a detailed vulnerability notification to ENISA via the single reporting platform. This follows the 24-hour early warning (OBL-ART14-01) and must include technical details about the vulnerability and the product affected.
Within 14 days of becoming aware of an actively exploited vulnerability, manufacturers must submit a final report to ENISA containing a complete description of the vulnerability, the corrective measures taken, and whether the vulnerability has been publicly disclosed or a CVE has been assigned.
When a vulnerability is actively exploited, manufacturers must notify affected users without undue delay. The notification must include information sufficient for users to take protective action, including mitigating measures available before a patch is released.
A manufacturer may appoint an authorised representative (AR) by written mandate. The mandate must allow the AR to perform at least three minimum statutory tasks: keeping the EU DoC and technical documentation available to market surveillance for at least 10 years or the support period; providing conformity information on request; and cooperating with market surveillance on corrective measures. Core design and production obligations cannot be delegated to the AR.
Any natural or legal person — other than the original manufacturer, importer, or distributor — who carries out a substantial modification of a product and then makes it available on the market is treated as the manufacturer. That person is then subject to Articles 13 and 14 either for the affected part of the product or, if the modification affects the entire product's cybersecurity, for the whole product.
All economic operators must be able to identify, on request from market surveillance authorities, (a) any economic operator who supplied them with a product, and (b) any economic operator to whom they supplied a product. Records must be maintainable for 10 years from each transaction.
Manufacturers must draw up an EU Declaration of Conformity (EU DoC) that follows the Annex V model structure and contains all specified elements. The EU DoC states that the product meets the applicable essential cybersecurity requirements. A simplified version (Annex VI) may accompany the product provided the full DoC is accessible online. The DoC must be updated whenever relevant changes occur.
Manufacturers must draw up technical documentation before placing a product on the market, and continuously update it (at least during the support period). The documentation must contain all elements listed in Annex VII, demonstrating how the product and the manufacturer's processes comply with the essential cybersecurity requirements in Annex I. It must be kept available to market surveillance authorities for at least 10 years or the support period.
Manufacturers must perform a conformity assessment demonstrating that both the product and the manufacturer's processes meet the Annex I essential requirements, before placing the product on the market. The required procedure depends on the product's classification: Module A self-assessment for default products, third-party assessment for important products in certain circumstances, and mandatory notified-body involvement for Class II important and critical products.
Products with digital elements may be placed on the EU market only where they meet the essential cybersecurity requirements set out in Part I of Annex I, provided they are properly installed, maintained, and used for their intended purpose, and where applicable, the necessary security updates have been installed.
Products with digital elements may be placed on the EU market only where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I, covering how the manufacturer identifies, handles, and discloses vulnerabilities throughout the support period.
Products whose core functionality falls within a category listed in Annex III are "important products with digital elements" and must undergo a more stringent conformity assessment procedure than default products. Class I important products may use Module A self-assessment only if harmonised standards or common specifications are applied; otherwise a notified body is required. Class II always requires a notified body.
Products whose core functionality falls within Annex IV (hardware security boxes, smart meter gateways, and smartcards/secure elements) are "critical products with digital elements". Once the Commission adopts the relevant delegated act, they must obtain a European cybersecurity certificate at assurance level 'substantial' or higher under a relevant EUCC scheme. Until that delegated act applies, Module B+C or Module H conformity assessment is required.
Explore the full obligations library, understand your role, or view the regulatory timeline.