Manufacturer Obligations (CRA)

Manufacturer obligations under the Cyber Resilience Act (CRA) are the requirements the EU places on producers of products with digital elements. The manufacturer bears the primary responsibility for ensuring the product is secure from design to end-of-life and must document compliance throughout the product's lifecycle.

    What is a manufacturer under CRA?

    CRA defines a manufacturer as any natural or legal person who develops or produces a product with digital elements and places it on the market under its own name or trademark. This applies regardless of whether the product is hardware with embedded software, a standalone software application or a cloud service delivered alongside a product.

    The definition is broad. If you modify an existing product to such an extent that it affects its conformity with the security requirements, you are also considered a manufacturer. The same applies if you market a product under your own brand, even if another party produced it.

    The manufacturer bears the heaviest responsibility in CRA's supply chain. Importers and distributors also have obligations, but it is the manufacturer who must ensure the product meets all essential requirements from day one.

    Product security requirements

    CRA Annex I defines the essential security requirements the manufacturer must fulfil. The product must be designed, developed and produced with security by design as the guiding principle. Concretely, this means:

    • The product must be delivered with a secure default configuration and without known, exploitable vulnerabilities
    • Access must be protected with appropriate access control, and default passwords must be avoided
    • Data in transit and at rest must be protected with encryption or equivalent mechanisms
    • The attack surface must be minimised, and the product must be designed to limit the impact of a successful attack
    • The product must be capable of generating security-relevant log data

    The requirements are risk-based. Products in the higher risk classes (class I and class II) must undergo stricter conformity assessments, often involving a notified body.

    Vulnerability handling and updates

    The manufacturer's responsibility does not end at the point of sale. CRA requires you to establish a robust process for vulnerability handling throughout the product's support period:

    • You must identify and document vulnerabilities, including those in third-party components
    • Security updates must be provided free of charge and without undue delay
    • Actively exploited vulnerabilities must be reported to ENISA within 24 hours
    • You must have a coordinated vulnerability disclosure policy enabling security researchers to report findings

    The support period must be at least five years from the date of placing on the market. You must prepare a Software Bill of Materials (SBOM) to keep track of all components and their known vulnerabilities.

    For organisations that have already established incident response processes, many of the requirements will be familiar. CRA formalises practices that mature organisations already follow.

    Documentation and CE marking

    Before you can place a product on the market, you must carry out a conformity assessment. Depending on the product's risk class, this may be done through internal control or with the involvement of a notified body.

    You must prepare and maintain technical documentation containing at a minimum:

    • A description of the product and its intended purpose
    • Documentation of design and development, including security architecture
    • Risk assessment and the measures taken to meet the requirements
    • SBOM and overview of standards applied
    • EU declaration of conformity

    The documentation must be retained for at least ten years after the product is placed on the market. Once everything is in place, the product must be CE marked. The CE mark is your visible proof to authorities and customers that the product complies with CRA.

    Sanctions for non-compliance

    CRA grants national market surveillance authorities far-reaching powers. They may require you to remedy deficiencies, withdraw the product from the market or recall it from end users.

    The fine levels are significant:

    • Up to EUR 15 million or 2.5% of global annual turnover for breaching the essential security requirements
    • Up to EUR 10 million or 2% of turnover for other infringements
    • Up to EUR 5 million or 1% of turnover for providing false information

    The real risk is not only the fines. An order to withdraw a product can have far greater financial and reputational consequences.

    Frequently Asked Questions about Manufacturer Obligations (CRA)

    What obligations do manufacturers have under CRA?

    Manufacturers must ensure that products with digital elements meet the essential security requirements in CRA Annex I. This includes security by design, vulnerability handling, preparation of technical documentation, CE marking and provision of security updates throughout the support period.

    How long must a manufacturer provide security updates?

    The manufacturer must provide free security updates throughout the product's expected lifetime or for at least five years from the date of placing on the market, whichever is shorter. Updates must be available for at least ten years after the last delivery of the product.

    What happens if a manufacturer does not comply with CRA?

    Breach of the essential security requirements may result in fines of up to EUR 15 million or 2.5% of global annual turnover. In addition, market surveillance authorities may require the product to be withdrawn from the market.

    Must manufacturers prepare an SBOM?

    Yes. CRA requires manufacturers to prepare a Software Bill of Materials (SBOM) that identifies and documents all components in the product, including third-party libraries and open-source dependencies.

    Do the manufacturer obligations also apply to open-source software?

    Open-source software developed without a commercial purpose is exempt from CRA. However, if open-source software is integrated into a commercial product, the manufacturer of that product bears the responsibility for ensuring the entire product meets the requirements.
