A manufacturer is any natural or legal person who develops or manufactures products with digital elements, or has them designed or manufactured, and markets them under their own name or trademark.
Key facts
› Highest obligation burden under the CRA
› Must carry out cybersecurity risk assessments
› Responsible for security updates throughout the support period (minimum 5 years)
› Must report actively exploited vulnerabilities to ENISA from 11 Sep 2026
› Must draw up EU Declaration of Conformity and affix CE marking
Manufacturers must design, develop, and produce products with digital elements so that they provide an appropriate level of cybersecurity based on the risks. Security must be addressed throughout the product's lifecycle — from design through decommissioning.
Before placing a product with digital elements on the market, manufacturers must carry out an assessment of the cybersecurity risks associated with the product. The risk assessment must inform the product's design, development, and production, and must be documented as part of the technical file.
Manufacturers must draw up technical documentation containing all information necessary to demonstrate that the product conforms to the CRA essential requirements. The documentation must be kept up to date and retained for ten years from placing on the market (or the product's expected lifetime if longer).
Manufacturers must demonstrate conformity using the procedure appropriate to their product class. Default products may self-certify (Module A). Important Class I products may self-certify if harmonised standards are applied; otherwise a notified body must be involved. Important Class II and Critical products always require a notified body.
Where a software component incorporated in a product with digital elements is not developed by the manufacturer, the manufacturer must exercise appropriate due diligence to ensure that the component does not compromise the product's security. A software bill of materials (SBOM) must be prepared and maintained as part of the technical documentation.
When placing a product with digital elements on the market, manufacturers must ensure the product does not contain any known exploitable vulnerabilities. This obligation applies at the time of distribution and to each subsequent update that is released.
Manufacturers must put in place a policy for coordinated vulnerability disclosure (CVD) and make it publicly accessible. The policy must provide a contact point for reporting vulnerabilities and describe how the manufacturer will handle reports, including acknowledgement timelines and the process for coordinating disclosure with researchers.
Manufacturers must declare the support period for their product and make that information available to users before purchase. The support period must be at least five years, unless the expected use period of the product is shorter. The support-period end date must appear in product documentation and at the point of sale.
Manufacturers must provide security updates free of charge for at least five years (or the expected use period if shorter). Updates must be delivered promptly, separately from functionality updates, and the support-period end date must be disclosed.
Manufacturers must have processes to identify, analyse, and address vulnerabilities in their products throughout the entire support period. Annex I Part II specifies detailed requirements including CVE assignment, CVSS scoring, coordinated disclosure, and timely remediation.
Manufacturers must draw up an EU Declaration of Conformity in accordance with Article 28 and Annex V, stating that the product meets all applicable CRA requirements. The EU DoC must be kept up to date and made available to market surveillance authorities and, where applicable, to users.
Manufacturers must affix the CE marking to their products before placing them on the EU market, as evidence that the product conforms to all applicable CRA requirements. The CE marking must be visible, legible, and indelible, and must not be affixed before the EU Declaration of Conformity is drawn up.
Manufacturers must ensure that each product with digital elements bears a type, batch number, serial number, or other element that allows its identification. For software-only products, the version number serves this purpose.
Manufacturers must indicate their name, registered trade name or trademark, and postal address on the product or its packaging. An electronic contact address (website or email) must also be indicated where available. This enables market surveillance authorities, importers, distributors, and users to contact the manufacturer.
Manufacturers must accompany the product with the information and instructions listed in Annex II, in a language easily understood by users. This includes the product identity, security capabilities, contact for reporting vulnerabilities, the support period end date, and guidance on secure use.
Where a manufacturer has reason to consider that a product placed on the market does not conform with CRA requirements, they must immediately take corrective measures — including withdrawal or recall if necessary. Manufacturers must also cooperate with market surveillance authorities and provide all requested information and documentation.
Manufacturers must report any actively exploited vulnerability in their product to ENISA via the single reporting platform within 24 hours (early warning) and 72 hours (notification). A final report is due within 14 days. This obligation applies from 11 September 2026.
Within 72 hours of becoming aware of an actively exploited vulnerability in a product, manufacturers must submit a detailed vulnerability notification to ENISA via the single reporting platform. This follows the 24-hour early warning (OBL-ART14-01) and must include technical details about the vulnerability and the product affected.
Within 14 days of becoming aware of an actively exploited vulnerability, manufacturers must submit a final report to ENISA containing a complete description of the vulnerability, the corrective measures taken, and whether the vulnerability has been publicly disclosed or a CVE has been assigned.
When a vulnerability is actively exploited, manufacturers must notify affected users without undue delay. The notification must include information sufficient for users to take protective action, including mitigating measures available before a patch is released.