Can a single entity serve as both authorised representative and importer?

Yes. Art. 3(15) and Art. 3(16) of Regulation (EU) 2024/2847 define distinct roles, but nothing prevents a single EU-established entity from holding both. However, the obligations stack: the entity would have the mandate duties under Art. 18 and the independent verification obligations under Art. 19. The documentation CRACheck generates serves both roles.

Does the authorised representative need technical expertise?

Art. 18(3) requires the representative to provide documentation to authorities and cooperate on risk elimination measures. This implies sufficient understanding of the documentation to respond to authority inquiries. The representative does not need to reproduce the technical file — only to hold it and make it available.

What if I change my authorised representative?

The documentation belongs to you as manufacturer. Transfer the CRACheck-generated PDF set to your new representative. The new representative assumes the Art. 18(3)(a) retention obligation from the date of the new mandate. Ensure continuity — there must be no gap during which no representative holds the documentation.

Does the CRA require all non-EU manufacturers to appoint an authorised representative?

Art. 18 uses permissive language: the manufacturer "may" appoint a representative. It is not mandatory. However, without a representative, you must fulfil Art. 18(3)-equivalent obligations yourself — including making documentation available to EU market surveillance authorities upon request. For practical purposes, most non-EU manufacturers appointing an importer under Art. 19 achieve equivalent market access without a separate representative.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You manufacture products with digital elements outside the EU and sell them on the European market. Article 18 of Regulation (EU) 2024/2847 allows you to appoint an authorised representative in the EU by written mandate — but the mandate cannot cover design, development, production or vulnerability handling. Those remain yours. The representative holds your documentation and cooperates with authorities on your behalf.

The Cyber Resilience Act creates a specific framework for authorised representatives under Art. 18, distinct from the importer under Art. 19. An authorised representative is a natural or legal person established in the EU who has received a written mandate from the manufacturer (Art. 3(15)). Art. 18(3) defines the minimum mandate scope: retain the EU Declaration of Conformity and technical documentation for at least 10 years, provide documentation to authorities upon request, and cooperate with authorities on risk elimination. But Art. 18(2) sets a hard exclusion: the core manufacturer obligations under Art. 13(1)-(11) and Art. 13(14) — design, development, production, risk assessment, vulnerability handling, ENISA reporting — cannot be delegated. CRACheck generates the 8-document technical file your representative will hold. €149 per product. 15-25 minutes. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 18

Defines the authorised representative mandate and its hard exclusions

10 years

Minimum documentation retention period by the representative (Art. 18(3)(a))

Art. 13(1)-(11)

Manufacturer obligations that cannot form part of the mandate

How to proceed

Confirm your manufacturer status under Art. 3(13)

You are the manufacturer if you develop or have developed a product with digital elements and market it under your name or trademark. If an EU entity places the product under its own brand, Art. 21 reclassifies that entity as manufacturer — and the representative structure does not apply to them.

Complete the technical documentation first

Art. 18(2) excludes Art. 13(1)-(11) from the mandate. You must complete the cybersecurity risk assessment, technical documentation, vulnerability handling setup and conformity assessment before the representative can hold anything.

Draft the written mandate

Art. 18(1) requires a written mandate specifying tasks. Art. 18(3) sets the minimum: retain declaration of conformity and technical documentation (Art. 18(3)(a)), provide documentation to authorities (Art. 18(3)(b)), cooperate with authorities on risk elimination (Art. 18(3)(c)).

Transfer the documentation package

The representative receives the 8-document technical file plus any engineering documentation per Annex VII. The representative must produce these within the timeframe authorities request.

Establish your ENISA reporting channel independently

Art. 14 reporting obligations remain with you. The representative does not submit notifications. Ensure your internal process meets the 24h/72h/14-day timelines from September 2026.

Maintain documentation throughout the support period

Art. 18(3)(a) requires retention for at least 10 years or for the support period, whichever is longer. Update the representative whenever documentation changes.

Common mistakes

❌

MANDATE OVERREACH

Assuming the representative can handle ENISA notifications

Art. 18(2) of Regulation (EU) 2024/2847 explicitly excludes Art. 13(14) from the mandate scope. Art. 14 reporting — the 24h early warning, 72h notification, 14-day final report to ENISA — remains with the manufacturer. You cannot delegate vulnerability reporting to your EU representative.

❌

ROLE CONFUSION

Conflating the authorised representative with the importer

Art. 3(15) defines the authorised representative as a mandated agent of the manufacturer. Art. 3(16) defines the importer as an EU person placing a product bearing a non-EU name. These are distinct roles. An importer has independent verification obligations under Art. 19. A representative acts within the manufacturer's mandate under Art. 18. One entity can serve as both, but the obligations stack — they do not merge.

❌

DOCUMENTATION GAP

Appointing a representative before completing the technical file

The representative's core function under Art. 18(3)(a) is holding the declaration of conformity and technical documentation. If you appoint a representative before completing Art. 31 documentation, the representative has nothing to hold — and your product lacks the documentation Art. 31 requires at market placement.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the CRA category. Your representative needs to know the classification to understand which conformity assessment route was followed.

Technical Documentation

The core Art. 31 and Annex VII document. This is what your representative holds under Art. 18(3)(a).

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3). Completed by you — the representative holds the result but does not produce it.

User Information

Annex II information and instructions. Your representative must produce this upon authority request.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V. Art. 18(3)(a) specifically names this as a retention document.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II. Completed by you. Held by the representative.

Notification Template

ENISA notification template per Art. 14. You use this directly — the representative holds a copy for reference.

Obligations Calendar

Key CRA dates with representative retention obligations: 10-year minimum, support period milestones, ENISA reporting from September 2026.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EU COMPLIANCE SERVICE PROVIDER — TYPICAL PACKAGE

Representative + documentation bundled

€3,000-8,000 per year per product family

Annual recurring contract

Documentation locked to provider's format

Switch cost if you change provider

Provider holds documentation, not you

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history