What are the main obligations for manufacturers under the CRA?

Article 13 of Regulation (EU) 2024/2847 lists over 20 obligations including: designing products per Annex I essential requirements (13(1)), conducting risk assessments (13(2)–(3)), drawing up technical documentation per Annex VII (13(4) referencing Art. 31), implementing vulnerability handling per Annex I Part II (13(6)), reporting to ENISA per Art. 14 (13(6)), providing user information per Annex II (13(19)), displaying the support period end date (13(21)), carrying out conformity assessment per Art. 32 (13(12)), affixing CE marking per Art. 30 (13(12)), and keeping documentation for 10 years or the support period (13(13)).

Who qualifies as a manufacturer under the CRA?

Article 3(13) of Regulation (EU) 2024/2847 defines a manufacturer as any natural or legal person who develops or manufactures products with digital elements, or has them designed, developed or manufactured, and markets them under their name or trademark, whether for payment, monetisation, or free of charge. This includes white-label scenarios where the brand owner is the manufacturer even if development is outsourced.

Can I delegate manufacturer obligations to an authorised representative?

Article 18 of Regulation (EU) 2024/2847 allows non-EU manufacturers to appoint an authorised representative. However, Art. 18(2) specifies that certain obligations cannot be delegated: designing the product per Annex I (Art. 13(1)), risk assessment (Art. 13(2)-(3)), and vulnerability handling (Art. 13(6)). The authorised representative handles administrative obligations like keeping documentation available to authorities.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Article 16(m) of Directive (EU) 2011/83 applies. Upon licence activation, you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are accepted only for a reproducible technical defect.

What if the regulation changes?

If the regulation is amended during your licence validity period, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 13 of Regulation (EU) 2024/2847 contains over 20 obligations for manufacturers of products with digital elements. Design per Annex I. Risk assessment per Art. 13(2)–(3). Technical documentation per Art. 31 and Annex VII. Vulnerability handling per Annex I Part II. Reporting to ENISA per Art. 14. User information per Annex II. Support period of at least 5 years. CE marking per Art. 30. Conformity assessment per Art. 32. CRACheck generates the documentation covering all of them.

Q: What is the support period and how long must it be?

Article 13(8) of Regulation (EU) 2024/2847 requires the support period to be at least 5 years from market placement, unless the expected product lifetime is shorter than 5 years, in which case the support period must match the expected lifetime. During the support period, the manufacturer must provide security updates free of charge per Art. 13(9).

The manufacturer bears the primary compliance burden under the CRA. Art. 13(1) requires you to ensure the product was "designed, developed and produced in accordance with the essential cybersecurity requirements" of Annex I. Art. 13(2)–(3) requires a risk assessment. Art. 13(4) requires its inclusion in the technical documentation. Art. 13(6) requires vulnerability handling per Annex I Part II and reporting per Art. 14. Art. 13(8)–(9) requires a support period of at least 5 years with free security updates. Art. 13(12) requires conformity assessment and CE marking. Art. 13(13) requires 10-year documentation retention. Art. 13(19)–(21) requires user information per Annex II. CRACheck generates the 8-document package that covers all documentable obligations. 15–25 minutes. €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Manufacturer obligations at a glance

Art. 13

Over 20 manufacturer obligations

5 years

Minimum support period — Art. 13(8)

10 years

Documentation retention — Art. 13(13)

The complete manufacturer obligation map

Design per Annex I

Art. 13(1): ensure the product was designed, developed, and produced in accordance with the essential cybersecurity requirements of Annex I Parts I and II.

Risk assessment

Art. 13(2)–(3): undertake a cybersecurity risk assessment covering intended purpose, foreseeable use, operational environment, and all Annex I requirements.

Technical documentation

Art. 13(4) + Art. 31: draw up technical documentation per Annex VII before market placement. Continuously update during the support period.

Vulnerability handling and reporting

Art. 13(6) + Art. 14: implement vulnerability handling per Annex I Part II. Report actively exploited vulnerabilities to ENISA within 24 hours.

Support period and updates

Art. 13(8)–(9): provide security updates free of charge for at least 5 years (or expected product lifetime if shorter). Display end date on packaging per Art. 13(21).

Conformity assessment and CE marking

Art. 13(12): carry out conformity assessment per Art. 32, draw up declaration of conformity per Art. 28, and affix CE marking per Art. 30.

User information

Art. 13(19)–(21): provide clear, understandable information per Annex II in a language determined by the Member State. Display support period end date at point of purchase.

Run CRACheck

CRACheck generates the 8-document package covering all documentable manufacturer obligations: Product Classifier, Technical Documentation, Risk Assessment, User Information, Declaration of Conformity, CVD Policy, Notification Template, and Obligations Calendar.

Three mistakes manufacturers make

❌

WRONG ROLE

Assuming the distributor or integrator bears the manufacturer obligations

Article 3(13) defines the manufacturer as whoever develops or has the product developed and markets it under their name or trademark. If you brand the product, you are the manufacturer under the CRA regardless of who wrote the firmware. White-label brands cannot shift Art. 13 obligations to OEM suppliers through contract terms alone.

❌

SHORT SUPPORT

Setting a support period shorter than 5 years without justification

Art. 13(8) sets a minimum of 5 years from market placement. A shorter period is only permissible if "the expected product lifetime is shorter than 5 years," in which case the support period must match the expected lifetime. A manufacturer that arbitrarily sets a 2-year support period for a product with a 10-year expected lifetime violates Art. 13(8).

❌

DELEGATION ERROR

Delegating all obligations to an authorised representative

Art. 18 allows appointment of an authorised representative for non-EU manufacturers, but Art. 18(2) explicitly excludes key obligations from delegation: product design per Art. 13(1), risk assessment per Art. 13(2)–(3), and vulnerability handling per Art. 13(6). The manufacturer retains direct responsibility for these regardless of representative appointment.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Category per Annex III/IV. Determines the conformity assessment module under Art. 32.

Technical Documentation

Full Annex VII. All 8 points. The backbone of the manufacturer's compliance file per Art. 31.

Risk Assessment

Per Art. 13(2)–(3). Maps all Annex I Part I(2) requirements to your product.

User Information

Per Annex II and Art. 13(19)–(21). All 11 mandatory information categories.

Declaration of Conformity

Per Art. 28 and Annex V. Required by Art. 13(12) before CE marking.

CVD Policy

Per Annex I, Part II, point (5). Required by Art. 13(6) as part of vulnerability handling.

Notification Template

Per Art. 14. Required by Art. 13(6) for reporting to ENISA.

Obligations Calendar

Maps all Art. 13 deadlines: Art. 14 reporting from 11 September 2026, full CRA from 11 December 2027, support period, 10-year retention.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Hiring a CRA compliance consultancy to map all manufacturer obligations, conduct the risk assessment, produce the Annex VII file, draft the CVD policy, and prepare the conformity assessment documentation.

€20,000–€50,000

3–6 months. One product. Cannot self-regenerate when the product evolves.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history