In an ODM arrangement, who signs the Declaration of Conformity?

The manufacturer under Art. 3(13) of Regulation (EU) 2024/2847 — the entity that markets the product under its name or trademark. In a typical ODM arrangement, this is the brand owner. The factory does not sign unless it also independently places the product on the EU market under its own brand.

Can the factory and brand owner share a single Art. 31 technical file?

If only one entity is the manufacturer (typically the brand owner), only one Art. 31 file is required. If both entities market the product under different brands (dual manufacturer scenario), each needs independent documentation. The engineering data may overlap, but the CRA identifies obligations per manufacturer, not per product design.

Does customising the software UI constitute a substantial modification?

Art. 22 of Regulation (EU) 2024/2847 does not define "substantial modification" with a bright-line test. Recital 38 refers to modifications that affect the product's conformity or change its intended purpose. A cosmetic UI change likely does not qualify. Modifying security-relevant firmware, changing authentication mechanisms, or altering the product's network connectivity behaviour likely does. The Commission may publish guidance under Art. 26(2)(d).

Our factory is in China. Does the CRA apply to them?

If the factory does not place the product on the EU market under its own name, the CRA's manufacturer obligations do not apply to the factory directly. The brand owner who markets the product in the EU is the manufacturer. However, the factory's engineering data is essential for the brand owner to fulfil Art. 13 — hence the contractual need for cybersecurity data sharing.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Your company operates in an OEM or ODM arrangement. One party designs, another produces, a third markets the product under its brand. Article 3(13) of Regulation (EU) 2024/2847 does not care who built the circuit board. It cares who markets the product under their name or trademark. That party is the manufacturer — and that party bears twenty-one obligations under Article 13.

OEM and ODM arrangements distribute engineering responsibility across multiple entities. The CRA cuts through that distribution with a single test under Art. 3(13): the manufacturer is whoever develops or has developed a product with digital elements and markets it under their name or trademark. In a pure OEM model — where the brand owner specifies the design and the factory produces to specification — the brand owner is the manufacturer. In a pure ODM model — where the factory designs and the brand owner rebrands — the brand owner is still the manufacturer because they market it under their trademark. The factory, unless it also sells the same product under its own brand, is a contract producer outside the CRA's manufacturer definition. Art. 22 adds one more trigger: a substantial modification by any party makes that party the manufacturer for the affected part of the product. CRACheck generates the 8-document Art. 31 technical file. €149 per product. 15-25 minutes. Design data stays in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 3(13)

Manufacturer = who markets under their name or trademark, regardless of who designed or produced

Art. 22

Substantial modification by any party creates manufacturer status for the modified part

€15M

Maximum fine for the party classified as manufacturer under Art. 64(2)

How to proceed

Map your arrangement to the CRA's definitions

In OEM: brand owner specifies, factory produces. Brand owner markets under its name → brand owner is manufacturer. In ODM: factory designs, brand owner rebrands. Brand owner markets under its name → brand owner is manufacturer. Factory selling the same product under its own brand separately → factory is also a manufacturer for that separate placement.

Identify substantial modification triggers

Art. 22: if any party (integrator, reseller, customiser) carries out a substantial modification and makes the product available on the market, that party becomes the manufacturer for the affected part — or the entire product if the modification impacts overall cybersecurity.

Allocate documentation responsibility contractually

The manufacturer under Art. 3(13) must produce Art. 31 documentation. If the brand owner lacks engineering data, the OEM/ODM contract must require the factory to provide cybersecurity risk data, component inventories, SBOM, vulnerability handling procedures and support period commitments.

Complete the Art. 31 technical file

Annex VII applies regardless of which party has the engineering capability. The manufacturer of record is responsible for the file's existence and accuracy.

Establish joint vulnerability handling

Art. 13(6) requires the manufacturer to report upstream when a vulnerability is found in an integrated component. In OEM/ODM arrangements, this means a defined communication channel between brand owner and factory, operational by September 2026.

Prepare ENISA reporting under the correct entity

Art. 14 notifications are submitted by the manufacturer. In OEM/ODM, identify which entity will submit — the brand owner as manufacturer or, if the factory is also a manufacturer for its own branded version, both.

Common mistakes

❌

MANUFACTURER MISIDENTIFICATION

Assuming the factory is the manufacturer because it builds the product

Art. 3(13) of Regulation (EU) 2024/2847 does not test who built the product. It tests who markets it under their name. In ODM arrangements, the factory designs and produces, but if the brand owner markets the finished product under its own trademark, the brand owner is the manufacturer. The factory is a contract producer with no CRA manufacturer obligations for that branded product.

❌

DUAL MANUFACTURER BLIND SPOT

Not recognising that both factory and brand owner can be manufacturers simultaneously

If the factory sells the same product under its own brand AND the brand owner sells it under a different brand, both are manufacturers under Art. 3(13) — each for their own market placement. Each must produce independent Art. 31 documentation and each faces Art. 64(2) penalties independently.

❌

MODIFICATION LIABILITY

Making firmware changes after import and not recognising Art. 22

Art. 22 of Regulation (EU) 2024/2847 states that any person who carries out a substantial modification and makes the product available on the market becomes the manufacturer. Customising firmware, changing security configurations, or altering the product's intended purpose can trigger this — even if the original product was CRA-compliant.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the CRA category for the product as placed on the market by the manufacturer of record.

Technical Documentation

Art. 31 and Annex VII documentation produced by the manufacturer (brand owner). Engineering data sourced from the OEM/ODM factory, structured into the regulatory format.

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3) covering the product as marketed, including factory-provided component data.

User Information

Annex II information under the brand owner's identity, with vulnerability reporting contact and support period.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V issued by the brand owner as manufacturer.

CVD Policy

Coordinated vulnerability disclosure policy under the brand owner's coordination, with factory involvement documented.

Notification Template

ENISA notification template for the entity classified as manufacturer. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates accounting for OEM/ODM contract milestones, support period alignment with factory agreements, Art. 14 from September 2026.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 OEM/ODM COMPLIANCE LEGAL MAPPING

Legal opinion on manufacturer status + documentation

€8,000-25,000 per product family

8-16 weeks

Factory involvement required

Legal opinion only — does not produce Art. 31 file

Re-engagement per product revision

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history