Can I contractually transfer CRA obligations to my factory?

You can contractually require your factory to provide the engineering data, vulnerability handling and security updates you need to fulfil Art. 13. But the CRA obligation itself remains with you as manufacturer under Art. 3(13). If your factory fails to deliver, authorities hold you responsible — not the factory.

My factory already has CE marking for RED. Does that cover the CRA?

No. CE marking under Directive 2014/53/EU (Radio Equipment Directive) covers radio and electromagnetic requirements. Regulation (EU) 2024/2847 is a separate legal act with its own essential cybersecurity requirements under Annex I and its own conformity assessment under Art. 32. A product needs CRA CE marking separately.

What if my factory supplies the same product to competitors under their brands?

Each brand owner who markets the product under their name is a separate manufacturer under Art. 3(13). Each produces their own Art. 31 documentation, issues their own declaration of conformity, and manages their own ENISA reporting. The factory may provide common engineering data, but the CRA obligations are per-manufacturer.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

You source a connected product from a contract manufacturer, apply your brand, and sell it in the EU. You did not design the hardware. You did not write the firmware. But Article 3(13) of Regulation (EU) 2024/2847 defines the manufacturer as whoever markets the product under its name or trademark. The moment your logo goes on the box, the twenty-one obligations of Article 13 go on your balance sheet.

Q: I only add my logo and packaging. Am I really the manufacturer?

Yes. Art. 3(13) of Regulation (EU) 2024/2847 states that the manufacturer is whoever markets the product under its name or trademark, including whoever "has products with digital elements designed, developed or manufactured" by others. Adding your logo and marketing the product under your brand triggers manufacturer status. The extent of your design involvement is irrelevant.

The CRA's manufacturer definition does not require you to have designed or developed the product yourself. Art. 3(13) covers any person who "has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge." This is the white-label scenario: you commission production, you brand the product, you are the manufacturer. Art. 21 reinforces it for importers and distributors: placing a product under your own name or trademark makes you the manufacturer. The cybersecurity risk assessment (Art. 13(2)), the technical documentation (Art. 31), the vulnerability handling (Art. 13(6)-(8)), the ENISA reporting (Art. 14) — all of it is yours. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Your factory's data stays in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 3(13)

Markets under its name or trademark = manufacturer, regardless of who designed it

Manufacturer obligations under Art. 13 that transfer to the brand owner

€15M

Maximum fine under Art. 64(2) for non-compliance with Art. 13

How to proceed

Accept your manufacturer status

Art. 3(13) is unambiguous: if you market the product under your name or trademark, you are the manufacturer. This is not a risk-based determination — it is a definition. If your brand is on the product, you own the compliance.

Map obligations back to your contract manufacturer

You are the manufacturer legally, but your factory has the engineering data. Structure your OEM/ODM contract to require cybersecurity risk assessment data, component inventories, SBOM, vulnerability handling commitments and support period coverage.

Complete the cybersecurity risk assessment

Art. 13(2)-(3): the assessment must be documented and based on technical data from your factory. You sign the declaration; you need the data to support it.

Produce Art. 31 technical documentation

Annex VII requires product description, design and development details, vulnerability handling processes, risk assessment, standards applied, test reports. Your factory provides the technical inputs; you produce the structured documentation as manufacturer.

Establish ENISA reporting capability

Art. 14 applies to you as manufacturer. Your contract manufacturer discovering a vulnerability triggers your 24h notification obligation. Build the communication channel before September 2026.

Define the support period contractually

Art. 13(8) requires vulnerability handling for the support period. If your factory contract ends after 2 years but your product has a 5-year expected lifecycle, you need contractual coverage for the gap — or you personally carry the vulnerability handling obligation.

Common mistakes

❌

MANUFACTURER DENIAL

Claiming you are only the distributor because you did not design the product

Art. 3(13) of Regulation (EU) 2024/2847 does not require design or development activity. It requires marketing under your name or trademark. Art. 21 reinforces: an importer or distributor that places a product under its own name is the manufacturer. Market surveillance authorities will not accept "but I only rebranded it" as a defence.

❌

CONTRACTUAL GAP

No cybersecurity clauses in your OEM contract

As manufacturer under Art. 3(13), you bear Art. 13 obligations but your factory holds the engineering data. Without contractual clauses requiring vulnerability disclosure, SBOM provision, security update delivery and support period coverage, you cannot fulfil Art. 13(5)-(8) — and you cannot produce credible Art. 31 documentation.

❌

SUPPORT PERIOD ORPHAN

Contract manufacturer discontinues the product mid-support period

Art. 13(8) requires vulnerability handling for the entire support period. If your factory exits production and stops delivering security updates, you — as the manufacturer on the market — must still handle vulnerabilities. Art. 19(8) and Art. 20(6) impose notification obligations on importers and distributors when the manufacturer ceases operations, but when you are the manufacturer, the obligation stays with you.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the CRA category. As white-label manufacturer, you need this to determine your conformity assessment route under Art. 32.

Technical Documentation

Art. 31 and Annex VII documentation. You produce this using engineering data from your factory. This is the document authorities request from you as manufacturer.

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3). Built from your factory's technical data. Your name is on the product — your signature is on the risk assessment.

User Information

Annex II user information with your brand's contact details, vulnerability reporting channel and support period commitment.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V. Issued by you as manufacturer. References your product under your trademark.

CVD Policy

Coordinated vulnerability disclosure policy under your brand. Establishes the reporting channel users and researchers contact.

Notification Template

ENISA notification template per Art. 14. Pre-structured for the 24h/72h/14-day cycle.

Obligations Calendar

Key dates mapped to a white-label manufacturer: Art. 14 from September 2026, full enforcement December 2027, OEM contract renewal milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 COMPLIANCE CONSULTANCY FOR PRIVATE-LABEL SELLERS

Third-party compliance mapping per product line

€5,000-20,000 per product

6-12 weeks

Requires sharing factory specifications with consultant

Report-based — does not produce your Art. 31 file

Re-engagement for each new product or hardware revision

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history