CRA Compliance in Germany
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for German manufacturers.
Germany is home to Europe's largest manufacturing sector and one of its most mature national cybersecurity authorities. The BSI (Bundesamt für Sicherheit in der Informationstechnik) has been designated as the national competent authority for CRA enforcement, bringing decades of product security expertise to the role. German manufacturers face a well-established regulatory environment, with the BSI-Gesetz (BSI Act) already mandating incident reporting for critical infrastructure — the CRA extends comparable obligations to a far broader range of product manufacturers.
National Competent Authority (CRA)
BSI
Bundesamt für Sicherheit in der Informationstechnik
The BSI is Germany's federal cybersecurity authority and the designated NCA for the CRA. It has broad powers to issue guidance, conduct market surveillance, and coordinate with ENISA on cross-border enforcement.
https://www.bsi.bund.de
National CSIRT (Article 14 Reports)
CERT-Bund
https://www.bsi.bund.de/meldung
https://www.bsi.bund.de/cert
CRA Enforcement in Germany
The BSI has been designated as Germany's national competent authority (NCA) under the CRA, building on its existing mandate under the BSI-Gesetz. BSI already operates market surveillance for certain product categories under the Radio Equipment Directive and NIS2, giving it established tooling and legal precedent for CRA enforcement. Manufacturers placing products with digital elements on the German market — one of the EU's largest — must ensure conformity with Annex I requirements before CE marking and market access. The BSI publishes detailed technical guidance and maintains a register of accredited conformity assessment bodies for products requiring third-party evaluation.
Article 14 Incident Reporting for German Manufacturers
German manufacturers must report actively exploited vulnerabilities and significant security incidents to CERT-Bund, the national CSIRT hosted within BSI, within the Article 14 timeframes: an early warning within 24 hours and a notification within 72 hours. Germany has a well-established electronic reporting portal at bsi.bund.de/meldung used for NIS2 and KRITIS notifications, which will be extended to cover CRA Article 14 obligations. CERT-Bund coordinates with ENISA's ECSIRT network and will relay reports to other member states when products are distributed across the EU. Manufacturers should establish a documented incident response procedure naming CERT-Bund as the Article 14 recipient.
Market Surveillance & Penalties
The BSI's market surveillance division conducts both documentary reviews and technical testing of products. For CRA non-compliance, German law will implement the full CRA penalty regime: up to €15 million or 2.5% of global annual turnover for violations of essential requirements, whichever is higher. The BSI may issue corrective action orders, require product withdrawal, or restrict market access. Germany's existing tradition of robust regulatory enforcement — demonstrated through BSI's enforcement under the BSI-Gesetz and the Telekommunikationsgesetz — signals that CRA market surveillance in Germany will be active rather than reactive.
Support for German Manufacturers
The BSI publishes extensive free guidance for manufacturers, including its IT-Grundschutz framework, which maps closely to CRA Annex I requirements, and its Technische Richtlinien (Technical Guidelines) for specific product categories. The BSI also operates an IT Security Label programme for consumer products that can serve as a stepping stone toward CRA conformity. Germany hosts a dense ecosystem of TÜV and DEKRA accredited conformity assessment bodies capable of supporting Annex IV evaluations. Small and medium-sized enterprises can access the BSI's Mittelstand Digital initiative, which provides subsidised cybersecurity advisory services.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CERT-Bund, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Frequently asked
How do I contact the BSI as a manufacturer with a CRA compliance question?
The BSI operates a manufacturer and business enquiries channel at bsi.bund.de. For CRA-specific queries, manufacturers should use the BSI's official contact form and reference the CRA regulation number (EU 2024/2847). The BSI also publishes sector-specific guidance and hosts events for manufacturers through its Allianz für Cyber-Sicherheit programme, which is free to join and provides access to technical workshops.
Does Germany have national-level CRA implementing legislation?
Germany will implement the CRA through amendments to the BSI-Gesetz (BSIG) and related regulations. The BSI-Gesetz already contains incident reporting requirements for critical infrastructure operators under NIS2, and the CRA amendments are expected to align Article 14 reporting with the existing KRITIS notification procedures. The Bundestag is expected to pass implementing legislation ahead of the CRA's application date in December 2027.
How does the CRA interact with the BSI-Gesetz and Germany's existing cybersecurity laws?
The CRA operates alongside but does not replace the BSI-Gesetz. Products that are critical infrastructure components face obligations under both frameworks. Where requirements overlap — for example, incident reporting — manufacturers may be able to satisfy both with a single notification routed through the BSI's unified portal. German manufacturers should conduct a gap analysis mapping their BSI-Gesetz obligations against CRA requirements to identify any additive duties.