Article 10

Obligations of Manufacturers — Product Security by Design

Article 10 is the central obligation article for manufacturers. It requires that products with digital elements be designed, developed, and produced in accordance with the essential requirements in Annex I, and establishes the documentation, testing, and ongoing security management obligations manufacturers must fulfil.

Effective: September 2026
Applies to: All manufacturers of products with digital elements sold in the EU market

Core Manufacturer Obligations Under Article 10

Article 10 establishes that manufacturers must:

  1. Ensure Annex I compliance — Design and produce products that meet all essential security requirements in Annex I Part I (product properties) and Part II (vulnerability handling).
  2. Conduct security risk assessment — Perform and document a cybersecurity risk assessment before placing a product on the market.
  3. Maintain technical documentation — Compile and keep the technical file required for conformity assessment (Article 23 + Annex V).
  4. Apply CE marking — Affix the CE marking to compliant products and issue a declaration of conformity.
  5. Provide security updates — Ensure products can receive security updates for their supported life.
  6. Notify incidents — Report actively exploited vulnerabilities to ENISA per Article 14.

CRA reference: Article 10(1)–(10)

The Cybersecurity Risk Assessment Requirement

Before placing a product on the market, manufacturers must conduct a cybersecurity risk assessment that:

  • Identifies the intended purpose and foreseeable misuse of the product
  • Analyses the threat landscape for the product category
  • Assesses the cybersecurity risks to users
  • Documents the security controls implemented to address those risks
  • Is updated when the product is substantially modified

This risk assessment forms the core of the technical documentation and is reviewed by notified bodies for Annex III products. For self-assessed Default class products, it is the primary evidence of due diligence.

CRA reference: Article 10(2), Annex I

Software Bill of Materials (SBOM) Obligations

Article 10(6) requires manufacturers to identify and document the components in their products, including a software bill of materials (SBOM) covering, at minimum, the top-level dependencies. This component inventory supports:

  • Tracking of known vulnerabilities in third-party components
  • Compliance with the 'no known vulnerabilities' requirement in Annex I
  • Supply chain security transparency

The SBOM does not need to be publicly available (unlike security advisories), but must be producible quickly for regulatory inspection.

CRA reference: Article 10(6), Annex I Part I(1)

Post-Market Security Obligations

Article 10 is not just about pre-market design. It establishes ongoing post-market obligations:

  • Vulnerability monitoring: Continuously monitor for new vulnerabilities affecting your products and their components.
  • Remediation without undue delay: When a vulnerability is confirmed, act promptly to develop a fix or workaround.
  • Update distribution: Ensure security updates reach users — this may require push notification mechanisms for connected products.
  • End-of-life notification: Inform users when security support for a product ends.
  • Records maintenance: Keep records of vulnerabilities, investigations, and remediations for 10 years.

CRA reference: Article 10(7)–(9), Annex I Part II

CVD Portal helps you comply with Article 10 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.


Frequently asked questions

Does Article 10 apply to products already on the market?

Article 10 applies to products placed on the EU market after the CRA's application date (September 2026). Products already on the market before that date are not immediately subject to CRA requirements, but substantial modifications to existing products may bring them within scope.

What counts as a 'substantial modification' that triggers CRA re-assessment?

A substantial modification is one that changes the product's cybersecurity risk profile — for example, adding network connectivity, changing authentication mechanisms, or significantly updating core software components. Cosmetic changes, routine security patches, and minor bug fixes are not considered substantial modifications.

How long must technical documentation be retained?

Technical documentation must be retained for 10 years after the product is placed on the market, or for the product's supported life if that is longer.

Need a CVD policy that satisfies Article 10?

Download a free CRA-compliant template and deploy it in minutes.
