Article 16 requires manufacturers established outside the European Union who place products with digital elements on the EU market to appoint an authorised representative established within the EU. The authorised representative is the legal point of contact for national market surveillance authorities, ENISA, and other competent bodies. This provision ensures that there is always an EU-based entity accountable for CRA compliance, regardless of where the manufacturer is located.
Who Needs an Authorised Representative
Article 16 applies to manufacturers established outside the European Union who place products with digital elements on the EU market. This includes manufacturers in countries such as the United States, China, South Korea, Japan, Taiwan, and any other non-EU jurisdiction whose products are sold in the EU.
The requirement exists because EU regulatory enforcement relies on the ability of national authorities to contact and interact with responsible legal entities within their jurisdiction. A manufacturer established in a third country cannot easily be reached by an EU market surveillance authority, cannot be summoned before EU courts in the ordinary way, and may not be subject to EU financial penalties. The authorised representative solves this problem by providing an EU-based point of accountability.
The authorised representative must be formally designated in writing by the manufacturer before the product is placed on the EU market. This designation is a prerequisite for CE marking, not an afterthought.
What the Authorised Representative Must Do
The authorised representative has significant legal responsibilities under Article 16. Key obligations include:
Register with market surveillance authorities: The authorised representative's name and address must appear in the EU Declaration of Conformity and in the product's user-facing information, enabling authorities and consumers to contact them.
Maintain the technical file: The authorised representative must hold a copy of the technical documentation and EU Declaration of Conformity and be able to provide them to national authorities on request, typically within a short timeframe (often 10 working days under similar EU regulations).
Cooperate with authorities: When national market surveillance authorities require information, conduct investigations, or require corrective action, the authorised representative is the primary point of contact and must cooperate fully.
Relay Article 14 notifications: Where the manufacturer must report a vulnerability under Article 14, the authorised representative may be responsible for ensuring these notifications reach the relevant national CSIRT.
Notify the manufacturer of enforcement actions: If authorities take corrective action or require product withdrawal, the representative must promptly inform the manufacturer.
Choosing an Authorised Representative
The authorised representative must be a legal entity or natural person established in the EU. They can be a specialist compliance service provider, an EU subsidiary of the manufacturer, an importer who takes on this role, or a dedicated EU regulatory representative firm.
When choosing a representative, manufacturers should consider:
Competence: Does the representative understand cybersecurity product regulation and the CRA specifically? Authorised representative services provided by general compliance firms may not have the technical depth needed for CRA.
Liability: The authorised representative can incur personal liability for CRA violations where the manufacturer has failed to comply. Representatives should have adequate indemnification arrangements and professional liability insurance.
Accessibility: National authorities may require urgent responses. The representative must be reachable quickly and be able to respond within required timeframes.
Mandate scope: The written mandate between manufacturer and representative must clearly define what the representative is authorised to do, particularly whether they can make compliance decisions on behalf of the manufacturer or merely relay communications.
Relationship Between the Authorised Representative and the Importer
Article 16 and Article 17 create two overlapping categories: authorised representatives and importers. Both have EU-based obligations, but they serve different functions.
The authorised representative is specifically appointed by the manufacturer through a written mandate and acts as the manufacturer's legal representative for regulatory purposes. The importer is the entity that physically places the product on the EU market by importing it into EU territory.
In practice, the same entity can be both the authorised representative and the importer. An EU distributor who imports a US manufacturer's products and is also formally appointed as the authorised representative wears both hats simultaneously.
Where they are different entities, the obligations differ: the importer has specific obligations under Article 17 related to verification before placing products on the market, while the authorised representative has the broader mandate to interact with authorities on the manufacturer's behalf.
Termination and Change of Authorised Representative
When an authorised representative relationship ends — because the representative withdraws, the manufacturer terminates the mandate, or the representative entity ceases to exist — the manufacturer must appoint a replacement before continuing to place products on the EU market. Products already on the market under a previous representative's watch do not become non-compliant simply because the representative changes, but ongoing market activity requires a valid representative at all times.
Changes of authorised representative must be reflected in updated EU Declarations of Conformity and in product documentation where the representative's contact details are provided. Where the CE marking documentation references the former representative, updated documentation must be prepared and made available.
Manufacturers should ensure authorised representative agreements include clear provisions for continuity obligations during transition periods to avoid regulatory gaps.
CVD Portal helps you comply with Article 16 automatically.
Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.
Start your free portalFrequently asked
Can a manufacturer's EU subsidiary act as its authorised representative?+
Yes. An EU-established subsidiary of a non-EU manufacturer can act as the authorised representative, provided it is a legally distinct entity established in the EU and is formally designated through a written mandate. The subsidiary must genuinely hold the technical documentation and be able to interact with authorities independently — it cannot simply route all queries back to the parent without adding value.
Does the authorised representative need to be in the same EU member state where the product is sold?+
No. The authorised representative only needs to be established in any EU member state. Their EU presence enables all 27 member states' authorities to interact with them under EU law. Many manufacturers choose to establish their representative in a member state with a strong tradition of regulatory compliance services, such as Germany, the Netherlands, or Ireland.
What happens if a non-EU manufacturer sells products in the EU without an authorised representative?+
The absence of an authorised representative is itself a CRA violation. Products placed on the EU market without a properly designated authorised representative are non-compliant, which means the CE marking is invalid. Market surveillance authorities can require product withdrawal and impose penalties on the importer or distributor who facilitated the market access, since they would bear joint responsibility.
Is the authorised representative personally liable for the manufacturer's CRA violations?+
The authorised representative can bear liability for failures in their own obligations — such as failure to maintain technical documentation, failure to cooperate with authorities, or failure to relay notifications. They are not automatically liable for the manufacturer's non-compliance with technical requirements, but the line can become blurred where the representative is aware of non-compliance and takes no action.
Need a CVD policy that satisfies Article 16?
Download a free CRA-compliant template and deploy it in minutes.