Article 17

Importer Obligations Under the Cyber Resilience Act

Article 17 places specific obligations on importers — entities that bring products with digital elements manufactured outside the EU into the EU market for the first time. Importers must verify that manufacturers have met their CRA obligations before placing products on the market, and they bear personal liability for non-compliant products they import. This provision creates a compliance gateway role for importers within the EU supply chain.

Effective: September 2026
Applies to: EU-based entities importing products with digital elements from non-EU manufacturers

The Importer's Verification Obligation

Article 17 requires importers to perform due diligence before placing a non-EU-manufactured product on the EU market. Specifically, importers must verify that:

  1. The manufacturer has performed the applicable conformity assessment procedure
  2. The manufacturer has drawn up the technical documentation under Annex VII
  3. The product bears the CE marking
  4. The manufacturer has drawn up the EU Declaration of Conformity
  5. The manufacturer has appointed an authorised representative (where required under Article 16)
  6. The product is accompanied by the required user information under Article 13 and Annex II

This verification obligation makes the importer a compliance gatekeeper — they cannot simply pass through products without checking that manufacturers have met their obligations. Importers who knowingly place non-compliant products on the market can face penalties under Article 32.

CRA reference: Article 17(1)

What Importers Must Do When Non-Compliance Is Found

If an importer finds that a product does not comply with the CRA essential requirements, or that the manufacturer has not completed the required conformity assessment, the importer must not place the product on the market until compliance is achieved. The importer must inform both the manufacturer and the market surveillance authorities of the non-compliance.

Where a product presents a serious risk, the importer must immediately inform the national market surveillance authority and the manufacturer. Importers should have processes for handling compliance holds — including storage of non-compliant products, communication with manufacturers, and documentation of the non-compliance findings.

This obligation creates a practical need for importers to have some technical competence in cybersecurity requirements, or to engage technical advisors who can assess manufacturer compliance claims. Simply accepting a manufacturer's declaration without meaningful verification may not meet the Article 17 standard.

CRA reference: Article 17(2)

Importer Information and Traceability Requirements

Article 17 requires importers to ensure traceability — specifically, that their name, registered trade name or mark, and postal address (and website or email address where applicable) are indicated on the product or on its packaging. This enables market surveillance authorities and consumers to identify the EU entity responsible for the product's market entry.

For digital products where physical labelling is not practicable, these details may be provided in the accompanying documentation or in a prominent location on the product's digital interface. The importer's contact details must be in a language easily understood by end users and national authorities in the member state where the product is sold.

Importers must also keep copies of the EU Declaration of Conformity for 10 years after placing the product on the market, and must make these available to authorities on request.

CRA reference: Article 17(3)–(4)

Obligations Regarding Products Already on the Market

Once a product is on the market, importers retain ongoing obligations. Where an importer has reason to believe a product no longer complies with the essential requirements — for example, because new vulnerabilities have been discovered or because the manufacturer has failed to provide security updates — the importer must take corrective action. This may include:

  • Requiring the manufacturer to provide security updates or remediation
  • Withdrawing the product from sale pending remediation
  • Recalling products already in users' hands where they present a serious risk
  • Notifying national market surveillance authorities of a risk

Importers should maintain ongoing communications with manufacturers to receive alerts about newly discovered vulnerabilities and available security updates. Supply agreements with non-EU manufacturers should include contractual obligations requiring manufacturers to inform importers of CRA-relevant events.

CRA reference: Article 17(5)

Sample Testing and Documentation Checks

Article 17 permits importers to carry out sample testing of products that have been placed on the market and to investigate complaints. This is not a requirement to test every product, but rather an authorisation to conduct quality-control checks as part of the ongoing verification obligation.

Practically, importers serving high-volume markets should consider periodic testing of product samples to verify that the conformity documentation reflects the actual product. Discrepancies between declared specifications and actual product characteristics are a compliance risk — both for the manufacturer and for the importer who placed the product on the market.

Importers should document their verification activities, including records of documentation checks, sample testing results, and any communications with manufacturers regarding compliance issues. This documentation demonstrates due diligence in the event of a market surveillance investigation.

CRA reference: Article 17(6)

Frequently asked

Is every company that imports an electronic product from outside the EU an 'importer' under the CRA?

An importer under the CRA is specifically a company that places a product on the EU market for the first time in the context of a commercial distribution activity. A company buying products for its own internal use (not for resale) is generally not an importer in the CRA sense. However, any entity that buys non-EU products and resells them to EU customers for the first time is an importer and bears Article 17 obligations.

Can I rely on the manufacturer's CE marking without additional checks?

No. Article 17 requires importers to verify that the manufacturer has actually completed the required procedures — not merely that a CE marking is present. CE marking can be incorrectly applied, and the importer has an obligation to check that the underlying documentation exists and is in order. The depth of checking required is proportionate to the product's risk class and the importer's knowledge of the manufacturer's quality systems.

What should an importer do if a manufacturer stops providing security updates mid-support-period?

If a manufacturer ceases providing security updates in breach of their CRA obligations, the importer should first attempt to require the manufacturer to resume updates under the supply agreement. If that fails, the importer should inform national market surveillance authorities and consider whether the product can continue to be sold with adequate user warnings. In serious cases, withdrawal may be necessary.

How long must importers keep records of EU Declarations of Conformity?

Importers must keep a copy of the EU Declaration of Conformity for 10 years after placing the product on the EU market. This is the same retention period applicable to manufacturers. The declaration must be available to national authorities on request throughout this period.
