When Importers and Distributors Are Treated as Manufacturers

Article 19(1)(a) provides that an importer or distributor who places a product on the EU market under their own name or brand is treated as a manufacturer for the purposes of all CRA obligations. This is commonly known as the 'own-label' or 'private-label' scenario.

The practical implication is significant: a company that sources a product from an Asian manufacturer and sells it in Europe under its own brand name cannot rely on the original manufacturer's CE marking and conformity documentation. It must:

• Conduct its own conformity assessment
• Prepare its own technical documentation under Annex VII
• Draw up and sign its own EU Declaration of Conformity
• Affix the CE marking under its own responsibility
• Take on the full Article 13 CVD obligations
• Bear all post-market monitoring and update obligations

This provision affects a large number of retailers and resellers who operate own-label electronics, home automation devices, and consumer IoT products sourced from third-party manufacturers.

Article 19(1)(b) provides that an importer or distributor who modifies a product already placed on the EU market in a way that could affect its compliance with CRA requirements is treated as a manufacturer. This applies to substantive modifications — changes that affect the product's security properties, its software, or its compliance documentation.

Examples of modifications that would trigger Article 19 treatment include:

• Replacing the product's operating system or firmware with a modified version
• Adding software components not covered by the original manufacturer's assessment
• Changing the product's network connectivity or communication protocols
• Modifying the product's authentication or access control mechanisms
• Altering the product's update mechanism in ways that affect its ability to receive security patches

Cosmetic changes that have no bearing on cybersecurity compliance — such as changing the product's colour, packaging, or adding the company's own branding sticker — do not trigger Article 19. The test is whether the modification could affect the product's compliance with the CRA's essential requirements.

A company treated as a manufacturer under Article 19 takes on all the obligations of a manufacturer — including the most demanding post-market obligations. These include:

Full CVD policy: Must establish and publicly maintain a coordinated vulnerability disclosure policy under Article 13.

Article 14 reporting: Must report severe vulnerabilities and security incidents to ENISA through the national CSIRT within the required timeframes.

Security updates: Must provide free security updates for the full support period and cannot rely on the original manufacturer's update infrastructure.

Technical documentation: Must prepare and maintain the full technical file under Annex VII, including the risk assessment, security testing evidence, and SBOM.

Post-market monitoring: Must actively monitor for vulnerabilities in the product, including those that might originate in components sourced from the original manufacturer.

For companies that were previously operating as distributors, the transition to Article 19 manufacturer status involves significant operational changes and compliance investments.

Article 19 creates an important distinction between selling under your own name and authorised reselling. An authorised reseller who sells a product under the original manufacturer's brand, with the original manufacturer's documentation and CE marking, remains a distributor. The manufacturer retains compliance responsibility.

However, companies must be careful about the extent to which they customise product presentation. Adding a significant co-brand or selling under a product name that differs substantially from the manufacturer's original designation can blur the line between authorised reselling and own-label. Companies should obtain clear written guidance from their legal advisors about whether their specific commercial model constitutes own-labelling under Article 19.

Contractual arrangements between the original manufacturer and the reseller can allocate compliance responsibilities, but these contractual arrangements do not override the regulatory obligations — they merely provide a basis for cost recovery and indemnification if the reseller incurs compliance liability.

Companies that know they will be treated as manufacturers under Article 19 should build their compliance obligations into the product sourcing and development process from the outset. This means:

Technical due diligence on source products: Before committing to an own-label product, assess whether it can meet CRA essential requirements. Request SBOM information, security testing evidence, and vulnerability history from the original manufacturer.

Contractual provisions: Include provisions in OEM/ODM agreements that require the original manufacturer to provide security-related information, disclose known vulnerabilities, and continue to supply security update capability for your products.

Security testing budget: Factor in the cost of independent security testing for own-label products as part of the product development and launch budget.

CVD infrastructure: Build or procure CVD process infrastructure — monitoring inbox, triage processes, tracking systems, advisory publication capability — before the product reaches the market.