Article 21 establishes overarching obligations that apply to all economic operators in the CRA supply chain — manufacturers, importers, authorised representatives, and distributors. It creates cross-cutting requirements for supply chain transparency, cooperation with authorities, and information sharing that complement the more specific obligations in earlier articles. Article 21 ensures that the entire distribution chain, not just manufacturers, contributes to market surveillance and compliance.
Cooperation with Competent Authorities
Article 21 requires all economic operators — manufacturers, importers, authorised representatives, and distributors — to cooperate with national market surveillance authorities and other competent authorities on request. This is a broad obligation that encompasses:
- Providing access to technical documentation and compliance records
- Supplying information about the supply chain, including the identities of manufacturers, importers, and distributors
- Facilitating product testing and inspection by authorities
- Implementing corrective actions requested by authorities within specified timeframes
- Participating in investigations into suspected non-compliance or product risks
The cooperation obligation applies regardless of whether the economic operator is itself suspected of non-compliance. An importer who has no independent compliance failure may still be required to provide supply chain information to help authorities trace a non-compliant product to its source.
Supply Chain Transparency
Article 21 requires economic operators to be able to identify who supplied a product to them and to whom they supplied it. This traceability obligation runs up and down the supply chain — operators must be able to trace products both forward (to the next entity in the chain) and backward (to the entity from whom they received it).
The traceability requirement must be fulfilled for a period of 10 years after placing the product on the market. This extended retention period is significant for record-keeping purposes — supply chain records must be maintained for the full decade even when commercial relationships have ended.
For complex supply chains involving multiple tiers of distributors or components from multiple suppliers, the traceability obligation creates a practical need for robust supply chain management systems. Electronic record-keeping with adequate data retention policies is likely necessary to meet this requirement at scale.
Information Sharing on Risks and Non-Compliance
Article 21 creates a proactive information-sharing obligation: economic operators who know or have reason to believe that a product presents a risk to users must immediately inform the relevant national market surveillance authority and the other economic operators in the supply chain who are responsible for the product.
This obligation is not limited to confirmed non-compliance — it applies when an operator 'has reason to believe' a risk exists. This lower threshold means that credible concerns about product security should trigger information sharing even before full investigation. Operators should not wait for definitive proof of a vulnerability before notifying authorities if the available evidence suggests a serious risk.
The information-sharing obligation creates interdependencies within the supply chain: a distributor who learns of a security issue must not simply act unilaterally but must ensure that manufacturers, importers, and authorities are all informed.
Proportionality and Risk-Based Application
Article 21's general obligations are applied in a risk-proportionate manner. The depth of cooperation, the frequency of supply chain monitoring, and the urgency of information sharing are all calibrated to the severity of the risk involved.
For low-risk products with no known issues, the general obligations are largely dormant — operators maintain records and cooperate if asked, but are not required to conduct active compliance monitoring beyond what Article 15 requires of manufacturers. For high-risk products or products where vulnerabilities have been identified, the Article 21 obligations become active and demanding.
The CRA's recitals make clear that economic operators are expected to take a risk-based approach to their obligations — allocating more compliance resources to products that present greater risks to users and society.
Interaction with Other Economic Operator Obligations
Article 21's general obligations complement and reinforce the specific obligations in Articles 16–19. Where those articles establish specific requirements for particular types of economic operator, Article 21 creates the general framework within which all operators must function.
For manufacturers, Article 21 reinforces the post-market monitoring and corrective action obligations in Article 15. For importers and distributors, it reinforces the verification and traceability obligations in Articles 17 and 18. For authorised representatives, it reinforces the cooperation obligations they owe by virtue of their appointment.
The general obligation framework in Article 21 also fills gaps — for example, where a novel supply chain arrangement does not fit neatly into the manufacturer/importer/distributor categories, Article 21's general obligations still apply to ensure that all parties in the chain bear some responsibility for compliance.
CVD Portal helps you comply with Article 21 automatically.
Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.
Start your free portalFrequently asked
Does Article 21 apply to small businesses that only sell a few CRA-in-scope products?+
Yes, Article 21 applies to all economic operators regardless of size. However, the CRA's proportionality principle means that the practical burden of compliance is lighter for small operators selling low-risk products. Micro-enterprises and small businesses should still maintain basic supply chain records and be prepared to cooperate with authorities, but the depth of their compliance programme can be scaled to their risk profile.
If I receive a request for supply chain information from a market surveillance authority, how quickly must I respond?+
Article 21 does not specify a fixed response time for supply chain information requests. The obligation is to cooperate, which implies responding within a reasonable timeframe. Under similar EU product regulations, authorities typically specify a response deadline in their request — often 10 to 15 working days. Manufacturers and importers should have processes to enable rapid retrieval of supply chain records.
What happens if I share information under Article 21 that later turns out to be incorrect?+
Providing incorrect information to authorities — whether through negligence or intentionally — is itself a compliance issue. Article 21 requires good-faith cooperation with accurate information. Companies should have processes to verify the accuracy of information before providing it to authorities, and should correct any errors promptly if discovered after submission.
Does Article 21 require operators to proactively disclose vulnerabilities they discover, or only to respond to authority requests?+
Article 21(3) creates a proactive obligation: operators must inform authorities and supply chain partners when they have reason to believe a product presents a risk — without waiting to be asked. This proactive duty is in addition to the general cooperation duty triggered by authority requests. The threshold for proactive disclosure is a reasonable belief of risk, not certainty of a confirmed vulnerability.
Need a CVD policy that satisfies Article 21?
Download a free CRA-compliant template and deploy it in minutes.