Free Movement of CRA-Compliant Products in the EU Single Market

Article 4(1) states that member states shall not prohibit or restrict the placing on the market of products with digital elements that comply with the CRA. This is the foundational free movement guarantee of the regulation, giving CRA-compliant products the right to circulate freely throughout all 27 EU member states.

This principle is fundamental to the EU single market and is one of the primary reasons manufacturers should seek CRA compliance proactively. A single EU-wide compliance exercise — completing the relevant conformity assessment, preparing technical documentation, and affixing the CE marking — creates market access for the entire EU, rather than requiring separate national filings or certifications in each member state.

The practical implication is that once your product carries a valid CE marking under the CRA, no member state can block its sale on cybersecurity grounds without invoking the specific safeguard procedures set out in the regulation.

The CE marking affixed under the CRA signals that the manufacturer has completed the applicable conformity assessment, that the product meets the essential cybersecurity requirements in Annex I, and that an EU Declaration of Conformity has been drawn up in accordance with Article 22.

The CE marking is not a quality mark or security certification issued by a third party — for most products (default class), it is a manufacturer's self-declaration supported by technical documentation. For Class I and Class II products listed in Annex III, third-party involvement is required, but the CE marking is still ultimately affixed by the manufacturer.

Affixing a CE marking on a non-compliant product is a serious violation that can attract penalties under Article 32 and may result in product recall. Manufacturers must ensure that CE marking is only applied to products that genuinely meet the essential requirements.

The free movement guarantee is not absolute. Article 4 permits member states to apply existing national provisions that restrict the use of certain products for public security, public order, or public health reasons, where these national rules are compatible with EU law. This is a narrow exception and does not permit general cybersecurity requirements that duplicate or exceed the CRA.

In addition, the CRA's market surveillance provisions allow national authorities to require product withdrawal or recall where a specific product presents an unacceptable risk, even if it bears the CE marking. This is a product-specific remedy, not a general restriction on a product category.

Manufacturers should be aware that the free movement guarantee operates at the level of the product design, not at the level of individual units. If a market surveillance authority identifies a specific defective unit or batch, corrective action may be required for those units without affecting the broader market authorisation.

Article 4 also addresses a practical edge case: products displayed at trade shows, exhibitions, or demonstrations may be exhibited even if they do not yet fully comply with the CRA, provided potential users are clearly informed of the non-compliance and that the product will not be placed on the market until it achieves compliance.

This provision is important for manufacturers in pre-market product development phases who wish to demonstrate working prototypes at EU trade events. The notification to users must be explicit and visible — it is not sufficient to mention non-compliance in small print or to assume visitors are aware that prototypes may not be fully compliant.

For manufacturers who sell into markets beyond the EU — for example, the United States, United Kingdom, Japan, or Australia — CRA compliance provides a CE marking that is specific to the EU. Other markets have their own cybersecurity product frameworks: the US Cyber Trust Mark, the UK PSTI Act requirements, or Japan's IoT security labels.

While some technical requirements overlap (particularly around patch management and vulnerability disclosure), CRA compliance alone does not automatically satisfy the requirements of other markets. However, the rigorous technical documentation and conformity assessment processes required for CRA compliance will generate evidence that can be leveraged for other market certifications, potentially reducing the overall compliance burden.