CRA Legal Terms

Manufacturer Obligations (CRA)

Manufacturer obligations under the EU Cyber Resilience Act are the comprehensive set of cybersecurity duties that apply to any entity that designs, develops, or produces a product with digital elements for the EU market. These obligations span product design, vulnerability handling, market surveillance cooperation, and post-market security support.


What Are Manufacturer Obligations Under the CRA?

Article 13 of the EU Cyber Resilience Act is the central provision establishing manufacturer obligations. Manufacturers must: (1) conduct a cybersecurity risk assessment and incorporate its findings throughout the product lifecycle; (2) design, develop, and produce products in accordance with the Annex I essential cybersecurity requirements; (3) exercise due diligence when integrating third-party components; (4) identify and document all components in the product (SBOM); (5) provide security updates for the minimum support period; (6) establish a coordinated vulnerability disclosure process; (7) cooperate with market surveillance authorities; and (8) ensure the product bears a CE marking and is accompanied by a Declaration of Conformity and complete technical documentation.

CRA reference: Article 13

Notification Obligations Under Article 14

Beyond the ongoing product security obligations, Article 14 imposes specific time-bound notification duties on manufacturers. When a manufacturer becomes aware that a product they have placed on the market contains an actively exploited vulnerability, they must notify ENISA within 24 hours. This early warning notification must be followed within 72 hours by a more detailed incident report. A final report must be submitted no later than 14 days after the initial notification. Manufacturers must also notify ENISA and market surveillance authorities of any serious incidents affecting the security of their products. These are strict deadlines — manufacturers must have operational processes in place to detect, assess, and notify within these timeframes.

CRA reference: Article 14

Post-Market Obligations and Vulnerability Handling

Manufacturer obligations do not end at market placement. Throughout the product's support period, manufacturers must: actively monitor for vulnerabilities in their products and all integrated components; develop and deploy patches without undue delay; communicate the severity and availability of patches to users in clear language; operate a functioning CVD process that receives and processes researcher reports; publish security advisories (ideally in CSAF format) when vulnerabilities are remediated; and maintain and update the technical documentation. The SBOM must be updated with each product release. Manufacturers must also maintain the ability to receive, validate, and respond to vulnerability reports for the duration of the support period.

CRA reference: Article 13(3), (4), (5), (6); Article 14

Common Mistakes

A pervasive misunderstanding is that CRA compliance is a pre-market exercise — a set of boxes to check before CE marking is affixed — after which obligations are minimal. In reality, the CRA's most operationally demanding obligations are post-market: ongoing vulnerability monitoring, patch development and delivery, CVD process operation, ENISA reporting, and user communication. Manufacturers who have not resourced a product security function (PSIRT or equivalent) before market placement will be unable to meet Article 14's 24-hour notification window when an actively exploited vulnerability is discovered.

CRA reference: Article 13, Article 14

CVD Portal makes Manufacturer Obligations (CRA) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.


Frequently asked questions

What is the 24-hour notification rule under Article 14 of the CRA?

Article 14(1) requires manufacturers to notify ENISA within 24 hours of becoming aware that a vulnerability in one of their products is being actively exploited. This early warning notification must be followed within 72 hours by a more detailed notification, and a final comprehensive report within 14 days. These are strict regulatory deadlines. Manufacturers must have monitoring processes, incident response plans, and defined escalation paths in place to meet these timelines.

Does the CRA apply to manufacturers established outside the EU?

Yes. The CRA applies to any product with digital elements placed on the EU market, regardless of where the manufacturer is established. Non-EU manufacturers must designate an authorised representative established in the EU before placing products on the market. The authorised representative acts as the regulatory contact point in the EU and is responsible for ensuring the manufacturer's compliance documentation is accessible to market surveillance authorities.

How long must a manufacturer retain technical documentation?

Manufacturers must retain technical documentation, the Declaration of Conformity, and related conformity evidence for ten years after the last product of the model was placed on the market. This ten-year retention period applies regardless of whether the product is still being sold or supported. Manufacturers should establish document management processes that ensure this documentation remains accessible and is not inadvertently destroyed during corporate restructuring or system migrations.

Related terms

Economic Operator (CRA): Economic operators are the legal entities in the supply chain — manufacturers, authorised representatives, importers, and distributors — upon whom the EU Cyber Resilience Act places specific obligations. The manufacturer bears the primary and most extensive obligations, but importers and distributors have supplementary duties that can result in them inheriting manufacturer obligations if the original manufacturer is non-compliant.

Coordinated Vulnerability Disclosure (CVD): CVD is the process by which a security researcher privately reports a vulnerability to the affected vendor, who then develops and releases a fix before the vulnerability is made public. Under the EU Cyber Resilience Act, manufacturers of products with digital elements are legally required to establish a CVD process.

Product Security Incident Response Team (PSIRT): A PSIRT is a dedicated organisational function responsible for receiving, investigating, and coordinating responses to security vulnerabilities and incidents in a manufacturer's products. The EU Cyber Resilience Act's vulnerability handling obligations effectively require manufacturers to have PSIRT-equivalent capabilities.

EU Cyber Resilience Act (CRA): The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market. It entered into force on 10 December 2024, with most obligations applying from 11 December 2027.
