What are the responsibilities of importers and distributors?

Importers and distributors share several responsibilities under the Cyber Resilience Act, such as ensuring compliance, taking corrective measures, and cooperating with authorities. Importers have additional responsibilities related to the initial placement of the product on the market, such as ensuring the conformity assessment procedures have been carried out and providing their contact information on the product. Distributors, on the other hand, focus more on verifying compliance and taking action if non-compliance is identified.

The responsibilities of the importer are as follows:

  • Ensure Compliance: Importers must only place products with digital elements on the market that comply with the essential requirements set out in Section 1 of Annex I and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2 of Annex I.
  • Verification Before Market Placement: Before placing a product on the market, importers must ensure that:
      • The appropriate conformity assessment procedures have been carried out by the manufacturer.
      • The manufacturer has drawn up the technical documentation.
      • The product bears the CE marking and is accompanied by the EU declaration of conformity and the necessary information and instructions for use in a language easily understood by users and market surveillance authorities.
      • The manufacturer has complied with the requirements set out in Articles 10(9a), 10(9b), and 10(10a).
  • Non-Compliance Action: If an importer considers or has reason to believe that a product or the processes put in place by the manufacturer are not in conformity with the regulation, they must not place the product on the market until it has been brought into conformity. If the product presents a significant cybersecurity risk, the importer must inform the manufacturer and the market surveillance authorities.
  • Contact Information: Importers must indicate their name, registered trade name or trademark, postal address, email address, or other digital contact, and, where applicable, the website on the product, its packaging, or in a document accompanying the product. This information must be in a language easily understood by users and market surveillance authorities.
  • Corrective Measures: Importers who know or have reason to believe that a product they have placed on the market is not in conformity with the regulation must immediately take corrective measures to ensure the product is brought into conformity, or to withdraw or recall the product if appropriate. They must also inform the manufacturer about any vulnerabilities and notify the market surveillance authorities if the product presents a significant cybersecurity risk.
  • Documentation Retention: Importers must keep a copy of the EU declaration of conformity and ensure that the technical documentation can be made available to market surveillance authorities for at least ten years after the product has been placed on the market or for the support period, whichever is longer.
  • Cooperation with Authorities: Importers must provide all necessary information and documentation to market surveillance authorities upon request and cooperate with them on any measures taken to eliminate cybersecurity risks posed by the products they have placed on the market.
  • Notification of Manufacturer’s Cease of Operations: If an importer becomes aware that the manufacturer has ceased operations and cannot comply with the obligations laid down in the regulation, they must inform the relevant market surveillance authorities and, to the extent possible, the users of the products placed on the market.

The responsibilities of the distributor are not exactly the same as those of the importer. The specific responsibilities of the distributor are as follows:

  • Due Care: Distributors must act with due care in relation to the requirements of the regulation when making a product with digital elements available on the market.
  • Verification Before Market Placement: Before making a product available on the market, distributors must verify that:
      • The product bears the CE marking.
      • The manufacturer and the importer have complied with their respective obligations, including providing all necessary documents to the distributor.
  • Non-Compliance Action: If a distributor considers or has reason to believe that a product or the processes put in place by the manufacturer are not in conformity with the essential requirements, they must not make the product available on the market until it has been brought into conformity. If the product poses a significant cybersecurity risk, the distributor must inform the manufacturer and the market surveillance authorities without undue delay.
  • Corrective Measures: Distributors who know or have reason to believe that a product they have made available on the market is not in conformity with the regulation must ensure that corrective measures are taken to bring the product or the processes into conformity, or to withdraw or recall the product if appropriate. They must also inform the manufacturer about any vulnerabilities and notify the market surveillance authorities if the product presents a significant cybersecurity risk.
  • Cooperation with Authorities: Distributors must provide all necessary information and documentation to market surveillance authorities upon request and cooperate with them on any measures taken to eliminate cybersecurity risks posed by the products they have made available on the market.
  • Notification of Manufacturer’s Cease of Operations: If a distributor becomes aware that the manufacturer has ceased operations and cannot comply with the obligations laid down in the regulation, they must inform the relevant market surveillance authorities and, to the extent possible, the users of the products placed on the market.