The role of the importer becomes relevant within the proposed Cyber Resilience Act (CRA-E) when he makes available a product with digital elements bearing the name or trademark of a (legal) person and being established outside the European Union on the Union market for the first time.

In the event that a manufacturer is located in a third country, an importer established in the Union must always be involved in the product supply chain, whereas the legal figure of the importer is not required if a manufacturer is located within the EU, since the product with digital elements must not be placed on the market by an intermediary in this case.

In principle, the importer is not involved in the manufacturing process, but only in the distribution of the product with digital elements. This circumstance is also taken into account by the CRA-E with the obligations laid down in Art. 13 CRA-E.

Art. 13 (1) CRA-E stipulates that importers shall only place on the market and thus first making available on the Union market products with digital elements that are compliant with the essential requirements in Annex I. In practice, this will include two main courses of action: On the one hand, the importer can make the product with digital elements available on the Union market by reselling it to the distributor. On the other hand, he can also sell the product directly to the end customer. This is because the regulation defines “making available” on the market in Art. 3 (23) CRA-E as “any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.” Moreover, the concept of a distributor (Art. 3 (21) CRA-E) differs from that of an importer (Art. 3 (20) CRA-E) only by the fact that the former merely makes the product with digital elements available on the market and is neither a manufacturer nor importer.

The importer must ensure that the essential cybersecurity requirements are met and that the manufacturer has implemented appropriate procedures to address vulnerabilities. Since this can be demonstrated with the help of the declaration of conformity, the technical documentation and the other information and instructions for use to be attached in accordance with Annex II, the importer must ensure pursuant to Art. 13 (2), (5) CRA-E that the aforementioned evidence is available and attached to the product with digital elements. This evidence can be attached either in electronic form (e. g. via an internet address) or in paper form and must be written in a language which can be easily understood by users.

In this context, Art. 13 (3) CRA-E clarifies that the importer may not place the product on the market if there are doubts about conformity. Consequently, there is a high liability risk here and thus also a high review effort for the importer. In addition, Art. 13 (4) CRA-E stipulates that the importer must deposit his own contact information with the product with digital elements, which underpins his responsibility for ensuring conformity. This is also supported by the fact that, according to Art. 13 (6) CRA-E, the importer must take corrective measures himself for the products with digital elements that he places on the market and must inform the manufacturer and, if necessary, the market surveillance authorities if a vulnerability is identified.

In addition, according to Art. 13 (7) CRA-E, the importer shall keep a copy of the EU declaration of conformity for a period of ten years from the date on which the product with digital elements was placed on the market and present it to the market surveillance authority upon request. According to Art. 17 (2) CRA-E, the same retention period applies to contact information of all economic operators from whom the importer has obtained products with digital elements or to whom he has supplied such products. Furthermore, market surveillance authorities and product users must be informed as soon as the importer becomes aware that the manufacturer of a product with digital elements ceased its operations, Art. 13 (9) CRA-E.

The CRA-E provides a special feature in Art. 15. According to this, the importer is considered a "deemed" manufacturer if he makes a substantial modification to a product with digital elements that has already been placed on the market, with the consequence that he is subject to the obligations of the manufacturer at least for the parts of the product that are affected by the substantial modification. According to Art. 3 (31) CRA-E, a substantial modification takes place if the product with digital elements is modified after it has been placed on the market in such a way that the intended use determined during the conformity assessment is changed or if the modification has a general impact on the conformity of the product and its requirements in Annex I Section 1. Thus, as soon as the importer interferes with the nature of a product with digital elements that has been placed on the market, there is a risk that his scope of obligations will be greatly expanded.

Practical recommendations:

Companies that import digital products into the Union market should review both the material and personnel scope provisions of the CRA-E to determine whether they fall within the definition of the importer. If this is the case, we recommend that appropriate processes be put in place to adequately address the extensive verification obligations, as there is a high risk of liability in this regard. Furthermore, it should be ensured as far as possible that no significant changes are made to the imported products with digital elements in order not to fall under the manufacturer fiction.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.