EU digital legislation

CRA-Update – Episode 5: What are the obligations of the distributor under the CRA-E?

Being the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.

According to the definition in Art. 3 (21) CRA-E, a (legal) person can only fall under the term of the distributor if it makes a product with digital elements available on the Union market without affecting its properties and without being already qualified as a manufacturer or importer.

This already shows that the regulation clearly distinguishes the distributor from other economic operators and emphasizes his role as the last part in the value chain. This circumstance is also reflected in the obligations of the distributor mentioned under Art. 14 CRA-E, which are mainly limited to testing, storage and reporting obligations.

Art. 14 (1) CRA-E stipulates that the trader must comply with the provisions of the CRA-E with due care when making a product with digital elements available on the market. Thus, the regulation also constitutes liability for the distributor, even if he is not involved in the manufacturing process but only distributes the product. The liability is mainly limited to the examination of the product and the processes put in place by the manufacturer, as follows from Art. 14 (1-3) CRA-E. Accordingly, the distributor firstly has to check whether the product with digital elements is accompanied by the required information and instructions, the EU declaration of conformity, the CE marking and the importer's contact details in paper or electronic form. In case of doubt about the conformity of the product or the manufacturer's procedures, he is not allowed to make the product with digital elements available on the market, but must first ensure conformity, Art. 14 (3) CRA-E. If the product also poses a significant cybersecurity risk, the manufacturer and the market surveillance authorities must be informed of this circumstance.

If the product with digital elements has already been made available on the market by the distributor and it subsequently turns out that the requirements in Annex I are not met, the distributor must immediately take the necessary corrective measures or withdraw the product with digital elements from the market or recall it, according to Art. 14 (4) CRA-E. If a vulnerability is identified, the manufacturer and, in the case of a significant cybersecurity risk, the market surveillance authority must be informed. According to Art. 3 (38) CRA-E, which refers to Art. 6 (15) NIS-2 Directive, a vulnerability is a weakness, susceptibility or flaw that can be exploited in the event of a cyber threat.

Furthermore, Art. 14 (5) CRA-E stipulates that information and documents on the proof of conformity of the product with digital elements and the procedures specified by the manufacturer must be submitted to the market surveillance authorities at their request and also prescribes cooperation with those authorities.

As well as for the other economic operators, the ten-year retention period for contact information of all economic operators from whom he has obtained products with digital elements or to whom he has supplied such products also applies to distributors as specified in Art. 17 (2) CRA-E. On top of that, market surveillance authorities and product users must be informed as soon as the distributor becomes aware that the manufacturer of a product with digital elements ceased its operations, Art. 14 (6) CRA-E.

In addition, the distributor, like the importer, falls under the regulation of Art. 15 CRA-E. According to this, the distributor is considered a "deemed" manufacturer if he makes a substantial modification to a product with digital elements that has already been placed on the market, with the consequence that he is subject to the obligations of the manufacturer at least for those parts of the product that are affected by the substantial modification. According to Art. 3 (31) CRA-E, a substantial modification takes place if the product with digital elements is modified after it has been placed on the market in such a way that the intended use determined during the conformity assessment is changed or if the modification has a general impact on the conformity of the product and its requirements in Annex I Section 1. Thus, as soon as the distributor interferes with the nature of a product with digital elements that has been placed on the market, there is a risk that his scope of obligations will be greatly expanded.

Practical recommendations:

Companies that distribute products with digital elements should, in particular, review the provisions on the material scope of the CRA-E to determine whether the products they offer are covered by the CRA-E. If this is the case, we recommend that appropriate processes be put in place to adequately address the extensive examination obligations, as there is a high risk of liability in this regard. Furthermore, it should be ensured as far as possible that no significant changes are made to the distributed products with digital elements in order to avoid falling under the manufacturer fiction.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Associate
Alexander Weiß
Lawyer, Associate
Alexander Weiß

Go back

CRA-Update

CRA-Update – Episode 10: Penalties under the CRA-E

With the proposed Cyber Resilience Act (CRA-E), the European Commission has set itself the goal of strengthening the security of products with digital elements with horizontal legal requirements in order to better protect the European internal market from growing cyber threats. Concerning this matter, the regulation contains a large number of obligations that apply to all economic operators in a product supply chain, namely manufacturers, importers and distributors.

CRA-Update – Episode 9: Surveillance authorities

The Commission's draft for the Cyber Resilience Act (CRA-E) mentions different authorities with different tasks for monitoring and compliance with the standards of the regulation.

CRA-Update – Episode 8: The conformity assessment procedure

In order to demonstrate the conformity of products with digital elements with the requirements of the proposed Cyber Resilience Act (CRA-E), manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 24 (1) CRA-E. For this purpose, the CRA-E basically provides for three different types of procedures, for each of which information can be found in Annex VI. The procedures mentioned there are based on Decision 768/2008/EC, which aims to establish a common framework for legislation harmonizing the conditions for the marketing of products and provides for conformity assessment procedures for this purpose.

CRA-Update – Episode 7: What are vulnerability handling processes put in place by manufacturers and when are they compliant under the CRA?

According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E) this regulation should also include provisions for vulnerability handling processes put in place by manufacturers. The purpose of these processes is to ensure the cybersecurity of products with digital elements during the whole life cycle.

CRA-Update – Episode 6: When is a product with digital elements in conformity with the requirements of the CRA-E?

The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.

 

CRA-Update – Episode 5: What are the obligations of the distributor under the CRA-E?

Being the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.

According to the definition in Art. 3 (21) CRA-E, a (legal) person can only fall under the term of the distributor if it makes a product with digital elements available on the Union market without affecting its properties and without being already qualified as a manufacturer or importer.

CRA-Update – Episode 4: What are the obligations of the importer under the CRA-E?

The role of the importer becomes relevant within the proposed Cyber Resilience Act (CRA-E) when he makes available a product with digital elements bearing the name or trademark of a (legal) person and being established outside the European Union on the Union market for the first time.

CRA-Update – Episode 3: What are the obligations of the manufacturer under the CRA-E?

In comparison to the other economic operators, the manufacturer is subject to the most comprehensive obligations of the proposed CRA (CRA-E). This is probably because the manufacturer significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks. The specific obligations for manufacturers are set out in Art. 10 and 11 of the proposed CRA.

CRA-Update – Episode 2: Who falls within the scope of the proposed CRA?

According to section II of the proposed CRA the regulation will apply to so-called economic operators such as manufacturers, authorised representatives, importers and distributors of products with digital elements.

CRA-Update – Episode 1: Which products fall within the scope of the proposed CRA?

The current proposal for a new European Cyber Resilience Act by the European Commission from 15th September 2022 (CRA) applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (see recital 7 and Art. 2 (1) of the proposed CRA).