Source: OJ L 2024/2847, 20.11.2024
Article 20 Obligations of distributors
Summary: What does Article 20 of the CRA regulation say?
This article sets out the obligations that apply specifically to distributors — those in the supply chain who make products with digital elements available on the EU market without affecting their properties.
It sits alongside Articles 13 and 19, which cover manufacturers and importers respectively, and together these articles form the framework of obligations across the supply chain.
Distributors are cast as a final checkpoint before a product reaches the market: they must verify that the CE marking is in place and that manufacturers and importers have met their key documentation and information obligations.
Beyond pre-market checks, the article also governs what distributors must do when they discover non-compliance or vulnerabilities after a product is already on the market, including their duty to report to manufacturers and market surveillance authorities and to cooperate with those authorities on request.
Important points:
- Verify, before making a product available, that it bears the CE marking and that all required documentation from the manufacturer and importer has been provided.
- If you become aware of a vulnerability or non-compliance after the product is on the market, inform the manufacturer without undue delay and, where a significant cybersecurity risk exists, immediately notify the relevant market surveillance authorities.
- If the manufacturer has ceased operations and can no longer meet its obligations under this Regulation, inform the relevant market surveillance authorities without undue delay and, to the extent possible, the users of the affected products.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.
Before making a product with digital elements available on the market, distributors shall verify that:
- the product with digital elements bears the CE marking;
- the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor.
Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.
Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.
Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken.
Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.
Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.
Relevant recitals
Recital 20 Distribution via open repositories
The sole act of hosting products with digital elements on open repositories, including through package managers or on collaboration platforms, does not in itself constitute the making available on the market of a product with digital elements. Providers of such services should be considered to be distributors only if they make such software available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.