2026-04-19·14 min read·

CRA Art.18: Importer Obligations — Product Verification, EU Market Compliance, and Supply Chain Liability (Developer Guide 2026)

Post #464 in the sota.io EU Cyber Compliance Series

The EU Cyber Resilience Act (Regulation (EU) 2024/2847, "CRA") does not stop at manufacturers. Three other categories of economic operator have their own directly applicable obligations: authorised representatives (Art.12), importers (Art.18), and distributors (Art.19). These obligations exist because market surveillance authorities cannot always reach non-EU manufacturers directly — so the CRA builds liability into every stage of the supply chain that touches the EU market.

Article 18 is the importer's compliance anchor. If your EU-based company buys software or hardware from a non-EU source and places it on the EU market under your own commercial arrangements, you are almost certainly an importer under the CRA. The compliance burden is substantial: you cannot simply pass the liability upstream. EU importers carry independent obligations that attach the moment a product crosses into the EU market.

Critical deadline: 11 December 2027. Art.18 applies in full from that date. The exception: the vulnerability notification provisions of Art.14 and Art.15 apply from 11 September 2026 — meaning importers who are caught in the supply chain of products with actively exploited vulnerabilities face notification obligations even before the full importer framework kicks in.

Who Is an Importer Under the CRA?

Art.3(16) defines an importer as any natural or legal person established in the Union that places a product with digital elements from a third country on the market.

The three operative elements are:

1. "Established in the Union" — the importer must have a legal presence in an EU member state. A UK company routing products through an EU subsidiary, or a non-EU entity operating via an EU branch, can qualify as an importer depending on the facts.

2. "From a third country" — the product originates outside the EU/EEA. A product manufactured in the US, Japan, South Korea, India, or the UK and sold in the EU passes through an importer.

3. "Places on the market" — the importer makes the product available for the first time on the EU market. A company that simply moves stock between EU warehouses without being the party that first introduces the product is not an importer (they may be a distributor).

Common Importer Scenarios in Software and SaaS

The importer category is often misunderstood as applying only to hardware. In practice, software creates many importer scenarios:

Scenario	Importer?
EU reseller buys US SaaS licences and sells them to EU customers	Likely yes — unless the US vendor sells directly and the EU entity is merely an agent
EU system integrator bundles non-EU software into a product and sells it as their own offering	Yes — they become the manufacturer, not merely an importer
EU distributor resells packaged software from a non-EU vendor	Yes — if they first introduce it to the EU market
EU company uses a non-EU library in their product (but it is not placed on the market separately)	No — the EU company is the manufacturer of the product; Art.9 due diligence applies instead
EU subsidiary of a US software company sells software developed by the US parent	Potentially — depends on whether the subsidiary is designated as authorised representative (Art.12) or acts as importer

The boundary between manufacturer and importer is a genuine legal grey area, particularly for software products. If your entity has material influence over the security requirements, development process, or vulnerability handling of the product, you are more likely a manufacturer (with Art.13 obligations) than an importer (with Art.18 obligations). If you simply commercialise another party's finished product in the EU market without modifying its core security properties, you are an importer.

The Art.18 Obligation Matrix

Art.18 imposes a tiered set of obligations on importers, broadly structured around three duties: verify before placing, maintain during the product lifecycle, and cooperate with authorities.

Obligation 1: Pre-Market Verification (Art.18(1))

Before placing a product with digital elements on the EU market, importers must verify that:

a) The manufacturer has carried out the appropriate conformity assessment procedure.

The applicable conformity assessment procedure depends on the product category:

Default: internal production control (Art.32, Annex VIII) — manufacturer self-declares conformity
Class I products (higher risk, Annex III Part I): EU-type examination by a notified body, or internal production control with third-party supervision
Class II products (highest risk, Annex III Part II): third-party conformity assessment by a notified body

Importers cannot rely on a bare assertion from the manufacturer. You need documentary evidence: a Declaration of Conformity (DoC), a test report, or a notified body certificate where applicable.

b) The manufacturer has drawn up the technical documentation.

Art.13(12) requires manufacturers to maintain technical documentation throughout the product's lifecycle and for at least 10 years after placing the product on the market. Importers must verify that this documentation exists and is accessible — not that they have read it in full, but that the manufacturer has created it and can produce it on request by market surveillance authorities.

c) The product bears the required CE marking and is accompanied by the required information.

The CE marking (Art.28) and the EU Declaration of Conformity (Art.27) must be in place before the product enters the EU market. Importers who place products without CE marking face the same enforcement exposure as manufacturers who fail to mark.

d) The product is accompanied by the instructions and information for the user.

Art.13(18) requires manufacturers to provide instructions for secure installation, operation, and disposal of the product. Importers must check that this documentation accompanies the product and is in a language accessible to EU consumers in the target market (Art.18(4)).

Obligation 2: Affix Importer Contact Details (Art.18(3))

Importers must affix their name, registered trade name or registered trade mark, postal address, and electronic contact point to the product. For software products where physical labelling is not possible, this information must appear in the digital interface, documentation, or website associated with the product.

This requirement serves a practical enforcement function: it allows end users and market surveillance authorities to identify the EU-based party responsible for the product when the non-EU manufacturer is not directly reachable. The importer becomes the first point of contact in any enforcement action.

Where the product's size or nature does not permit labelling, the contact details must appear on the packaging or in the accompanying documentation.

Obligation 3: Non-Compliant Product Handling (Art.18(5) and Art.18(6))

If an importer believes or has reason to believe that a product does not conform to CRA requirements, the importer:

Must not place the product on the market until conformity is established
Must inform the manufacturer of the non-conformity
Must inform the relevant market surveillance authority in the member state where the importer is established

This is a significant active duty. An importer who discovers a security deficiency in a product but places it on the market anyway faces independent liability — the manufacturer's non-compliance does not shield the importer.

If a product that has already been placed on the market is found to be non-compliant, the importer must:

Cooperate with the manufacturer to take corrective action
Ensure that the corrective action is taken
If necessary, withdraw or recall the product
Immediately inform market surveillance authorities in all affected member states

Obligation 4: 10-Year Documentation Retention (Art.18(2))

Importers must keep a copy of the EU Declaration of Conformity available to market surveillance authorities for 10 years after the product has been placed on the market. This 10-year window aligns with the manufacturer's obligation and ensures that documentation remains accessible throughout the product's foreseeable operational lifetime.

For software products with continuous delivery cycles, the 10-year clock is reset with each version that is "placed on the market" as a new product. Importers of subscription SaaS or continuously updated software should establish version-tracking procedures that record which conformity assessment and DoC corresponds to each product release cycle.

Obligation 5: Storage and Transport (Art.18(7))

Importers must ensure that, while a product is under their responsibility, storage or transport conditions do not jeopardise its conformity with the essential requirements.

For software products, this obligation is primarily about maintaining the integrity of software artefacts during distribution:

Code signing and integrity verification for software packages
Secure distribution channels that prevent tampering
Supply chain security controls covering build artefacts, containers, and package repositories

Obligation 6: Cooperation with Market Surveillance Authorities (Art.18(8))

Importers must, upon a reasoned request from a market surveillance authority, provide all information and documentation necessary to demonstrate the conformity of a product. This includes:

The EU Declaration of Conformity
Technical documentation (or a reference to where it is held by the manufacturer)
Conformity assessment reports or notified body certificates
Information about the location of the manufacturer's technical documentation

Importers must also cooperate with market surveillance authorities in any corrective action taken to eliminate risks posed by a product.

Importers vs Manufacturers vs Distributors

Understanding the obligation boundaries is critical for compliance planning:

Dimension	Manufacturer (Art.13)	Importer (Art.18)	Distributor (Art.19)
Primary obligation	Design secure products, maintain SBOM, manage vulnerabilities	Verify manufacturer compliance, affix own details, retain documentation	Verify CE marking and documentation, supply chain traceability
Conformity assessment	Performs or commissions	Verifies was performed	Verifies CE marking present
Technical documentation	Creates and maintains	Retains copy for 10 years	Does not hold independently
Vulnerability handling	Directly responsible	Reports through manufacturer	Reports to manufacturer
CE marking	Applies	Verifies	Verifies
Market introduction	Places first	Places from third country	Makes available (not first introduction)
Manufacturer-equivalent trigger	N/A	Sells under own name, modifies product	Sells under own name, modifies product

Critical rule: when an importer becomes a manufacturer. Art.20 provides that if an importer places a product on the market under their own name or trademark, or modifies the product in a way that may affect compliance with essential requirements, they assume full manufacturer obligations under Art.13. This is the most significant liability trap for software importers: rebranding, white-labelling, or substantively modifying a third-party product triggers the full manufacturer compliance burden.

Practical Compliance Scenarios

Scenario A: EU Reseller of US Security Software

An EU-based cybersecurity firm resells a US vendor's endpoint detection and response (EDR) tool to European enterprises. The US vendor has no EU establishment and has not designated an authorised representative.

Importer obligations triggered:

Verify that the US vendor has performed the appropriate conformity assessment (EDR tools are likely Class I under Annex III due to their privileged system access)
Check that a DoC and technical documentation exist and are accessible
Ensure the CE marking is affixed before distribution
Affix own name and contact details to the product (or its packaging/documentation)
If vulnerabilities are actively exploited in the EDR tool before September 2026, cooperate on ENISA notification via manufacturer
Maintain DoC copies for 10 years per product version

Key risk: If the US vendor cannot produce a conformity assessment or DoC, the importer cannot legally place the product on the EU market — and cannot create one themselves.

Scenario B: EU SaaS Platform Integrating Non-EU Components

An EU-based SaaS platform integrates a US-developed AI processing module as a separately licensed component sold to enterprise customers as a distinct product. The EU company licences the module and sells sub-licences to EU customers.

Analysis: The AI module, sold separately to EU customers, is likely a "product with digital elements" placed on the EU market by the EU company acting as importer (or potentially manufacturer if they control its development). The applicable obligations depend on:

Whether the EU entity is the manufacturer (if they have meaningful development control) or an importer (if the US entity is the sole developer)
Whether the module is placed on the market as a distinct product or embedded in a larger product

Recommendation: If the EU entity cannot determine this classification with confidence, the safer position is to assume manufacturer obligations for the combined product and importer obligations for any separately sold components from the non-EU source.

Scenario C: EU Subsidiary of Non-EU Parent

The EU subsidiary of a South Korean hardware manufacturer with embedded firmware sells the parent company's products to EU customers. The parent is the technical manufacturer.

Options under CRA:

The EU subsidiary is designated as authorised representative (Art.12) by the parent — the parent remains manufacturer, the subsidiary holds technical documentation and cooperates with MSAs
The EU subsidiary operates as importer (Art.18) — it places the parent's products on the EU market and carries Art.18 obligations
The EU subsidiary operates as manufacturer (Art.13) if it markets the products under its own brand

Most large corporate groups choose option 1 for clarity: a formal Art.12 mandate from the non-EU parent to the EU subsidiary, clearly defining the representative's powers and scope. Option 2 is simpler to set up but creates independent importer liability without the structured mandate framework.

Python CRAImporterChecker

The following implementation provides a compliance self-assessment tool for EU importers:

from dataclasses import dataclass, field
from enum import Enum
from datetime import date, timedelta
from typing import Optional
import json

class ConformityStatus(Enum):
    VERIFIED = "verified"
    PENDING = "pending"
    MISSING = "missing"
    NOT_APPLICABLE = "not_applicable"

class ProductClass(Enum):
    DEFAULT = "default"           # Internal production control (Annex VIII)
    CLASS_I = "class_i"           # Annex III Part I — higher risk
    CLASS_II = "class_ii"         # Annex III Part II — highest risk

@dataclass
class ImportedProduct:
    product_id: str
    manufacturer_name: str
    manufacturer_country: str       # ISO 3166-1 alpha-2, e.g. "US", "JP"
    product_class: ProductClass
    date_placed_on_market: date
    
    # Art.18 verification checklist
    conformity_assessment_verified: ConformityStatus = ConformityStatus.PENDING
    technical_documentation_accessible: bool = False
    ce_marking_present: bool = False
    user_instructions_language_verified: bool = False
    
    # Importer details affixed
    importer_name_affixed: bool = False
    importer_contact_affixed: bool = False
    
    # Documentation retention
    doc_of_conformity_copy_held: bool = False
    
    # Risk flags
    suspected_non_conformity: bool = False
    corrective_action_taken: bool = False
    msa_notified: bool = False

class CRAImporterChecker:
    """Checks CRA Art.18 importer compliance for a portfolio of products."""
    
    def __init__(self, eu_importer_name: str, eu_importer_country: str):
        self.importer_name = eu_importer_name
        self.importer_country = eu_importer_country
        self.products: list[ImportedProduct] = []
        self.cra_full_deadline = date(2027, 12, 11)
        self.notification_deadline = date(2026, 9, 11)
    
    def add_product(self, product: ImportedProduct) -> None:
        self.products.append(product)
    
    def days_until_deadline(self) -> int:
        return (self.cra_full_deadline - date.today()).days
    
    def check_product(self, p: ImportedProduct) -> dict:
        issues = []
        warnings = []
        
        # Pre-market verification
        if p.conformity_assessment_verified != ConformityStatus.VERIFIED:
            issues.append(
                f"Art.18(1)(a): Conformity assessment not verified. "
                f"Class {p.product_class.value} requires "
                f"{'notified body involvement' if p.product_class != ProductClass.DEFAULT else 'self-declaration'}"
            )
        
        if not p.technical_documentation_accessible:
            issues.append(
                "Art.18(1)(b): Technical documentation accessibility not confirmed. "
                "Must verify manufacturer holds and can produce documentation on MSA request."
            )
        
        if not p.ce_marking_present:
            issues.append(
                "Art.18(1)(c): CE marking not confirmed present. "
                "Product cannot be placed on EU market without CE marking."
            )
        
        if not p.user_instructions_language_verified:
            warnings.append(
                "Art.18(4): User instructions language not verified. "
                "Must be accessible in language(s) of target EU member states."
            )
        
        # Importer details
        if not p.importer_name_affixed:
            issues.append(
                "Art.18(3): Importer name/trademark not affixed to product or documentation."
            )
        
        if not p.importer_contact_affixed:
            issues.append(
                "Art.18(3): Importer postal address and contact point not affixed."
            )
        
        # Documentation retention
        retention_deadline = p.date_placed_on_market + timedelta(days=365 * 10)
        if not p.doc_of_conformity_copy_held:
            issues.append(
                f"Art.18(2): Copy of EU Declaration of Conformity not held. "
                f"Must retain until {retention_deadline.isoformat()} (10 years from market placement)."
            )
        
        # Non-conformity handling
        if p.suspected_non_conformity and not p.msa_notified:
            issues.append(
                "Art.18(5)-(6): Suspected non-conformity identified but market surveillance authority "
                "not notified. Immediate notification required."
            )
        
        # Class I/II specific warnings
        if p.product_class in (ProductClass.CLASS_I, ProductClass.CLASS_II):
            if p.conformity_assessment_verified != ConformityStatus.VERIFIED:
                issues.append(
                    f"Art.18(1)(a) + Annex III: Class {p.product_class.value} product requires "
                    "notified body involvement. Internal production control alone is insufficient."
                )
        
        score = max(0, 100 - (len(issues) * 15) - (len(warnings) * 5))
        
        return {
            "product_id": p.product_id,
            "manufacturer": f"{p.manufacturer_name} ({p.manufacturer_country})",
            "class": p.product_class.value,
            "compliance_score": score,
            "status": "COMPLIANT" if score >= 80 else "NON-COMPLIANT" if score < 50 else "PARTIAL",
            "issues": issues,
            "warnings": warnings,
            "retention_until": (p.date_placed_on_market + timedelta(days=365 * 10)).isoformat(),
        }
    
    def full_report(self) -> dict:
        product_reports = [self.check_product(p) for p in self.products]
        total_issues = sum(len(r["issues"]) for r in product_reports)
        non_compliant = [r for r in product_reports if r["status"] == "NON-COMPLIANT"]
        
        return {
            "importer": self.importer_name,
            "importer_country": self.importer_country,
            "products_assessed": len(self.products),
            "total_issues": total_issues,
            "non_compliant_products": len(non_compliant),
            "days_until_cra_full_deadline": self.days_until_deadline(),
            "products": product_reports,
        }

# Example usage
if __name__ == "__main__":
    checker = CRAImporterChecker(
        eu_importer_name="ExampleEU GmbH",
        eu_importer_country="DE"
    )
    
    checker.add_product(ImportedProduct(
        product_id="edr-tool-v3.2",
        manufacturer_name="SecureVendor Inc",
        manufacturer_country="US",
        product_class=ProductClass.CLASS_I,
        date_placed_on_market=date(2027, 6, 1),
        conformity_assessment_verified=ConformityStatus.PENDING,
        ce_marking_present=True,
        doc_of_conformity_copy_held=True,
        importer_name_affixed=True,
        importer_contact_affixed=False,
    ))
    
    report = checker.full_report()
    print(json.dumps(report, indent=2))

The Art.20 Trap: When Importers Become Manufacturers

Art.20 is the provision that keeps legal teams awake. It provides that if an importer or distributor:

Places the product on the market under their own name or trademark, or
Modifies a product already placed on the market in a way that may affect compliance with the essential requirements

...they assume the obligations of a manufacturer under Art.13. This is not a milder burden — it is the full obligation stack: security-by-design, SBOM, vulnerability handling, conformity assessment, CE marking, technical documentation, and 10 years of security update support.

In software practice, the modification trigger is broad:

Modifications that likely trigger Art.20:

Rebranding or white-labelling a third-party software product
Adding a custom authentication layer or access control mechanism
Integrating additional modules that process user data or expose new APIs
Forking a third-party product and releasing it under your own version scheme
Packaging a non-EU open-source project as a commercial product under your trademark

Modifications that likely do not trigger Art.20:

Distributing the software in the original vendor packaging without modification
Translating user-facing documentation into EU languages without changing the software
Configuring the software for a specific deployment without modifying its security properties
Providing resale licences without taking custody of the software artefact

The boundary is not always clear. If your modifications affect any Annex I requirement — secure defaults, authentication, cryptography, data minimisation, update mechanisms — Art.20 will apply.

20-Item Art.18 Compliance Checklist

Pre-Market Verification

Doc-01: Obtained written confirmation from manufacturer that conformity assessment procedure has been completed
Doc-02: Verified product class classification (Default / Class I / Class II) against Annex III criteria
Doc-03: For Class I products: confirmed notified body involvement in conformity assessment
Doc-04: For Class II products: confirmed notified body issued certificate (not internal declaration alone)
Doc-05: Confirmed manufacturer holds technical documentation and can produce it on MSA request
Mark-01: Verified CE marking is affixed to product or packaging
Mark-02: Obtained copy of EU Declaration of Conformity from manufacturer
Doc-06: Verified product is accompanied by user instructions/documentation
Lang-01: Confirmed user instructions are available in language(s) of target EU member states

Importer Details

ID-01: Importer name (or registered trademark) affixed to product, packaging, or digital interface
ID-02: Importer postal address affixed
ID-03: Importer electronic contact point (email or web form) affixed
ID-04: Affixed details are legible, durable, and visible without disassembly

Documentation Retention

Ret-01: Copy of EU Declaration of Conformity stored in compliance management system
Ret-02: Retention schedule set for 10 years from date of market placement (per product version)
Ret-03: Version-control procedure in place to track which DoC corresponds to which product release

Non-Conformity Handling

Risk-01: Process documented for identifying and escalating suspected non-conformity before market placement
Risk-02: Procedure in place to notify manufacturer and relevant MSA if non-conformity discovered post-placement
Risk-03: Product withdrawal and recall process defined and tested

Art.20 Boundary Management

Art20-01: Legal analysis completed to confirm importer role (vs manufacturer) for each product in portfolio

This article is part of the sota.io CRA series. Related posts:

Key Takeaways

If you are an EU company placing non-EU software or hardware on the EU market:

You are an importer under CRA Art.18 (unless you are the manufacturer, or unless a formal Art.12 authorised representative relationship has been established)
You cannot legally place a non-compliant product on the EU market, regardless of what the manufacturer has or has not done
You carry independent obligations that include verification, documentation retention for 10 years, and mandatory notification of market surveillance authorities for non-conforming products

The Art.20 trap is the biggest practical risk: white-labelling, rebranding, or substantively modifying a non-EU product converts your importer liability into full manufacturer liability. Any contractual arrangement with the upstream manufacturer should address this explicitly.

The 11 December 2027 deadline is the full compliance trigger. But the vulnerability notification obligations of Art.14 (ENISA 24h reporting for actively exploited vulnerabilities) and Art.15 (CVD policy) apply from 11 September 2026 — even for importers caught in the notification supply chain.

Start with a supply chain audit: map every product in your EU distribution portfolio, classify by product type and CRA product class, identify who bears manufacturer obligations, and implement the Art.18 verification checklist for everything else. The window between now and December 2027 is shorter than it appears once legal review, conformity assessment, and supply chain negotiation timelines are factored in.