CRA Art.19: Distributor Obligations — Market Availability, Non-Conformity Response, and Supply Chain Compliance (Developer Guide 2026)
Post #465 in the sota.io EU Cyber Compliance Series
The EU Cyber Resilience Act (Regulation (EU) 2024/2847, "CRA") distributes compliance obligations across four categories of economic operator: manufacturers (Art.13), authorised representatives (Art.12), importers (Art.18), and distributors (Art.19). Each layer has calibrated obligations matched to its position in the supply chain. Distributors — those who make products available on the EU market without being the manufacturer or importer — carry the lightest individual burden, but that burden is still real, directly applicable, and enforceable.
Article 19 is the distributor's compliance anchor. If your company resells, integrates, or makes available software or hardware products produced by another party, and you are neither the manufacturer nor the EU-based importer, you are likely a distributor under the CRA. Your obligations are narrower than an importer's, but misunderstanding them — or assuming you have none — is a compliance gap that market surveillance authorities will exploit.
Critical deadline: 11 December 2027. Art.19 applies in full from that date. As with all CRA provisions, the vulnerability notification requirements of Art.14 and Art.15 apply earlier — from 11 September 2026 — meaning distributors caught in a supply chain involving products with actively exploited vulnerabilities face notification obligations before the full distributor framework comes into force.
Who Is a Distributor Under the CRA?
Art.3(17) defines a distributor as any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market.
Three key points follow from this definition:
1. Residual category — distributor is what you are if you are not a manufacturer and not an importer. You cannot be both manufacturer and distributor for the same product. If you modify the product materially, you become a manufacturer (see Art.20, discussed below).
2. "Makes available on the market" — Art.3(20) defines making available on the market as any supply of a product for distribution, consumption, or use on the Union market in the course of a commercial activity, whether for payment or free of charge. This is broader than "selling": distributors include cloud resellers, marketplace operators, system integrators, and bundlers who include third-party components in their offerings.
3. No geographic requirement — unlike importers (who must be established in the Union), distributors can be EU or non-EU entities, so long as they make products available on the EU market. In practice, non-EU distributors with no establishment will face enforcement difficulties, but the obligation exists regardless.
Common Distributor Scenarios in Software and SaaS
| Scenario | Distributor? |
|---|---|
| EU cloud reseller bundles third-party software licences into a managed service offering | Yes — making product available on EU market |
| EU marketplace operator lists hardware/software from multiple vendors | Yes — each listing is making available on the market |
| EU system integrator deploys third-party software in a customer environment unchanged | Yes — if they are not the importer and not modifying the product |
| EU system integrator customises third-party software with security patches or new modules | Potentially manufacturer — depends on whether modification is "substantial" under Art.3(23) |
| EU subsidiary resells parent company's product under the parent's brand unchanged | Potentially distributor — unless designated as importer under Art.18(3) |
| EU-established SaaS vendor using a third-party security component it does not expose separately | Neither — the component is not placed on the market separately; Art.9 due diligence applies |
The boundary between distributor and importer is determined by who first introduces the product to the EU market. If a non-EU manufacturer sells directly to EU end-users without going through a formal EU intermediary, the first EU entity that makes it commercially available may be an importer, not a distributor. The first-in-EU-market rule is fact-specific.
The Art.19 Obligation Matrix
Art.19 imposes three categories of obligation on distributors: pre-availability verification, non-conformity response, and authority cooperation. Each is directly applicable.
Obligation 1: Pre-Availability Verification (Art.19(1))
Before making a product with digital elements available on the EU market, a distributor must verify that:
a) The product bears the CE marking.
Art.28 requires manufacturers to affix the CE marking before market placement. Distributors must check that the CE marking is present and legible. Unlike importers, distributors are not required to verify the underlying conformity assessment — they are checking the visible output of that process.
b) The product is accompanied by the EU Declaration of Conformity (DoC) or a web reference to it.
Art.27(3) allows the DoC to be made available via a URL rather than physically accompanying each unit. Distributors must verify that the DoC is accessible — either physically present or linkable from the product, packaging, or documentation.
c) The product is accompanied by the instructions and information for the user in a language that can be easily understood by users in the Member State where the product is made available.
This is the language compliance obligation. Art.13(18) requires manufacturers to provide instructions for secure installation, operation, and disposal. Art.19(1)(c) requires distributors to verify that these exist in an appropriate language for the target market. A German distributor making a product available in Germany must verify German-language instructions exist — not merely English.
d) The manufacturer and the importer have complied with their obligations under Art.13(12) and Art.18(3) respectively.
This is a conditional verification: distributors must check that manufacturers have drawn up technical documentation and that importers have affixed their contact details. The distributor is not required to read the technical documentation or verify its content — the obligation is to confirm that these compliance artefacts exist.
Practical Verification Workflow
The pre-availability verification is a four-point checklist, not a deep-dive audit. A distributor's due diligence process can be structured as:
| Check | What to Verify | Acceptable Evidence |
|---|---|---|
| CE marking | Visible and legible on product/packaging | Physical inspection or product image |
| DoC availability | Accessible URL or physical document | URL check; document receipt |
| Language compliance | Instructions in target market language | Language review of documentation |
| Manufacturer/importer compliance | Technical documentation drawn up; contact details affixed | Vendor attestation; contract clause |
Distributors who skip pre-availability verification and discover non-conformity after product availability face compounded liability: they must execute the non-conformity response protocol (below) and explain why verification failed.
Obligation 2: Non-Conformity Response (Art.19(2))
If a distributor has reason to believe that a product with digital elements does not conform to Art.10, Art.11, Art.13(12), Art.13(14)–(15), or the requirements in Annexes I and II, it must not make the product available until it has been brought into conformity.
The trigger is "reason to believe" — a lower standard than certainty. Distributors who receive credible complaints, discover missing CE marking mid-distribution, or learn of a manufacturer recall have reason to believe even without independent technical verification.
When non-conformity is suspected or confirmed, the distributor must:
a) Inform the manufacturer and, where applicable, the importer.
The notification must be substantive: it must identify the specific non-conformity concern, the product and version, and the market where the product has been or would be made available. Distributors who notify upstream parties through informal channels (a Slack message, a support ticket) without creating a written record with a date-stamp are not adequately evidencing compliance.
b) Ensure that corrective measures are taken.
"Ensure" does not mean the distributor must personally take corrective action — manufacturers and importers carry that obligation under Art.13(14) and Art.18(2). But distributors must follow up. If the manufacturer does not respond, the distributor's obligation is to suspend market availability and escalate to market surveillance authorities.
c) Inform the market surveillance authorities of the Member State where the distributor operates.
If the product poses a risk, the distributor must notify the MSA directly. Art.19(2) does not require the distributor to wait for manufacturer action before notifying the MSA — where there is a risk to users, the MSA notification obligation is independent.
d) Not make the product available until brought into conformity.
The distribution hold is mandatory from the moment of non-conformity discovery. Distributors who continue to distribute a known non-conforming product face direct enforcement liability, not merely derivative liability as a supply chain participant.
Obligation 3: Market Surveillance Cooperation (Art.19(4))
Distributors must cooperate with market surveillance authorities, including by:
- Providing all information and documentation necessary to demonstrate conformity
- Identifying the manufacturer, importer, and any other economic operators in the supply chain
- Taking action with the manufacturer or importer when requested by the MSA
The cooperation obligation extends to records: distributors who cannot identify their supply chain — who manufactured the product, which importer placed it on the EU market, what version was distributed to which customer — are failing the Art.19(4) obligation even if the product itself is compliant.
Record retention: Art.19 does not specify an explicit retention period, but Art.13(12) establishes 10 years for manufacturers. Distributors should align their supply chain records with the 10-year window to ensure they can respond to MSA inquiries throughout the product's lifecycle. A product placed on the market in 2027 may be subject to an MSA investigation in 2035 — records lost after three years of regular business retention cycles will not support a compliance defence.
Distributor vs Importer vs Manufacturer: The Key Differences
Understanding where the distributor obligation begins and ends requires mapping it against Art.18 (importer) and Art.13 (manufacturer). The key distinctions:
| Obligation Element | Manufacturer (Art.13) | Importer (Art.18) | Distributor (Art.19) |
|---|---|---|---|
| Conformity assessment | Carry out | Verify carried out | Not required to verify |
| Technical documentation | Draw up and maintain | Verify exists | Verify manufacturer drew up |
| CE marking | Affix | Verify present | Verify present |
| DoC | Draw up | Retain copy | Verify accessible |
| Contact details | Manufacturer name/address | Affix own details | Not required to affix |
| Language compliance | Provide in target language | Verify in place | Verify in target language |
| Non-conformity response | Corrective action + recall | Corrective action | Suspend + notify upstream + notify MSA |
| Record retention | 10 years | 10 years (aligned) | Implicit 10 years (best practice) |
| Vulnerability handling | Full Art.14/15 obligations | Support manufacturer | Inform users and MSA |
| Penalty exposure | Up to €15M / 2.5% turnover | Aligned to manufacturer scale | Up to €10M / 2% turnover (Art.64(5)) |
The penalty differential reflects the calibrated obligation: distributors face lower fines because their obligations are narrower. But the fines are real — €10 million or 2% of global annual turnover is not a minor compliance risk for a mid-size software distributor.
The Art.20 Transformation Trigger: When a Distributor Becomes a Manufacturer
Art.20 is the most important provision for distributors to understand because it is the most commonly triggered transformation.
A distributor becomes a manufacturer and takes on all obligations under Art.13 when it:
a) Makes a product available on the market under its own name or trademark.
If you rebrand a product — affixing your company name, logo, or trademark to it — you become the manufacturer, regardless of who actually built the product. The EU regulator treats the party presenting the product to the market as the responsible economic operator when that party has chosen to put their name on it.
b) Makes a substantial modification to an already placed product.
Art.3(23) defines a substantial modification as one that:
- Affects the compliance of the product with the essential cybersecurity requirements in Annex I, or
- Changes the intended purpose of the product for which the product was assessed
Modifications that trigger the transformation include:
- Adding security-relevant features or removing existing ones
- Changing the authentication mechanism, access control model, or encryption implementation
- Patching vulnerabilities in a way that alters the product's security architecture
- Extending the product's network connectivity in ways not covered by the original conformity assessment
Modifications that do not trigger the transformation include:
- UI reskinning or cosmetic changes
- Translating documentation or localising language
- Configuration changes within parameters the manufacturer's conformity assessment already covered
- Performance optimisations that do not affect security properties
The Art.20 Trap in Software Distribution
The Art.20 transformation trap is particularly acute in software:
Scenario 1: Managed service with configuration hardening
A distributor takes a vendor's software product and deploys it in a "hardened" configuration for enterprise customers — removing default accounts, tightening network exposure, enabling audit logging. If these changes are outside the scope of the manufacturer's conformity assessment, the distributor may have made a substantial modification and become the manufacturer.
Scenario 2: OEM white-label resale
A distributor licenses a security tool from a non-EU vendor and sells it under its own brand. Even if no code changes are made, the use of the distributor's name makes it the manufacturer under Art.20(a). This is the most commonly overlooked transformation trigger.
Scenario 3: Bundled security patches
A distributor acquires software, discovers a known vulnerability, and patches it before distribution. If the patch materially changes the security properties of the product, the distributor has made a substantial modification and is now the manufacturer — required to carry out a new conformity assessment.
The safe path: if your company's name is on it, or if you have changed anything security-relevant, treat yourself as the manufacturer and apply Art.13 obligations from the outset. The compliance cost of Art.19 is much lower than the cost of discovering mid-investigation that Art.20 applies.
Distributor-Specific Considerations for SaaS and Cloud Products
Software-as-a-service products present distributor challenges that hardware-oriented CRA guidance often ignores.
When Is a SaaS Product "Made Available on the Market"?
Art.3(20) includes supply "for distribution, consumption, or use" — which covers SaaS. A cloud reseller who bundles a SaaS licence into a managed service package is making the underlying SaaS product available on the EU market. The distributor obligations of Art.19 attach.
The key question for SaaS distributors is whether they are:
- A mere channel — the SaaS vendor contracts directly with the end-user, and the distributor earns a referral fee. In this structure, the distributor may not be "making the product available" under Art.3(20) — the vendor is doing it directly.
- A value-add reseller — the distributor contracts with the end-user in its own name, manages the relationship, and holds the commercial risk. In this structure, the distributor is making the product available and Art.19 applies.
- A bundler — the distributor includes the SaaS in a broader offering (e.g., a managed security service). If the SaaS component is separately identifiable, Art.19 applies to it. If the distributor has integrated it so deeply that the bundled product is a new product, Art.20 may apply.
Version Management and Continuous Updates
SaaS products update continuously. Distributors who carry out a pre-availability verification at contract inception may not realise that the underlying product has changed materially — including security-relevant changes — since the initial check.
Best practice: distributors of SaaS products should contractually require vendors to notify them of:
- Any changes to the CE marking status
- Any updates to the DoC
- Any security incidents that would trigger Art.14/15 notifications upstream
- Any manufacturer changes that affect the conformity assessment
This notification obligation protects the distributor's Art.19(2) "reason to believe" threshold: if the vendor is contractually required to notify non-conformities, a distributor who has not received notification has a stronger compliance defence.
Python Implementation: CRADistributorChecker
A structured distributor compliance verification can be implemented as follows:
```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime


class ConformityStatus(Enum):
    CONFORMING = "conforming"
    NON_CONFORMING = "non_conforming"
    UNKNOWN = "unknown"
    SUSPENDED = "suspended"


class TransformationRisk(Enum):
    NONE = "none"  # Pure pass-through distributor
    OWN_NAME = "own_name"  # Art.20(a): own name/trademark applied
    SUBSTANTIAL_MODIFICATION = "substantial_modification"  # Art.20(b): security change
    BOTH = "both"


@dataclass
class DistributorProductRecord:
    product_id: str
    product_name: str
    manufacturer_name: str
    importer_name: Optional[str]
    target_markets: list[str]  # ISO 3166-1 alpha-2 codes

    # Pre-availability verification (Art.19(1))
    ce_marking_verified: bool = False
    ce_marking_verified_date: Optional[datetime.date] = None
    doc_accessible: bool = False
    doc_url: Optional[str] = None
    doc_verified_date: Optional[datetime.date] = None
    instructions_language_verified: bool = False
    # Markets (same alpha-2 codes as target_markets) for which instructions in the
    # locally required language have been confirmed
    instructions_languages: list[str] = field(default_factory=list)
    manufacturer_tech_doc_confirmed: bool = False
    importer_contact_details_confirmed: bool = False

    # Art.20 transformation risk
    own_name_applied: bool = False
    security_modifications_made: bool = False
    modification_description: Optional[str] = None

    # Availability status
    availability_status: ConformityStatus = ConformityStatus.UNKNOWN
    suspension_reason: Optional[str] = None
    suspension_date: Optional[datetime.date] = None

    # MSA cooperation
    supply_chain_records: list[dict] = field(default_factory=list)
    non_conformity_notifications: list[dict] = field(default_factory=list)


class CRADistributorChecker:
    def __init__(self, product: DistributorProductRecord):
        self.product = product
        self.findings: list[str] = []

    def check_pre_availability(self) -> bool:
        """Art.19(1): Full pre-availability verification checklist."""
        passed = True
        if not self.product.ce_marking_verified:
            self.findings.append("FAIL [Art.19(1)(a)]: CE marking not verified")
            passed = False
        if not self.product.doc_accessible:
            self.findings.append("FAIL [Art.19(1)(b)]: DoC not verified accessible")
            passed = False
        # Language check: each target market must have instructions
        for market in self.product.target_markets:
            if market not in self.product.instructions_languages:
                self.findings.append(
                    f"FAIL [Art.19(1)(c)]: No instructions in language for market {market}"
                )
                passed = False
        if not self.product.manufacturer_tech_doc_confirmed:
            self.findings.append(
                "FAIL [Art.19(1)(d)]: Manufacturer technical documentation not confirmed"
            )
            passed = False
        # Importer contact details only need checking when an importer is in the chain
        if self.product.importer_name and not self.product.importer_contact_details_confirmed:
            self.findings.append(
                "FAIL [Art.19(1)(d)]: Importer contact details not confirmed"
            )
            passed = False
        return passed

    def check_art20_transformation(self) -> TransformationRisk:
        """Art.20: Determine if distributor has become a manufacturer."""
        own_name = self.product.own_name_applied
        modification = self.product.security_modifications_made
        if own_name and modification:
            self.findings.append(
                "CRITICAL [Art.20]: Own name + substantial modification → distributor is now MANUFACTURER. "
                "Apply full Art.13 obligations including conformity assessment."
            )
            return TransformationRisk.BOTH
        elif own_name:
            self.findings.append(
                "CRITICAL [Art.20(a)]: Own name/trademark applied → distributor is MANUFACTURER. "
                "Full Art.13 obligations required."
            )
            return TransformationRisk.OWN_NAME
        elif modification:
            self.findings.append(
                f"CRITICAL [Art.20(b)]: Security modification detected ('{self.product.modification_description}') "
                "→ potential substantial modification. Legal review required. May be MANUFACTURER."
            )
            return TransformationRisk.SUBSTANTIAL_MODIFICATION
        return TransformationRisk.NONE

    def record_non_conformity(
        self,
        description: str,
        notified_manufacturer: bool,
        notified_importer: bool,
        notified_msa: bool,
        notification_date: datetime.date,
    ) -> None:
        """Art.19(2): Record non-conformity discovery and notifications."""
        # The distribution hold is mandatory from the moment of discovery
        self.product.availability_status = ConformityStatus.SUSPENDED
        self.product.suspension_reason = description
        self.product.suspension_date = notification_date
        record = {
            "date": notification_date.isoformat(),
            "description": description,
            "manufacturer_notified": notified_manufacturer,
            "importer_notified": notified_importer,
            "msa_notified": notified_msa,
        }
        self.product.non_conformity_notifications.append(record)
        if not notified_manufacturer:
            self.findings.append(
                "FAIL [Art.19(2)]: Non-conformity not notified to manufacturer"
            )
        # The importer must be informed "where applicable", i.e. when one is in the chain
        if self.product.importer_name and not notified_importer:
            self.findings.append(
                "FAIL [Art.19(2)]: Non-conformity not notified to importer"
            )
        if not notified_msa:
            self.findings.append(
                "WARN [Art.19(2)]: Consider whether MSA notification is required (risk to users)"
            )

    def generate_msa_supply_chain_report(self) -> dict:
        """Art.19(4): MSA cooperation — produce supply chain traceability record."""
        return {
            "product_id": self.product.product_id,
            "product_name": self.product.product_name,
            "manufacturer": self.product.manufacturer_name,
            "importer": self.product.importer_name,
            "target_markets": self.product.target_markets,
            "availability_status": self.product.availability_status.value,
            "pre_availability_checks": {
                "ce_marking": self.product.ce_marking_verified,
                "doc_accessible": self.product.doc_accessible,
                "doc_url": self.product.doc_url,
                "language_verified": self.product.instructions_language_verified,
                "manufacturer_tech_doc": self.product.manufacturer_tech_doc_confirmed,
            },
            "art20_risk": self.check_art20_transformation().value,
            "non_conformity_history": self.product.non_conformity_notifications,
        }

    def full_compliance_report(self) -> dict:
        pre_availability_ok = self.check_pre_availability()
        art20_risk = self.check_art20_transformation()
        return {
            "overall_status": "COMPLIANT" if (
                pre_availability_ok
                and art20_risk == TransformationRisk.NONE
                and self.product.availability_status != ConformityStatus.SUSPENDED
            ) else "NON_COMPLIANT",
            "pre_availability_ok": pre_availability_ok,
            "art20_transformation_risk": art20_risk.value,
            "availability_status": self.product.availability_status.value,
            "findings": self.findings,
        }
```
The Art.19 × Art.18 Intersection: When Both Apply
In complex supply chains, the same entity can have obligations under both Art.18 and Art.19 for different products in their portfolio. A company that is the EU-based importer for Product A (applying Art.18) may be a pure distributor for Product B (applying Art.19).
The critical intersection is the Art.18(3) / Art.19(1)(d) handshake:
- Importers must affix their contact details to the product (Art.18(3))
- Distributors must verify that importers have done so (Art.19(1)(d))
If a distributor receives a product and the importer's contact details are missing, the distributor faces two options:
- Refuse to distribute until the importer complies
- Notify the importer and give a reasonable deadline, then report to the MSA if the importer does not comply
Distributors who simply pass through a non-conforming product — without CE marking, without verifiable DoC, without importer contact details — and claim ignorance will find that Art.19(1) imposed an affirmative verification duty they failed to discharge.
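The Art.19(2) response sequence (hold, written upstream notice, MSA notice, escalation when the manufacturer does not act within a reasonable deadline) as a small case tracker. This is an added example, not code from the sota.io series; the 14-day response deadline is an assumed parameter, since the regulation fixes no number.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Hold(Enum):
    AVAILABLE = "available"
    SUSPENDED = "suspended"  # Art.19(2)(d): not made available until conforming


@dataclass
class NonConformityCase:
    product_id: str
    concern: str  # the specific non-conformity (e.g. CE marking missing)
    market: str   # Member State where the product was / would be made available
    opened: date
    hold: Hold = Hold.SUSPENDED
    manufacturer_notified: Optional[date] = None
    importer_notified: Optional[date] = None
    msa_notified: Optional[date] = None
    corrected: Optional[date] = None
    log: list[str] = field(default_factory=list)  # the date-stamped written record

    def note(self, when: date, text: str) -> None:
        self.log.append(f"{when.isoformat()} {text}")


def open_case(product_id: str, concern: str, market: str, today: date) -> NonConformityCase:
    """'Reason to believe' reached: the distribution hold starts the same day."""
    case = NonConformityCase(product_id, concern, market, opened=today)
    case.note(today, f"hold placed on {product_id}: {concern} (market {market})")
    return case


def notify_upstream(case: NonConformityCase, today: date, has_importer: bool) -> None:
    """Art.19(2)(a): substantive, dated notice naming the concern, product and market."""
    case.manufacturer_notified = today
    case.note(today, f"manufacturer notified: {case.concern}; product {case.product_id}; market {case.market}")
    if has_importer:
        case.importer_notified = today
        case.note(today, "importer notified")


def notify_msa(case: NonConformityCase, today: date) -> None:
    """Art.19(2)(c): notice to the MSA of the Member State concerned."""
    case.msa_notified = today
    case.note(today, f"MSA ({case.market}) notified")


def confirm_correction(case: NonConformityCase, today: date) -> None:
    """Art.19(2)(b)/(d): corrective measures confirmed, so the hold can be lifted."""
    case.corrected = today
    case.hold = Hold.AVAILABLE
    case.note(today, "corrective measures confirmed; hold lifted")


def pending_actions(case: NonConformityCase, today: date,
                    risk_to_users: bool = False, response_days: int = 14) -> list[str]:
    """What the distributor still owes on this case as of `today`.

    response_days is the 'reasonable deadline' given to the manufacturer; the
    14-day default is an assumption, the regulation does not fix a number.
    """
    actions: list[str] = []
    if case.corrected is not None:
        return actions
    if case.manufacturer_notified is None:
        actions.append("notify manufacturer/importer in writing")
    if risk_to_users and case.msa_notified is None:
        # MSA notification is independent of manufacturer action when users are at risk
        actions.append("notify MSA now (risk to users)")
    elif (case.manufacturer_notified is not None and case.msa_notified is None
          and today - case.manufacturer_notified > timedelta(days=response_days)):
        actions.append(f"no corrective action after {response_days} days: escalate to MSA")
    if case.hold is not Hold.SUSPENDED:
        actions.append("reinstate distribution hold until brought into conformity")
    return actions
```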
Distributor Obligations When the Manufacturer Is Non-EU
The CRA's supply chain design assumes that the EU market is the end of the chain for enforcement purposes. When a manufacturer is based outside the EU:
- The importer (Art.18) is the primary EU-enforcement anchor for pre-market compliance
- The authorised representative (Art.12) handles ongoing market surveillance contact
- The distributor (Art.19) is the last-line check at the distribution stage
For distributors dealing with non-EU manufacturers, the practical risk is that the manufacturer may be slow or unresponsive to non-conformity notifications. Art.19(2) does not excuse the distributor from its obligations because the manufacturer is foreign — the distributor must suspend and notify the MSA regardless of manufacturer response.
The practical implication: distributors dealing with non-EU manufacturers need contractual provisions that:
- Require the manufacturer to maintain CRA conformity throughout the product lifecycle
- Require immediate notification of any events that would affect conformity status
- Provide the distributor with access to technical documentation on MSA request
- Give the distributor the right to suspend distribution and seek indemnification if the manufacturer fails to comply
20-Item CRA Distributor Compliance Checklist (December 2027)
Pre-Availability Verification (Art.19(1))
- 1. CE marking visible and legible on all products or product packaging
- 2. EU Declaration of Conformity accessible (physical or verified URL)
- 3. DoC version and date recorded in vendor file
- 4. Instructions available in language(s) of all target Member States
- 5. Language compliance documented per market (not just "English available")
- 6. Manufacturer's technical documentation confirmed as drawn up (vendor attestation or contract clause)
- 7. Importer's contact details affixed to product (where importer is in supply chain)
- 8. Pre-availability checklist completed and dated before first distribution
Art.20 Transformation Risk Assessment
- 9. Own-name/trademark analysis completed: no company branding applied to product
- 10. Modification log reviewed: no security-relevant changes made to product
- 11. Legal assessment obtained if any modification is borderline substantial
- 12. If own name or substantial modification: Art.13 manufacturer obligations triggered
Non-Conformity and Incident Response (Art.19(2))
- 13. Non-conformity discovery protocol documented (who receives reports, timelines)
- 14. Manufacturer and importer notification template prepared
- 15. MSA notification process established (contact point per target Member State)
- 16. Distribution suspension procedure in place (who authorises hold, how quickly)
- 17. All non-conformity notifications logged with date and recipient
MSA Cooperation (Art.19(4))
- 18. Supply chain records maintained: manufacturer, importer, product version, distribution date
- 19. Record retention aligned to 10-year window (minimum — align with Art.13(12))
- 20. MSA cooperation procedure documented (who is the designated point of contact)
Key Takeaways for Development and Product Teams
If you distribute but do not manufacture: Run the four-point Art.19(1) checklist before every new product or product version you make available. Document it. The verification cost is low; the non-conformity liability is not.
If you apply your name to a product: Stop. You are now the manufacturer under Art.20(a). Engage your legal team and plan a conformity assessment before market availability.
If you patch or configure a product: Determine whether the change is substantial under Art.3(23). If it affects security properties that were covered by the conformity assessment, you may be the manufacturer under Art.20(b).
If your non-EU manufacturer goes silent after a non-conformity report: Suspend distribution and notify the MSA. The CRA does not allow distributors to hide behind unresponsive upstream parties.
If you are a SaaS reseller: Your relationship structure matters. If you contract directly with end-users in your own name for third-party SaaS, you are making that product available and Art.19 applies. Negotiate vendor notification obligations into your reseller agreement now, before the December 2027 deadline.
Internal Links
- CRA Art.18: Importer Obligations — upstream Art.19 dependency
- CRA Art.12: Authorised Representatives — third pillar of CRA supply chain compliance
- CRA Art.13: Manufacturer Obligations — what Art.20 transformation triggers
- CRA Art.9: Open Source Due Diligence — component-level supply chain obligations
- CRA Art.2: Scope — whether your product is in scope at all