CRA Art.35: Formal Non-Compliance — CE Marking Irregularities, Documentation Gaps, and Corrective Measures (Developer Guide 2026)
The Cyber Resilience Act's enforcement framework distinguishes between two categories of non-compliance. The first — covered by Articles 32 through 34 — concerns products that present actual or potential cybersecurity risks to users, infrastructure, or the digital ecosystem. The second, addressed by Article 35, concerns formal violations: administrative and documentary failures that do not necessarily mean the product is unsafe, but do mean it is not legally compliant with how the CRA requires manufacturers to document, mark, and declare compliance.
Article 35 is the provision market surveillance authorities use when they find a CE mark affixed to a product that did not complete the required conformity assessment, or when technical documentation is absent or incomplete, or when the EU declaration of conformity is missing or incorrectly structured. These are correctable violations — and the Article 35 procedure is designed to give manufacturers a defined opportunity to correct them before escalation.
What Formal Non-Compliance Means Under the CRA
"Formal non-compliance" is a term of art in EU product legislation. It does not mean the product is necessarily dangerous. It means the manufacturer has failed to complete, correctly implement, or maintain one or more of the regulatory requirements that the CRA imposes on the path to market.
The most common categories of formal non-compliance under Article 35 include:
CE marking irregularities. The CE marking must meet specific visual requirements — minimum dimensions, approved graphical form, prohibition on imitations — and must appear in the right place. Marking a product with a CE symbol that does not meet the required graphical specifications, placing it in a location where it is not clearly visible, or affixing it with an incorrectly formatted notified body identification number all constitute formal non-compliance. More seriously, affixing a CE mark to a product that has not completed the required conformity assessment procedure — or that no longer meets the conditions under which it was originally marked — is a substantive CE marking violation under Article 35.
Missing or deficient EU Declaration of Conformity. Every product with digital elements placed on the EU market must be accompanied by an EU declaration of conformity (EU DoC). Article 35 applies when the EU DoC is absent entirely, when it is present but does not contain all required elements, when it references the wrong standards or technical specifications, or when it was signed by someone without the authority to bind the manufacturer. The EU DoC is a legal document — errors in its structure, content, or signatory authority create formal non-compliance regardless of the product's actual security properties.
Incomplete or missing technical documentation. Article 22 of the CRA establishes what the technical documentation must contain: the product description, design and production information, vulnerability handling procedures, conformity assessment records, and supporting evidence for each security requirement. If a market surveillance authority requests technical documentation during an inspection and the manufacturer cannot provide documentation that meets Article 22's requirements, Article 35 applies. The gap could be a missing SBOM, an incomplete vulnerability disclosure policy, or a failure to document the security testing methodology.
Conformity assessment procedure deficiencies. Certain categories of products — those classified as important or critical under Annex III — must undergo third-party conformity assessment. If a manufacturer has self-certified a product that required notified body involvement, or if the conformity assessment certificate has expired and the manufacturer has not initiated renewal, the resulting non-compliance falls under Article 35.
Registration failures. Products that fall under Article 32's registration requirement — critical products in particular — must be registered in the ENISA database before being placed on the market. Failure to register, or registering with incorrect or incomplete information, constitutes formal non-compliance under Article 35.
How the Article 35 Procedure Works
The Article 35 procedure follows a structured sequence that gives manufacturers notice, an opportunity to cure, and — if they fail to cure — escalating consequences.
Step 1: Identification by a Market Surveillance Authority
The procedure begins when a national market surveillance authority, in the course of its normal market surveillance activities, identifies indicators of formal non-compliance. This identification can come from:
- Physical inspection of product markings during customs or market checks
- Review of EU DoC documents submitted as part of an investigation into a related complaint
- Sampling of technical documentation during a scheduled manufacturer audit
- Referral from a notified body that identified documentation deficiencies during an aborted conformity assessment
- Cross-border information sharing through the ICSMS system, where another Member State's MSA has flagged the same product
The MSA does not need to prove that the product presents a cybersecurity risk to initiate Article 35 proceedings. The formal violation — the CE marking error, the missing documentation, the incomplete DoC — is itself sufficient grounds to open the procedure.
Step 2: Notification to the Manufacturer
Once the MSA has identified formal non-compliance, it must notify the manufacturer (or, where the manufacturer is not established in the EU, the authorised representative or importer) of its findings. The notification must specify:
- The nature of the formal non-compliance identified
- The specific regulatory provision being violated (for example, Article 20 on CE marking requirements, Article 28 on the EU DoC, or Article 22 on technical documentation)
- The timeframe within which the manufacturer must take corrective action
- What corrective action is required to cure the violation
- The consequences of failing to take corrective action within the specified timeframe
The timeframe for corrective action is set by the MSA based on the nature and severity of the formal violation. A simple CE marking formatting error that can be corrected in production might warrant a short deadline. Reconstructing missing technical documentation that should have been prepared before market placement might require more time — but the deadline still applies, and the MSA does not extend it indefinitely.
Step 3: Manufacturer's Corrective Response
The manufacturer's obligation upon receipt of the Article 35 notification is to take the corrective action specified within the deadline. Depending on the violation, corrective action might include:
For CE marking irregularities: Correcting the marking on all units in inventory before further market placement, implementing a field correction or relabelling programme for units already distributed, and providing the MSA with evidence that the marking now meets the required specifications.
For EU DoC deficiencies: Reissuing the declaration with the correct content, signing it with the appropriate authority, and ensuring the corrected document accompanies the product. If the product was placed on the market before the DoC deficiency was identified, the manufacturer must also update the DoC for units already in the distribution chain.
For technical documentation gaps: Preparing or completing the missing documentation elements — SBOMs, vulnerability handling procedures, security testing records — and making the complete documentation available to the MSA for review within the specified timeframe.
For conformity assessment deficiencies: Engaging a notified body to complete the required third-party assessment if the manufacturer has been self-certifying a product that required external assessment. This is the most resource-intensive corrective action because it cannot be completed quickly — and manufacturers who failed to complete the correct assessment before market placement will face both the cost of retroactive assessment and the risk that the product fails.
For registration failures: Completing registration in the ENISA database with correct and complete information, and notifying the MSA once registration is confirmed.
In each case, the manufacturer must provide the MSA with evidence of corrective action. The MSA does not accept a manufacturer's assertion that the violation has been corrected without documentation.
Step 4: Escalation for Non-Compliance
If the manufacturer fails to take corrective action within the specified timeframe, or if the corrective action taken does not actually cure the violation, the MSA moves to escalation. Article 35 gives MSAs the following escalation powers:
Prohibition of market placement. The MSA can prohibit the manufacturer, importer, and distributors from placing further units of the product on the EU market until the formal non-compliance is corrected. This is not a product recall — units already in the hands of end users are not affected — but it stops further sales.
Restriction of market availability. For products already distributed, the MSA can require distributors to stop making the product available, effectively removing it from active sale in the Member State.
Market withdrawal. If the formal non-compliance is sufficiently serious — for example, if the product has never completed any conformity assessment procedure at all — the MSA can require the product to be withdrawn from the market entirely, including from distributors' stock.
The severity of the escalation measure must be proportionate to the nature of the formal non-compliance. An MSA cannot impose market withdrawal as a first response to a CE marking formatting error. The escalation ladder — from prohibition of new placements to market withdrawal — is calibrated to the gravity of the violation and the manufacturer's response to the initial notification.
Step 5: Notification to the Commission and Other Member States
When an MSA takes escalation measures under Article 35, it must notify the European Commission and all other Member States through the SAFETY Gate system (and, for more complex cases, ICSMS). The notification includes:
- The identity of the product and economic operators
- The nature of the formal non-compliance identified
- The corrective action requested and the manufacturer's response
- The escalation measures imposed
- Any objections or responses from the manufacturer
This notification triggers the possibility of EU-wide action. Other Member States can review the notified information and take equivalent measures in their own jurisdictions. If multiple Member States have identified the same formal non-compliance for the same product, the Commission can coordinate a unified response to avoid inconsistent enforcement across the single market.
The Relationship Between Article 35 and Other CRA Enforcement Articles
Understanding Article 35 requires placing it in the broader enforcement architecture of the CRA:
Article 32 establishes the general market surveillance powers that MSAs exercise across all products with digital elements. It is the framework within which Article 35 operates — Article 35 is one specific application of those general powers, applied to the specific category of formal non-compliance.
Article 34 governs products presenting significant cybersecurity risk. If a formal non-compliance identified under Article 35 also involves a product that presents a significant cybersecurity risk — for example, a product that lacks a required conformity assessment and also contains an actively exploited vulnerability — the MSA will typically escalate to Article 34 rather than proceeding under Article 35 alone. The two procedures can run in parallel, but the Article 34 fast-track powers take priority when risk is present.
Article 33 creates the Union Safeguard Procedure — the mechanism by which the Commission reviews national market surveillance measures when Member States disagree about whether those measures are justified. If an MSA imposes escalation measures under Article 35 and the manufacturer or another Member State challenges the measures, Article 33 provides the review mechanism.
The key distinction is one of risk. Article 35 is explicitly reserved for formal violations that do not present a significant cybersecurity risk. When risk is present — even if the underlying violation is also a formal one — the appropriate procedure shifts to Article 34.
Common Article 35 Failure Patterns for Developers and Manufacturers
Most Article 35 findings that reach the escalation stage stem from predictable patterns. Understanding these patterns lets manufacturers address them before market surveillance identifies them.
CE Marking at Launch Without Completed Assessment
The most consequential Article 35 failure is affixing a CE mark and placing a product on the market before the conformity assessment procedure is complete. For Class I products (self-certification path), this means the manufacturer has not actually completed the internal documentation review and risk assessment required to sign the EU DoC. For Class II and III products (requiring notified body involvement), this means the manufacturer has proceeded to market placement before the notified body has issued its assessment.
This failure pattern often arises from schedule pressure. The conformity assessment process takes time, and product launch dates do not always accommodate that time. Manufacturers who launch before assessment is complete face exactly the situation Article 35 is designed to address — and they face it with no completed documentation to present to an MSA.
Stale Technical Documentation
Technical documentation is not a one-time deliverable. The CRA requires documentation to reflect the current state of the product, including its current vulnerability handling procedures, its current SBOM, and its current security testing records. Manufacturers who prepare technical documentation at launch and then fail to update it as the product evolves will eventually face a gap between what the documentation says and what the product does.
Market surveillance authorities can request technical documentation at any point during the product's lifecycle. A manufacturer whose documentation was accurate at launch in 2025 but has not been updated through three major firmware releases will likely face an Article 35 finding if documentation is requested in 2027.
Distributor Chain Gaps
Importers and distributors share responsibility for ensuring that the products they handle have the required CE marking and accompanying documentation. An importer who places products on the EU market without verifying that the manufacturer has completed the required conformity assessment, or without ensuring that the EU DoC accompanies the product, creates Article 35 exposure for themselves.
Distributors are typically not responsible for the content of the technical documentation — that obligation rests with the manufacturer. But distributors are responsible for ensuring that the CE marking is present and visually intact on products they handle, and that they have not taken any action that would affect the product's compliance with the conditions under which it was certified.
Post-Certification Modifications
A product that completes conformity assessment and receives a CE mark is certified in a specific configuration. If the product subsequently undergoes modifications that affect its security properties — new functionality, changed network protocols, updated cryptographic libraries — the manufacturer must assess whether those changes require a new or updated conformity assessment.
Article 20 of the CRA addresses substantial modification: changes that create a new cybersecurity risk or significantly alter the product's compliance with the essential requirements. If an Article 20 substantial modification occurs and the manufacturer does not initiate a new conformity assessment, the existing CE mark no longer reflects the product's current compliance status. When a market surveillance authority identifies this gap, it is a formal non-compliance under Article 35.
Practical Compliance Checklist for Manufacturers
To minimise Article 35 exposure, manufacturers should maintain the following as live documents throughout the product lifecycle:
class CRAFormalComplianceChecker:
def __init__(self, product_name: str, product_class: str):
self.product_name = product_name
self.product_class = product_class # "I", "II", or "III"
self.checks = {}
def check_ce_marking(self, marking_specs: dict) -> dict:
issues = []
if marking_specs.get("height_mm", 0) < 5:
issues.append("CE marking height below 5mm minimum")
if not marking_specs.get("proportions_maintained"):
issues.append("CE marking proportions altered — only uniform scaling permitted")
if marking_specs.get("notified_body_id") and not marking_specs.get("nbo_id_format_correct"):
issues.append("Notified body identification number format incorrect")
if not marking_specs.get("visible_on_product"):
issues.append("CE marking not visible on product or accompanying documentation")
return {"compliant": len(issues) == 0, "issues": issues}
def check_declaration_of_conformity(self, doc: dict) -> dict:
required_elements = [
"product_name_model",
"manufacturer_name_address",
"authorised_representative", # if non-EU manufacturer
"declaration_statement",
"eu_legislation_referenced",
"standards_or_specs_referenced",
"notified_body_details", # if applicable
"place_date_of_issue",
"authorised_signatory_name_function",
"signature",
]
missing = [e for e in required_elements if not doc.get(e) and e != "authorised_representative"]
return {
"compliant": len(missing) == 0,
"missing_elements": missing,
"needs_update": doc.get("last_updated") != doc.get("current_product_version"),
}
def check_technical_documentation(self, docs: dict) -> dict:
required = {
"product_description": "General description and intended use",
"design_information": "Design and production details including diagrams",
"sbom": "Software bill of materials",
"vulnerability_handling": "Vulnerability disclosure and handling policy",
"security_requirements_evidence": "Evidence for each CRA essential requirement",
"conformity_assessment_records": "Records of conformity assessment procedure",
"eu_doc_copy": "Copy of EU declaration of conformity",
}
status = {}
for key, description in required.items():
status[key] = {
"present": bool(docs.get(key)),
"current": docs.get(f"{key}_version") == docs.get("current_product_version"),
"description": description,
}
gaps = [k for k, v in status.items() if not v["present"] or not v["current"]]
return {"compliant": len(gaps) == 0, "gaps": gaps, "detail": status}
def check_conformity_assessment_path(self, assessment: dict) -> dict:
if self.product_class == "I":
required_path = "self_certification"
if assessment.get("path") != "self_certification":
return {"compliant": False, "issue": "Class I product should use self-certification path"}
elif self.product_class in ["II", "III"]:
required_path = "notified_body"
if assessment.get("path") != "notified_body":
return {
"compliant": False,
"issue": f"Class {self.product_class} product requires notified body assessment",
}
if not assessment.get("certificate_valid"):
return {"compliant": False, "issue": "Notified body certificate expired or not issued"}
return {"compliant": True, "path": required_path}
def full_compliance_report(
self,
marking_specs: dict,
doc_of_conformity: dict,
technical_docs: dict,
assessment_info: dict,
) -> dict:
ce_result = self.check_ce_marking(marking_specs)
doc_result = self.check_declaration_of_conformity(doc_of_conformity)
tech_result = self.check_technical_documentation(technical_docs)
assessment_result = self.check_conformity_assessment_path(assessment_info)
all_compliant = all([
ce_result["compliant"],
doc_result["compliant"],
tech_result["compliant"],
assessment_result["compliant"],
])
return {
"product": self.product_name,
"overall_compliant": all_compliant,
"article_35_risk": "LOW" if all_compliant else "HIGH",
"areas": {
"ce_marking": ce_result,
"declaration_of_conformity": doc_result,
"technical_documentation": tech_result,
"conformity_assessment": assessment_result,
},
}
Article 35 and Penalties
Formal non-compliance under Article 35 is not just a procedural problem. It is a prerequisite condition for penalty proceedings under Article 64 of the CRA. Article 64 specifies administrative fines for different categories of CRA violation:
- Non-compliance with the essential requirements (Article 10 and Annex I): up to EUR 15 million or 2.5% of worldwide annual turnover
- Non-compliance with other obligations (including formal obligations): up to EUR 10 million or 2% of worldwide annual turnover
- Provision of incorrect information to authorities: up to EUR 5 million or 1% of worldwide annual turnover
The formal violations addressed by Article 35 — CE marking irregularities, missing documentation, incomplete conformity assessment — fall under the "other obligations" category, making them subject to fines up to EUR 10 million or 2% of global turnover. These are not trivial amounts. For a developer or manufacturer who dismisses documentation requirements as administrative paperwork, the penalty exposure should reframe that assessment.
The fines are imposed by Member State authorities under their own national procedures, and Member States are expected to implement penalty structures consistent with Article 64 by the CRA's application date. The Article 35 correction procedure gives manufacturers a defined opportunity to avoid penalties by correcting violations promptly — but persistent or repeated formal non-compliance is likely to attract penalty proceedings in addition to market restriction measures.
Summary
| Violation Type | Article 35 Applicability | Corrective Action | Escalation |
|---|---|---|---|
| CE marking formatting error | Yes | Correct marking in production | Market placement prohibition |
| CE mark affixed without completed assessment | Yes | Complete assessment or remove mark | Market withdrawal |
| Missing EU Declaration of Conformity | Yes | Prepare and issue correct DoC | Market placement prohibition |
| Incomplete technical documentation | Yes | Complete missing elements | Market placement prohibition |
| Stale technical documentation (post-modification) | Yes | Update to reflect current product | Market placement prohibition |
| Wrong conformity assessment path | Yes | Engage notified body if required | Market placement prohibition |
| Significant cybersecurity risk | No — use Art.34 | — | Art.34 interim measures |
| Product failing essential requirements | No — use Art.32 | — | Art.32 corrective action |
Article 35 is the CRA's administrative enforcement mechanism — the procedure that handles compliance failures before they become safety crises. Manufacturers who treat documentation as a genuine operational responsibility, maintain their technical documentation through the product lifecycle, and verify CE marking and DoC completeness before market placement will rarely encounter Article 35 proceedings. Those who treat compliance as a launch-day checkbox will eventually face an MSA with a deadline and escalation authority.
The essential requirement is straightforward: if you have placed a CE mark on a product, you must have completed the procedure that entitles you to do so, and you must be able to demonstrate that fact to any market surveillance authority that asks.