Distributor Obligations (Art. 17)
Overview
Distributors are economic operators in the supply chain that make a product with digital elements available on the market without being a Manufacturer or Importer. The CRA imposes due diligence obligations on them that are primarily focused on verification and cooperation.
LEGAL BASIS
Art. 17 CRA: The Distributor shall act with due diligence in relation to the requirements of this Regulation when making a product with digital elements available on the market.
Art. 3 No. 22 CRA: "Distributor" means any natural or legal person in the supply chain that makes a product with digital elements available on the market without being a Manufacturer or Importer.
When Is BAUER GROUP a Distributor?
BAUER GROUP acts as a Distributor when:
- Finished software products from other manufacturers are redistributed to customers (without modification by BAUER GROUP)
- Hardware with embedded software from a third-party manufacturer is supplied to end customers
- Products are offered through BAUER GROUP's own webshop or marketplace, where BAUER GROUP is neither the Manufacturer nor the Importer
DISTINCTION
- Distributor --> Unmodified redistribution
- Importer --> First placing on the market of a non-EU product
- Manufacturer --> Own product or substantial modification (--> Art. 20)
Obligations in Detail
1. Due Diligence (Art. 17 Para. 1)
Before a product is made available, the Distributor must verify:
- [ ] Product bears the CE marking
- [ ] EU declaration of conformity (or simplified version with URL) is enclosed
- [ ] Manufacturer has provided contact details on the product
- [ ] For imported products: Importer has provided their contact details
- [ ] Product has a unique identification (type, batch, serial number)
2. Distribution Stop in Case of Non-Conformity (Art. 17 Para. 2)
If the Distributor has reason to believe that a product is non-compliant:
- Do not make the product available until conformity is established
- Inform the Manufacturer or Importer
- Inform the Market Surveillance authorities if a serious risk exists
3. Storage and Transport Conditions (Art. 17 Para. 3)
Ensure that storage and transport do not compromise conformity:
- Ensure integrity of software distribution media
- Use secure download channels
- No tampering with software during distribution
4. Cooperation with Authorities (Art. 17 Para. 4)
Upon request from Market Surveillance authorities:
- Provide all required information and documents
- Assist in eliminating risks
- Be able to identify the Manufacturer and Importer
5. Reporting Obligations (Art. 17 Para. 5)
Upon becoming aware of an actively exploited vulnerability or a severe incident:
- Inform the Manufacturer without delay
- If the Manufacturer does not respond: inform the Importer
- If neither responds: report directly to ENISA and the national CSIRT
6. Corrective Measures (Art. 17 Para. 6)
If the Distributor determines that an already distributed product is non-compliant:
- Take corrective measures (recall, warning to customers)
- Inform Market Surveillance authorities
- Document all measures
Checklist for Distributors
Before Making Available
- [ ] CE marking verified
- [ ] EU declaration of conformity is available (or URL to simplified version)
- [ ] Manufacturer's contact details present on the product
- [ ] Importer's contact details present (for non-EU products)
- [ ] Product identification present
- [ ] No knowledge of non-conformity or serious risks
Ongoing
- [ ] Track customer complaints and security warnings
- [ ] Forward manufacturer security advisories to customers
- [ ] Support manufacturer recall actions
- [ ] Integrity of distribution channels secured
Difference Between Distributor and Importer
| Criterion | Distributor | Importer |
|---|---|---|
| Role | Making available on the market | First placing on the market |
| Verification depth | Formal verification (CE, DoC) | Substantive verification (conformity assessment) |
| Own labelling | Not required | Mandatory (name, address) |
| Document retention | Not explicitly required | 10-year obligation |
| ENISA reporting obligation | Subsidiary (if Manufacturer does not respond) | Subsidiary (if Manufacturer does not respond) |
Liability and Penalties
| Violation | Penalty |
|---|---|
| Making non-compliant products available (despite knowledge) | Up to EUR 15 million or 2.5% of annual turnover |
| Failure to exercise due diligence | Up to EUR 10 million or 2% of annual turnover |
| False information to authorities | Up to EUR 5 million or 1% of annual turnover |
Details: Penalties