Back to Blog
Industrial MachineryIndustrial ComponentsIoTSmart HomeEmbedded SystemsCRA ComplianceCyber Resilience ActWhite LabelImporter

CRA Friday Facts: Why Your Logo Makes You the Manufacturer

"We're just an importer." Wrong, the moment your logo is on the product. The CRA turns white-label vendors into manufacturers, with all the obligations.

April 24, 2026
4 min read
Maximilian Heck

"We're just an importer. The Cyber Resilience Act applies to the manufacturers in China." That sounds logical. But it's wrong the moment your name or brand is on the product.

Industrial product with nameplate labeled 'Your Logo' and CE mark in a warehouse with shipping cartons

Who is a manufacturer under the CRA?

The EU Cyber Resilience Act is unambiguous here: Anyone placing a product with digital elements on the market under their own name or brand qualifies as a manufacturer. Not as an importer. Not as a distributor. As a manufacturer. With all the obligations.

The definition sits in Article 3 and is reinforced in Article 21: Importers and distributors become manufacturers under the regulation as soon as they place a product on the market under their own name or brand, or modify it substantially enough that it is treated as a new product.

That means: Whoever puts the logo on takes on the responsibility. Risk assessment, SBOM, Security by Default, vulnerability management, reporting obligations, technical documentation. All of it sits with you. Not with your supplier in Shenzhen.

Why white-label vendors are especially affected

Companies with their own brands and white-label products are especially affected. The classic business model of buying product in Asia, branding it as your own and selling it in Europe now requires significant compliance effort on your side.

Anyone who used to review the CE papers from the upstream supplier and pass them on now bears the responsibility themselves, for all CRA-specific requirements, not just for the formal declaration of conformity.

Typical scenarios:

  • Own-brand vendors in smart home or IoT segments rebranding OEM hardware
  • Machinery integrators distributing finished control components from suppliers under their own label
  • Distributors adapting white-label devices for the European market
  • Online retailers with private labels for consumer electronics

In all cases: The moment your logo leaves the warehouse on the product, you are the addressee of all CRA obligations.

Myth vs. fact

Myth: We only import, so we're not affected.

Fact: Your logo on the product makes you the manufacturer under the CRA, with the full list of obligations.

What you should check now

Don't wait until 2027. Review your supplier contracts now and anchor concretely:

1. SBOM delivery obligation. Format, update frequency, delivery point. No defensible conformity statement and no vulnerability management without an SBOM.

2. Access to technical documentation. You must be able to substantiate the conformity assessment, without design data and source documentation from the supplier, that becomes difficult.

3. Contractually guaranteed vulnerability support. Response times matching the 24-hour reporting obligation. If your Chinese supplier needs three days for an initial response, you've long since missed the deadline.

4. Lifecycle update obligations. The CRA requires security updates for the expected useful life. Your supplier must support this horizon, contractually.

5. Audit rights and exit paths. What happens at contract end or supplier insolvency? Without access to design data, your product is unmaintainable after the next switch.

More on delegating liability to suppliers is covered separately.

Frequently asked questions

Am I an importer or a manufacturer when selling white-label products? The moment your name, brand, or logo is on the product, you are a manufacturer under the CRA, not an importer.

What does the CRA say about white-label arrangements? The CRA treats whoever places a product on the market under their own label as the manufacturer. Risk assessment, SBOM, vulnerability management, and reporting obligations sit with you.

What obligations do I have as a white-label vendor under the CRA? All manufacturer obligations: risk assessment, SBOM, Security by Default, continuous vulnerability management, 24-hour ENISA reporting, technical documentation, and the EU declaration of conformity.

Can my supplier in China handle CRA compliance for me? No. The CRA does not allow liability delegation. Contractual arrangements govern the internal relationship but do not change your public-law obligation.

Conclusion

Your logo makes you the manufacturer under the CRA. The obligations cannot be delegated, not even via supplier contracts.

Those who start today aligning supplier contracts on SBOM data, response times, update obligations, and data access will have a functioning compliance stack in 2027. Those who wait risk fines and recalls, and stand alone in the first ENISA inquiry.

A structured CRA roadmap helps close the gaps in your supply chain before market surveillance does it for you.

Every Friday I debunk a CRA myth here.

Share:

Continue Reading

CRA Friday Facts: Why SMEs Are Fully Affected Too

The CRA applies to every manufacturer with digital elements, 8 employees or 17,000. SME relief reduces bureaucracy, not the security standard.

Read more

CRA Friday Facts: CE Marking Done. Compliance Is an Ongoing Obligation

The CRA makes cybersecurity a continuous obligation. Without ongoing monitoring, documentation, and updates, conformity is lost, even after the EU declaration of conformity is signed.

Read more

CRA Friday Facts: No Grandfathering, the Production Date Doesn't Count

There is no CRA grandfathering by production date. What counts is placing on the market, the day a unit actually reaches the EU market.

Read more

Ready to tackle CRA compliance?

Kunnus gives manufacturers of every size the tools to achieve full CRA compliance — from SBOM management to ENISA reporting, in one platform.

View Industry SolutionFree CRA Assessment