Summary

A distributor under the EU Cyber Resilience Act (CRA) is an entity that makes products with digital elements available on the market as part of a commercial activity.

Relevant CRA Provisions

– Recital 20, Recital 78
– Article 20, Article 21, Article 23

Detailed Explanation

A distributor is defined under the CRA as an entity that supplies products with digital elements for distribution or use on the Union market in the course of a commercial activity. This includes entities that host products on open repositories but only if they make such software available on the market and supply it for distribution or use as part of a commercial activity. The CRA specifies that merely hosting products does not constitute making them available on the market unless it is part of a commercial activity. Additionally, entities providing online intermediation services or operating online marketplaces may be considered distributors if they also distribute products with digital elements.

Obligations for Stakeholders

– Distributors: Must act with due care regarding CRA requirements, verify compliance of products with digital elements before making them available on the market, ensure products bear the CE marking, and confirm that manufacturers and importers have complied with specified obligations. Distributors must not make non-compliant products available and must inform manufacturers and market surveillance authorities of any significant cybersecurity risks. They are also required to take corrective measures, inform authorities of vulnerabilities, and cooperate with market surveillance authorities upon request.