🏭 Manufacturers

Understanding the manufacturer role and responsibilities under the CRA

What is a manufacturer?

The term Manufacturer is defined in Article 3(13) of the CRA:

‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;

© 2025 ORC WG Authors, CC-BY-4.0
Disclaimer

Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.

Can a manufacturer also be an open-source software steward?

Yes, a manufacturer can also be an open-source software steward.

This can happen whenever a manufacturer releases open source software and meets the requirements to be the open-source software steward of that project.

A manufacturer of commercial open source software can even be the open-source software steward of the community edition of the same project that it commercializes. In such a case, it has manufacturer obligations to its customers and steward obligations to the users of its community edition.

© 2025 ORC WG Authors, CC-BY-4.0

As a manufacturer, if I make a mistake or a security flaw is found in my project, will I get in trouble?
  • If you fail to comply with the CRA, you will likely first receive a letter or email from a market surveillance authority asking you to address the issue.
  • If you still fail to address the issue as a manufacturer, you could receive a fine. The fine is scaled to the size of your organisation and to the seriousness of the infringement.
  • Microenterprises or small enterprises are exempted from fines relating to the obligation to notify authorities about vulnerabilities and severe incidents within 24 hours.
© 2025 ORC WG Authors, CC-BY-4.0

What should small and medium manufacturers expect in terms of enforcement style and corrective actions from market surveillance authorities?

Small and medium manufacturers should expect proportionate, step-by-step enforcement focused on bringing products into compliance rather than imposing immediate penalties. Market surveillance authorities typically scale expectations to risk and capacity, not to formal legal obligations alone.

Proportionality to company size runs through the Regulation. Conformity assessments must be carried out "taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises" (Article 47), and when determining fines, authorities must consider "whether the manufacturer is a microenterprise or a small or medium-sized enterprise, including a start-up" (Recital 120).

By analogy with patterns seen under GDPR enforcement, authorities are likely to begin with guidance, warnings, or requests for corrective action before considering penalties. Common corrective actions include patching vulnerabilities, improving update mechanisms, or fixing insecure default configurations. Penalties or market restrictions become more likely only if a manufacturer fails to act, repeats issues, or puts users at significant risk.

Smaller entities also benefit from explicit legal safeguards: all penalties must be "effective, proportionate and dissuasive" (Recital 120), and penalties imposed on natural persons must account for "the economic situation" and "size" of the entity (Recital 121). Microenterprises and small enterprises are explicitly exempted from fines for failing to meet the 24-hour early warning deadline for vulnerability and incident notifications (Recital 120).

For more details on penalties, see "As a manufacturer, if I make a mistake or a security flaw is found in my project, will I get in trouble?".

© 2026 ORC WG Authors, CC-BY-4.0

What should larger manufacturers expect in terms of enforcement style and corrective actions from market surveillance authorities?

Larger manufacturers should expect earlier, more structured, and more demanding enforcement from market surveillance authorities, including the possibility of penalties and public corrective measures.

Authorities prioritize large manufacturers because fixes at scale have market-wide impact, and because these actors are presumed to have the resources to comply fully with the CRA's requirements.

Mirroring later-stage GDPR enforcement, authorities are more likely to use proactive audits, coordinated inspections, and sector-wide actions (Article 52; Recital 114). Corrective actions may require systemic remediation across product lines, not just fixes for individual issues. Persistent non-compliance, misleading security claims, or repeated vulnerabilities increase the likelihood of formal orders, withdrawals, recalls (Article 57), or administrative fines (Article 64).

When setting administrative fines, authorities must consider "all relevant circumstances of the specific situation" including whether the manufacturer is a microenterprise or SME, and whether similar fines have already been applied by other authorities for the same infringement (Recital 120). Penalties must always be proportionate, but large manufacturers with greater resources can expect less leniency than smaller entities.

For more on non-compliance consequences, see "What will happen to non-compliant products?".

© 2026 ORC WG Authors, CC-BY-4.0

Is a company considered a manufacturer if it funds the development and maintenance of an open source project that is not under its responsibility?

No. How a product is developed or financed does not determine manufacturer status under the CRA.

A company becomes a manufacturer only when it markets a product with digital elements under its own name or trademark, whether for payment, monetisation or free of charge (Article 3(13)), that is, when it places the product on the market by supplying it for distribution or use in the course of a commercial activity.

The key factor is therefore whether the company markets the product under its own name or trademark. Simply funding the development or maintenance of an open source project, or contributing to it, does not by itself make the funder a manufacturer (Recital 18).

© 2026 ORC WG Authors, CC-BY-4.0

Does getting paid for open source software development make you a manufacturer?

No. Companies that get paid for open source development work are service providers, not manufacturers under the CRA.

The CRA applies to products being placed on the EU market, not to development services. A manufacturer is defined as a person who develops or manufactures products with digital elements and "markets them under its name or trademark" (Article 3(13)). A company providing contracted development services for open source software it is not responsible for is not marketing a product under its own name.

This distinction holds regardless of the client's status. Whether the client is an open-source software steward, a manufacturer, or another type of organization, the service provider relationship does not make the contractor a manufacturer. The determining factor is who places the product on the market under their name or trademark, not who performs the development work.

© 2026 ORC WG Authors, CC-BY-4.0