CRANIS2
Beta programme Become a CRANIS2 beta tester. Sign up with code BETAUSER for a 90-day free trial (30 days plus 60 more) and help shape CRANIS2 before the CRA deadlines. Join the beta

Non-Compliance Reporting Guide

What to do when you discover your product does not conform to the essential cybersecurity requirements of the Cyber Resilience Act. This guide covers the steps required of manufacturers, importers, and distributors.

Important:

Discovering non-compliance is not a failure — it is a normal part of product lifecycle management. The CRA requires prompt, structured action. The key obligations are to stop making the product available, take corrective measures, and inform the relevant authorities.

Confirm the non-compliance

CRA Art. 13(2)

Assess whether your product genuinely fails to meet one or more essential cybersecurity requirements set out in Annex I. Consider:

Stop making the product available

CRA Art. 13(2), Art. 18(5), Art. 19(3)

If the non-compliance presents a risk, you must not place the product on the market (or withdraw it if already available) until it has been brought into conformity. For software products, this may mean:

Take corrective measures

CRA Art. 13(9), Art. 13(6)

Develop and deploy a fix, then verify it resolves the non-compliance:

Notify market surveillance authorities

CRA Art. 13(2), Art. 18(5), Art. 19(3)

Inform the market surveillance authorities of the member states where the product has been made available. Your notification should include:

If actively exploited — report to ENISA

CRA Art. 14

If the non-compliance involves an actively exploited vulnerability or a severe incident, the ENISA reporting obligations under Art. 14 apply in addition to the corrective measures above:

Check your incident response readiness →

Document everything

CRA Art. 13(10)

Retain full documentation of the non-compliance event, corrective measures, and authority communications for at least 10 years. This forms part of your technical documentation and compliance audit trail.

Role-specific obligations

Manufacturer
Art. 13(2) — Take all necessary corrective measures to bring the product into conformity, withdraw it, or recall it.
Art. 13(9) — Provide corrective security updates free of charge and separately from feature updates.
Art. 14 — Report to ENISA if the non-compliance involves an actively exploited vulnerability.
Importer
Art. 18(5) — Do not place or continue to make available a product you believe is non-compliant. Inform the manufacturer and market surveillance authorities.
Art. 18(7) — Report actively exploited vulnerabilities to ENISA within the same timelines as Art. 14.
Distributor
Art. 19(3) — Do not make available a product you believe is non-compliant. Inform the manufacturer or importer and market surveillance authorities.
Art. 19(4) — Report actively exploited vulnerabilities to ENISA within the same timelines as Art. 14.

Track non-compliance resolution

CRANIS2 tracks corrective actions, generates ENISA reports with AI-assisted drafting, and maintains the full audit trail — so you can demonstrate compliance to market surveillance authorities.

Manage compliance in CRANIS2