Quick answer
What should buyers check before connected products leave China?
Check connected-product scope, exact device and software identity, CE and technical-file handoff, support-period evidence, labels, manuals, importer role, and vulnerability-reporting ownership before final payment or pickup.
China-side evidence module
EU Cyber Resilience Act evidence checklist
The check connects the real device, labels, manuals, firmware, app, packaging, CE file, and responsible-party handoff to the goods that are actually being released.
Connected-product scope
- Device type, connected function, app, firmware, software, cloud service, remote data processing, network interface, and EU market exposure recorded by SKU
- Product category, ordinary or important-product status, exclusions, and conformity path confirmed by the responsible EU-side owner or specialist
Product identity and labels
- Model, SKU, hardware revision, firmware version, app version, serial or batch identifier, carton count, packaging revision, and user manual tied to the same lot
- CE mark, manufacturer details, importer details, support-period statement, contact details, product identifier, warnings, and instructions checked against physical goods
Technical-file handoff
- Cybersecurity risk-assessment status, EU declaration of conformity, technical documentation, conformity assessment plan, and applicable standards or notified-body notes gathered
- Security-update policy, vulnerability-handling process, component or software bill notes, default-password controls, and user-instruction files listed for specialist review
Reporting and release control
- Manufacturer, EU importer, distributor, open-source steward, CSIRT, ENISA Single Reporting Platform owner, and incident-response contact named where relevant
- Written hold-release rule used when connected-product facts, version evidence, CE files, support-period statements, or reporting ownership remain unclear
Why the CRA is a current 2026 China sourcing issue
The European Commission says the CRA entered into force on December 10, 2024, with the main obligations applying from December 11, 2027. Two earlier dates make the topic current in 2026: provisions on the notification of conformity assessment bodies apply from June 11, 2026, and reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026.
For China sourcing, the operational risk starts before those dates. Connected devices often move through a factory, trading company, app developer, firmware provider, cloud account, EU importer, and brand owner. If the buyer waits until goods are packed or already listed, it can be hard to confirm model identity, firmware version, CE evidence, support-period wording, user instructions, and the owner of vulnerability reporting.
- The September 11, 2026 reporting date is close enough to affect products already on or headed to the EU market
- The June 11, 2026 conformity-assessment milestone means notified-body readiness is no longer abstract for higher-risk products
- EU-bound connected products need evidence tied to the exact shipment, not only a generic product brochure
- A China-side check can catch version and label mismatches before payment or pickup, while specialists decide CRA compliance
Start with product scope and connected functionality
The CRA applies to hardware and software products with digital elements made available on the EU market when their intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. That can include final products and separately marketed components.
For sourcing teams, the practical question is whether the product is merely an ordinary physical good or a connected product. A smart watch, baby monitor, camera, sensor, router, smart appliance, Bluetooth accessory, industrial controller, mobile app-connected device, or product with cloud-dependent functions needs a different evidence file than a passive product.
- Record the connected feature in plain language so the EU-side owner can decide scope
- Separate product-safety, radio, battery, GPSR, and CRA questions instead of treating CE as one generic file
- Identify app, firmware, SDK, gateway, cloud, data-processing, or software-component dependencies before mass production
- Escalate scope questions to the manufacturer, EU importer, cybersecurity adviser, notified body, or counsel
Product identity needs to include software and support evidence
A connected-product evidence check should not stop at carton count and visible defects. The same hardware shell can ship with a different chipset, firmware build, app pairing method, cloud endpoint, default credential behavior, or support-period statement. Those differences can change the file the EU-side owner needs to review.
Before pickup, compare the buyer-approved record with the physical product and supplier files. The check should tie model number, hardware revision, firmware version, app version, product identifier, serial or batch details, labels, manual, insert, QR code, and packaging revision to the actual cartons being released.
- Photograph device labels, retail packaging, QR codes, manual pages, and version screens where access is available
- Ask the supplier to identify firmware, app, and cloud dependencies in the order file
- Keep correction evidence when the supplier relabels, repacks, updates firmware, changes app instructions, or swaps components
- Treat unknown firmware or mixed product versions as a release decision, not a small paperwork issue
CE, technical documentation, and conformity path should be named early
The Commission summary explains that manufacturers need cybersecurity risk assessment, technical documentation, conformity assessment, EU declaration of conformity, CE marking, user information, and a support period. Importers and distributors also have verification and cooperation obligations before products are made available on the EU market.
A sourcing agent cannot validate a cybersecurity risk assessment, but it can check whether the files named by the EU owner match the goods. The visible evidence should not contradict the conformity story: manufacturer name, importer name, product identifier, CE label, manual, support-period statement, software version, and packaging should describe the same product.
- Request the EU-side conformity plan before printing labels or locking packaging
- Compare EU declaration, technical-file index, label artwork, user instructions, and product photos against production goods
- Flag products that may need third-party conformity assessment because they fall into important or critical categories
- Keep CRA evidence separate from ordinary electrical safety, EMC, radio, battery, and GPSR files even when they share labels
Name the vulnerability-reporting owner before shipment
From September 11, 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting products with digital elements. The Commission describes an early warning within 24 hours, a full notification within 72 hours, and later final reports. ENISA says the Single Reporting Platform will be used for mandatory reports from that date.
The reporting workflow is not a warehouse task, but the China-side file can make it easier to know who owns it. The buyer should know which manufacturer, brand owner, EU importer, distributor, open-source steward, cybersecurity team, or adviser will handle vulnerability intake, supplier escalation, update records, and authority communication.
- List the vulnerability or incident contact before EU shipment release
- Confirm whether products already on the EU market need reporting workflow preparation before September 11, 2026
- Keep supplier contacts for firmware, app, cloud, and component questions in the shipment file
- Do not let the factory ship if nobody can identify who owns CRA reporting, updates, or user communication

