EU CRA - connected products - cybersecurity evidence

EU Cyber Resilience Act: What China-Sourced Connected Products Should Check in 2026

Written by Agent HuangPublished on July 8, 2026

China-side sourcing partner helping overseas buyers verify suppliers, inspect goods, and reduce payment or shipment risk before money or goods move.

The EU Cyber Resilience Act is now a live planning issue for buyers sourcing connected products from China. The CRA entered into force on December 10, 2024, notification rules for conformity assessment bodies started applying on June 11, 2026, and manufacturer reporting obligations for actively exploited vulnerabilities and severe incidents start on September 11, 2026. The main product obligations apply from December 11, 2027.

Before deposit, mass production, final payment, or pickup, EU-facing buyers should connect the exact device, software or firmware version, app or cloud dependency, model label, CE file, support-period statement, vulnerability-reporting owner, importer role, and user instructions to the shipment lot. Huang Sourcing can check China-side product, label, packaging, document, and visible version evidence, but CRA classification, cybersecurity engineering, conformity assessment, incident reporting, legal compliance, and market-surveillance responses remain with the manufacturer, EU importer, distributor, authorised representative, notified body, cybersecurity adviser, or counsel.

Quick answer

What should buyers check before connected products leave China?

Check connected-product scope, exact device and software identity, CE and technical-file handoff, support-period evidence, labels, manuals, importer role, and vulnerability-reporting ownership before final payment or pickup.

1Confirm whether the product has a direct or indirect data connection to a device or network, including app, Wi-Fi, Bluetooth, cloud, gateway, or remote-data-processing functions
2Name the manufacturer, EU importer, distributor, authorised representative, brand owner, and party responsible for CRA conformity and vulnerability reporting
3Tie model, SKU, hardware revision, firmware version, app version, cloud dependency, batch, serial, and packaging revision to the same shipment lot
4Check whether the product label, CE marking, importer details, manufacturer details, user instructions, and support-period statement match the buyer-approved file
5Ask whether the product is ordinary, important class I, important class II, or critical under the CRA and related implementing descriptions
6Confirm whether the supplier can provide cybersecurity risk-assessment, technical-documentation, vulnerability-handling, update, and support-period evidence
7Prepare for September 11, 2026 reporting workflows when a product already on the EU market has actively exploited vulnerabilities or severe incidents
8Hold payment or pickup when the supplier cannot reconcile device identity, software version, CE file, support period, or importer handoff before goods leave China

China-side evidence module

EU Cyber Resilience Act evidence checklist

The check connects the real device, labels, manuals, firmware, app, packaging, CE file, and responsible-party handoff to the goods that are actually being released.

Connected-product scope

  • Device type, connected function, app, firmware, software, cloud service, remote data processing, network interface, and EU market exposure recorded by SKU
  • Product category, ordinary or important-product status, exclusions, and conformity path confirmed by the responsible EU-side owner or specialist

Product identity and labels

  • Model, SKU, hardware revision, firmware version, app version, serial or batch identifier, carton count, packaging revision, and user manual tied to the same lot
  • CE mark, manufacturer details, importer details, support-period statement, contact details, product identifier, warnings, and instructions checked against physical goods

Technical-file handoff

  • Cybersecurity risk-assessment status, EU declaration of conformity, technical documentation, conformity assessment plan, and applicable standards or notified-body notes gathered
  • Security-update policy, vulnerability-handling process, component or software bill notes, default-password controls, and user-instruction files listed for specialist review

Reporting and release control

  • Manufacturer, EU importer, distributor, open-source steward, CSIRT, ENISA Single Reporting Platform owner, and incident-response contact named where relevant
  • Written hold-release rule used when connected-product facts, version evidence, CE files, support-period statements, or reporting ownership remain unclear

Why the CRA is a current 2026 China sourcing issue

The European Commission says the CRA entered into force on December 10, 2024, with the main obligations applying from December 11, 2027. Two earlier dates make the topic current in 2026: provisions on the notification of conformity assessment bodies apply from June 11, 2026, and reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026.

For China sourcing, the operational risk starts before those dates. Connected devices often move through a factory, trading company, app developer, firmware provider, cloud account, EU importer, and brand owner. If the buyer waits until goods are packed or already listed, it can be hard to confirm model identity, firmware version, CE evidence, support-period wording, user instructions, and the owner of vulnerability reporting.

  • The September 11, 2026 reporting date is close enough to affect products already on or headed to the EU market
  • The June 11, 2026 conformity-assessment milestone means notified-body readiness is no longer abstract for higher-risk products
  • EU-bound connected products need evidence tied to the exact shipment, not only a generic product brochure
  • A China-side check can catch version and label mismatches before payment or pickup, while specialists decide CRA compliance

Start with product scope and connected functionality

The CRA applies to hardware and software products with digital elements made available on the EU market when their intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. That can include final products and separately marketed components.

For sourcing teams, the practical question is whether the product is merely an ordinary physical good or a connected product. A smart watch, baby monitor, camera, sensor, router, smart appliance, Bluetooth accessory, industrial controller, mobile app-connected device, or product with cloud-dependent functions needs a different evidence file than a passive product.

  • Record the connected feature in plain language so the EU-side owner can decide scope
  • Separate product-safety, radio, battery, GPSR, and CRA questions instead of treating CE as one generic file
  • Identify app, firmware, SDK, gateway, cloud, data-processing, or software-component dependencies before mass production
  • Escalate scope questions to the manufacturer, EU importer, cybersecurity adviser, notified body, or counsel

Product identity needs to include software and support evidence

A connected-product evidence check should not stop at carton count and visible defects. The same hardware shell can ship with a different chipset, firmware build, app pairing method, cloud endpoint, default credential behavior, or support-period statement. Those differences can change the file the EU-side owner needs to review.

Before pickup, compare the buyer-approved record with the physical product and supplier files. The check should tie model number, hardware revision, firmware version, app version, product identifier, serial or batch details, labels, manual, insert, QR code, and packaging revision to the actual cartons being released.

  • Photograph device labels, retail packaging, QR codes, manual pages, and version screens where access is available
  • Ask the supplier to identify firmware, app, and cloud dependencies in the order file
  • Keep correction evidence when the supplier relabels, repacks, updates firmware, changes app instructions, or swaps components
  • Treat unknown firmware or mixed product versions as a release decision, not a small paperwork issue

CE, technical documentation, and conformity path should be named early

The Commission summary explains that manufacturers need cybersecurity risk assessment, technical documentation, conformity assessment, EU declaration of conformity, CE marking, user information, and a support period. Importers and distributors also have verification and cooperation obligations before products are made available on the EU market.

A sourcing agent cannot validate a cybersecurity risk assessment, but it can check whether the files named by the EU owner match the goods. The visible evidence should not contradict the conformity story: manufacturer name, importer name, product identifier, CE label, manual, support-period statement, software version, and packaging should describe the same product.

  • Request the EU-side conformity plan before printing labels or locking packaging
  • Compare EU declaration, technical-file index, label artwork, user instructions, and product photos against production goods
  • Flag products that may need third-party conformity assessment because they fall into important or critical categories
  • Keep CRA evidence separate from ordinary electrical safety, EMC, radio, battery, and GPSR files even when they share labels

Name the vulnerability-reporting owner before shipment

From September 11, 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting products with digital elements. The Commission describes an early warning within 24 hours, a full notification within 72 hours, and later final reports. ENISA says the Single Reporting Platform will be used for mandatory reports from that date.

The reporting workflow is not a warehouse task, but the China-side file can make it easier to know who owns it. The buyer should know which manufacturer, brand owner, EU importer, distributor, open-source steward, cybersecurity team, or adviser will handle vulnerability intake, supplier escalation, update records, and authority communication.

  • List the vulnerability or incident contact before EU shipment release
  • Confirm whether products already on the EU market need reporting workflow preparation before September 11, 2026
  • Keep supplier contacts for firmware, app, cloud, and component questions in the shipment file
  • Do not let the factory ship if nobody can identify who owns CRA reporting, updates, or user communication

Evidence to decision matrix

Turn CRA evidence gaps into a release decision.

Use this table to decide whether connected-product evidence is ready enough for deposit, final payment, specialist review, or a hold before pickup.

Risk node
Evidence basis
Buyer decision
Connected scope is clear
Product function, network or device connection, app or cloud dependency, EU destination, and responsible EU-side owner are documented.
Proceed with the CRA evidence file, or ask specialists to decide scope before deposit, labels, or pickup.
Device identity matches
SKU, model, hardware revision, firmware version, app version, serial or batch details, labels, packaging, and cartons describe the same shipment lot.
Approve release after mismatches are corrected, or hold when version evidence is missing or mixed.
CE and technical-file handoff is ready
CE label, manufacturer and importer details, EU declaration, technical-file index, support-period statement, and user instructions are available for EU review.
Release only after the responsible party accepts the file and any notified-body or specialist questions are assigned.
Reporting owner is named
Manufacturer, EU importer, distributor, cybersecurity contact, supplier technical contact, and incident-reporting workflow owner are recorded.
Prepare shipment release, delay for workflow clarification, or escalate before products are placed on the EU market.

Evidence basis for this advice.

This guide is based on official EU and ENISA source context, then narrowed to device identity, software version, label, CE, support-period, and importer-handoff evidence that can be checked before goods leave China.

  • Official European Commission Cyber Resilience Act pages, summary, implementation timeline, reporting guidance, and legal text current to July 8, 2026.
  • Official ENISA Single Reporting Platform context for the September 11, 2026 vulnerability and incident reporting start date.
  • Buyer-provided product list, supplier files, model and firmware notes, app or cloud details, label artwork, CE files, manuals, packaging records, and EU-side instructions.
  • Physical device, label, packaging, version-screen, carton, instruction, QR-code, correction, and shipment evidence observed or collected in China.
  • Specialist guidance from the manufacturer, EU importer, distributor, authorised representative, notified body, cybersecurity adviser, testing lab, marketplace, or counsel when conclusions exceed visible and document evidence.

Official source context

Verify the CRA rule, then check the shipment evidence.

These sources explain the EU CRA timeline, product scope, economic operator obligations, conformity assessment, vulnerability reporting, and Single Reporting Platform. They do not replace product-specific legal, cybersecurity, notified-body, or market-surveillance advice.

European Commission - Cyber Resilience Act

Official overview explaining CRA purpose, manufacturer obligations, CE marking, enforcement, and the December 2024, September 2026, and December 2027 dates.

Open official source

European Commission - CRA legal text summary

Official summary of product scope, products with digital elements, manufacturer, importer, distributor, conformity, technical-documentation, and support-period obligations.

Open official source

European Commission - CRA implementation timeline

Official implementation page listing June 11, 2026 conformity-assessment-body notification provisions, September 11, 2026 reporting obligations, and December 11, 2027 full application.

Open official source

European Commission - CRA reporting obligations

Official reporting guidance for actively exploited vulnerabilities, severe incidents, 24-hour and 72-hour reports, final reports, and the Single Reporting Platform.

Open official source

ENISA - Single Reporting Platform

Official ENISA context for the Single Reporting Platform used for mandatory CRA vulnerability and incident reporting from September 11, 2026.

Open official source

EUR-Lex - Regulation (EU) 2024/2847

Official Cyber Resilience Act legal text for product scope, economic-operator obligations, CE marking, conformity assessment, reporting, and enforcement.

Open official source

EUR-Lex - Implementing Regulation (EU) 2025/2392

Official implementing act describing categories of important and critical products with digital elements for CRA conformity assessment planning.

Open official source

What to send before the connected-product check.

Send product identity, software version, label, manual, CE, technical file, supplier, and EU-side responsibility records so the report can compare China-side facts against the file the responsible party expects to use.

  • Product list by SKU, model, connected function, EU destination, importer or distributor, brand owner, order quantity, carton count, and shipment timeline
  • Hardware revision, firmware version, app version, cloud or remote-processing dependency, gateway details, default credential notes, and update-policy notes
  • Supplier English name, Chinese name, factory address, developer or firmware provider contact, app or cloud provider contact, exporter, invoice issuer, and pickup address
  • Approved label artwork, CE mark file, product identifier, manufacturer details, importer details, support-period wording, warnings, manuals, inserts, and packaging files
  • EU declaration of conformity, technical-file index, conformity assessment plan, standards or notified-body notes, cybersecurity risk-assessment status, and test or lab files if available
  • Buyer, manufacturer, importer, distributor, authorised representative, notified body, cybersecurity adviser, or counsel instructions for what should block deposit, payment, pickup, or EU release

CRA red flags before payment or pickup.

Pause when model, firmware, app, cloud, CE, manual, support-period, or reporting ownership evidence cannot be tied to the same shipment lot.

  • Supplier cannot identify the firmware, app, hardware revision, cloud dependency, or support period for the exact goods being shipped
  • The same SKU appears with mixed firmware, different labels, old manuals, different QR codes, or different app-pairing instructions
  • CE files, technical-file references, EU declaration, packaging, and product labels use inconsistent manufacturer or importer details
  • The supplier treats CRA as the same thing as ordinary electrical safety, EMC, radio, battery, or GPSR compliance without a separate cybersecurity owner
  • A smart device depends on a third-party app, cloud account, SDK, gateway, or firmware provider but no responsible party is named
  • The product may be an important or critical product with digital elements, but no one has checked the conformity assessment path
  • No owner is named for actively exploited vulnerability reporting, severe incident reporting, firmware updates, user notification, or EU authority response
  • Factory changes device components, firmware, labels, manuals, cloud endpoint, or packaging after the buyer approved the compliance file

Scope limits

A China-side check is not a CRA conformity decision.

The report can show what was visible, provided, missing, and inconsistent before shipment. It cannot certify cybersecurity compliance or decide whether EU authorities, notified bodies, marketplaces, or buyers will accept the file.

  • Huang Sourcing can compare visible product, label, packaging, carton, version, manual, supplier, and shipment evidence against buyer-provided references in China
  • Huang Sourcing does not determine CRA legal scope, cybersecurity conformity, important or critical product status, notified-body requirements, or CE compliance
  • A China-side evidence check cannot validate cybersecurity risk assessment, penetration testing, software bills, vulnerability handling, support-period sufficiency, or incident-reporting compliance
  • The manufacturer, EU importer, distributor, authorised representative, notified body, cybersecurity adviser, testing lab, marketplace, or legal counsel remains responsible for regulated decisions
  • Sealed cartons, inaccessible firmware screens, locked apps, unavailable cloud credentials, supplier refusals, translated files, mixed lots, or late product changes can limit report confidence
  • CRA guidance, standards, implementing acts, notified-body availability, Single Reporting Platform procedures, market-surveillance practice, and product-specific obligations can change before full application

Frequently asked questions

When does the EU Cyber Resilience Act apply?

The CRA entered into force on December 10, 2024. Notification provisions for conformity assessment bodies apply from June 11, 2026, reporting obligations apply from September 11, 2026, and the main product obligations apply from December 11, 2027.

Does the CRA apply to China-sourced products?

It can. The CRA applies to products with digital elements made available on the EU market, regardless of where they are manufactured. The responsible EU-side party should decide scope with qualified support.

What is a product with digital elements?

The Commission describes it as a software or hardware product, including remote data processing solutions, that has a direct or indirect logical or physical data connection to a device or network.

What should buyers check before paying a China supplier?

Check connected function, model, hardware revision, firmware version, app version, cloud dependency, labels, CE file, manuals, support-period wording, technical-file handoff, and who owns EU reporting and updates.

Can Huang Sourcing certify CRA compliance?

No. Huang Sourcing can document China-side product, label, packaging, version, carton, and supplier evidence. CRA conformity, cybersecurity testing, reporting obligations, and legal compliance require responsible economic operators and qualified specialists.

Why check CRA evidence in 2026 if full application is in 2027?

The September 11, 2026 reporting obligation is near-term, and connected-product evidence is easier to fix before mass production, final payment, pickup, and EU market release. Waiting until 2027 can leave version, label, and technical-file gaps harder to correct.

Before EU-bound connected goods leave China

Check model, firmware, labels, CE files, manuals, and reporting ownership while correction is still practical.

Send the supplier files, product versions, label artwork, manuals, CE documents, EU handoff notes, and shipment deadline before final release.

Check Connected Product Evidence