CRA Notebook
Last reviewed 25 Apr 2026 · 17 min read · Close reading · Standing

Article 22 is the hidden membership gate of the manufacturer club.

Most readers stop at Article 3(13)’s manufacturer definition. Article 22 is the second way into the club — one nobody applies for, one that activates by behaviour. Integrators, system integrators, re-importers can walk through it without noticing. (Article 21 is a parallel pathway with the same effect for importers and distributors specifically — see the companion essay.)

A systems integrator somewhere in the APAC manufacturing belt builds an industrial control product line by buying APAC-made gateway hardware, layering its own SCADA integration software on top, and selling the combined product into European factories under its own brand. Internally, the company describes itself as a service provider. The hardware comes from a partner. The software is its own. The legal team has read Article 3(13) of the CRA — the manufacturer definition — and has confirmed, plausibly, that the manufacturer for CRA purposes is the APAC hardware vendor that built the gateway. The integrator’s legal exposure has been scoped as that of a distributor.

Then the integrator’s lead engineer, reading further, reaches Article 22. The article is one paragraph long and changes everything that the legal team had concluded. Under Art 22, the integrator is a manufacturer. Not a distributor, not a service provider, not an integration partner. A manufacturer, with the full Article 13 stack of obligations attached. Nobody at the company filed any paperwork to become one. The membership was acquired the moment the SCADA layer was bolted on top of someone else’s hardware and the resulting product was placed on the EU market under the integrator’s own name.

That moment — the moment a company discovers it has already joined the manufacturer club without ever applying — is what Article 22 is for. It is the article that turns “manufacturer” from a self-declared identity into a behavioural consequence.

§ 01 Article 3(13) is the front door. Article 22 is the side door you walk through without seeing.

Article 3(13) of the CRA defines a manufacturer in the conventional way. A natural or legal person who develops or manufactures products with digital elements (or has them developed) and markets them under its own name or trademark, whether for payment or free of charge. The mode of entry into the manufacturer category is volitional: you decided to be a manufacturer, you put your name on the product, you placed it on the market. The act of becoming a manufacturer is something you did on purpose.

Article 22 specifies a second mode of entry, and the second mode is structurally different. It is not volitional. It is consequential. The membership is conferred by a behaviour — a substantial modification, a re-branding, a re-importation — not by a decision to be a manufacturer. The legal entity does not file paperwork, does not change its commercial self-description, does not necessarily even realise that its actions have crossed a threshold. The CRA simply treats the entity as a manufacturer from the moment the qualifying behaviour completes.

The structural choice the legislator made here matters. The CRA could have allowed the manufacturer category to be defined entirely by self-declaration — whoever puts their name on the product owns the obligations. That would have left an obvious arbitrage path: place the product into the EU under your name, then later modify it, transfer it, re-brand it through other entities, and rely on contractual allocations to keep the obligations in their original location. Article 22 closes that arbitrage. Manufacturer status follows the product as it changes hands and changes form. The obligation is attached to the behaviour, not to the corporate label or the contract.

For an APAC operator, the practical implication is that any internal record — an engineering changelog, a product release note, a shipping manifest, a customs declaration — that documents a substantial modification or a re-brand can later become the evidence that triggered Art 22. The membership card is written by the company’s own actions, and the company is the last to know it exists.

§ 02 The three triggers, and three APAC scenarios

Article 22 lists three conditions under which a natural or legal person other than the original manufacturer is treated as a manufacturer for the purposes of the Regulation. Each one is straightforward as text and consequential as practice.

Trigger 1 — substantial modification not covered by the original assessment. The integrator scenario at the start of this essay sits here. The integrator buys an APAC-made industrial gateway that the original manufacturer placed on the market with a Module A self-assessment scoped to a specific intended use — passive monitoring on a factory network. The integrator adds a SCADA software layer that gives the gateway active-control capability over connected machinery and resells the combined unit. Under Art 3(39), the change to intended use is a substantial modification. Under Art 22, the integrator is now a manufacturer for the modified product, carrying every Article 13 obligation including the design-time risk assessment, the SBOM for the combined product, the support period commitment, the Article 14 reporting infrastructure. The original manufacturer’s assessment does not transfer; the integrator must produce its own.

Trigger 2 — an integrator placing the modified product under its own name or trademark. A European systems integrator purchases stock of a connected industrial controller from an APAC OEM, ports its own management software stack onto the device, applies its own branding to the housing and the configuration UI, and supplies the result to factory customers under its own brand. Two acts have occurred together: a substantial modification (software stack replacement affecting Annex I requirements) and a placing under a different name. The integrator has stepped through Art 22 by both of the conditions in this trigger. From the buyer’s side the product is the integrator’s product. From the regulator’s side, the integrator is the manufacturer for the re-branded variant. (Note: if the same fact pattern were performed by an EU importer or distributor rather than an integrator, the pathway would be Article 21, not Article 22 — the legal effect on the manufacturer category is identical, but the article number differs.)

Trigger 3 — re-importation or re-making available with material change. A parallel-import operator sources APAC-built networking equipment from a non-EU jurisdiction, repackages it with new EU-language documentation and a new technical datasheet, applies its own labelling, and supplies it to small business customers across several Member States. If the parallel importer is acting as an EU importer (and is registered as one), the pathway is Article 21. If the parallel importer is acting as a third party that is neither manufacturer, importer, nor distributor — for example, a consultancy or SI buying the products on behalf of clients and bundling them with its own services — the pathway is Article 22. Either way: the original manufacturer’s technical file does not match the documentation now circulating with the product. The parallel-import operator has effectively placed a different product on the market — same hardware, different identity, different documentation, different conformity claims — and is now the manufacturer of that variant for CRA purposes.

The pattern across all three triggers is the same: the membership in the manufacturer category transfers along with the modification or the re-identification, regardless of whether the entity intended to acquire it. The corporate self-description — “we’re an integrator,” “we’re a distributor,” “we’re a parallel importer” — has no defensive value here. The CRA looks past the self-description at the behaviour.

Anchor — downstream activation

Article 3(39): substantial modification means a change that affects compliance with Annex I essential requirements or modifies the intended use for which the product was assessed. Either trigger is sufficient.

Article 13(1): once Art 22 confers manufacturer status, the full design-time, supply-chain, post-market, and documentation obligations of Article 13 attach to the new manufacturer for the modified product.

§ 03 The contract–law mismatch APAC operators most often miss

Most APAC OEM, ODM, and integrator relationships are governed by detailed commercial contracts that allocate responsibility between the parties. Who owns the SBOM. Who handles vulnerability response. Who signs the EU declaration of conformity. Who takes the liability for warranty claims and for regulatory non-compliance. These contracts assume that the parties can decide, between themselves, how the obligations are distributed. For private-law disputes between the contracting parties, that assumption is correct.

For public-law obligations under the CRA, that assumption is partially wrong, and the gap between “mostly correct” and “partially wrong” is where Article 22 does damage.

The CRA imposes obligations on whoever is the manufacturer under Articles 12 and 21. When Article 22 transfers manufacturer status from one party to another — an APAC OEM’s European integration partner becoming the manufacturer of the integrated product, for example — the public-law obligations move with the manufacturer status. The private contract between the OEM and the integrator does not move them. The contract may continue to allocate SBOM responsibility to the OEM, may continue to allocate Article 14 reporting to the OEM, may continue to indemnify the integrator against regulatory risk. None of this changes what the regulator can require of the integrator. The regulator can demand from the integrator everything Article 13 demands of a manufacturer, regardless of who the contract says is on the hook.

The result is a structural mismatch. The integrator’s commercial position assumes the APAC OEM remains responsible for the modified product’s compliance. The legal position is that the integrator is the manufacturer of the modified product and is on the hook for Article 13 in full. If the integrator cannot deliver Article 13 obligations operationally — cannot produce the SBOM, cannot run the vulnerability handling process, cannot meet the support period commitment — the regulator does not accept “the contract says it’s the OEM’s job” as a defence. The regulator looks at the integrator and asks why the integrator, as the manufacturer, has not done its job.

The cost of this mismatch is rarely visible in the contract. It is visible later, in two places. First, in the integrator’s operating budget, when the integrator discovers it needs to build vulnerability handling, SBOM, and reporting capabilities it had not budgeted for. Second, in the OEM’s invoice, when the integrator turns around and tries to renegotiate the supply contract to make the OEM perform those functions on the integrator’s behalf, with the OEM holding most of the negotiating leverage because the integrator now has a regulatory deadline to meet.

The cleaner solution is to anticipate Art 22 in the contract from the start. The clause set is small. Forbid the counterparty from carrying out a substantial modification on the EU market without prior notice. Require advance written notice of any planned re-branding or repackaging that would re-identify the product. Specify that, if the counterparty does perform a qualifying behaviour, the conformity assessment responsibility for the modified product is reallocated — including the practical work of producing technical documentation, SBOM, and vulnerability handling for the modified variant. None of this prevents Article 22 from operating — the public-law obligations transfer regardless — but it puts the parties in a position where the operational work is allocated in advance to whoever can actually do it.

Anchor — downstream activation

Article 13, in full: every paragraph of the manufacturer obligation stack attaches to whoever Article 22 has identified as the manufacturer of the modified product, regardless of contractual allocation.

Article 14: post-market reporting obligations, including the 24h / 72h reporting cadence and the parallel final-report tracks (14 days for vulnerabilities; one month for severe incidents), attach to the same entity. The contract between the original manufacturer and the modifier is silent against the regulator.

§ 04 “Substantial” is a legal judgement — and the judging body is rarely you

The Article 3 commentary on this site has covered the structural definition of substantial modification — the two triggers under Art 3(39), the “or” relationship between Annex I compliance and intended use. Reading from Article 22 specifically, one further point deserves separate treatment: the question of who decides whether a modification was substantial.

The engineering team is not the judging body. Engineering judgement classifies modifications by complexity, by risk, by code-volume changed, by hours of work. None of those metrics map onto the Art 3(39) test. A two-line change to a cryptographic configuration can be substantial. A three-month integration project that touches no Annex I requirement and no intended use may not be. The colloquial “this was a small update” is the wrong language to bring to this judgement, and yet it is the language most engineering organisations naturally use.

The legal team is also not, by itself, the final judging body. The legal team can read Art 3(39) and the Commission Guidance circulated in February 2026 and can form a view. The view is a hypothesis. The actual judgement is rendered in two places. First, by the manufacturer itself when it decides whether to perform a fresh conformity assessment after the modification — a decision that becomes a documented record of the manufacturer’s position. Second, by a market surveillance authority, after the fact, when something else triggers an inspection and the authority reviews what happened. The authority is not bound by the manufacturer’s prior judgement. If the authority concludes the modification was substantial and no fresh conformity assessment was performed, the manufacturer is in breach of Art 22 read together with Article 32, regardless of how confidently the legal team had reached the opposite conclusion at the time.

This asymmetry — the manufacturer must decide in advance, the authority decides after the fact — is what makes Art 22 dangerous in practice. The protective move is not to be confident in the legal classification. The protective move is to document the reasoning behind the classification, fully and contemporaneously. A manufacturer that classified a modification as non-substantial and recorded the reasoning — specifying which Annex I requirements were considered, why no impact was found, why intended use was unchanged — is in a much stronger position when an authority later reaches a different view. The classification might still be wrong, but the documented reasoning shifts the conversation from “you ignored the rule” to “your good-faith judgement was wrong,” which is a different penalty conversation under Article 64(5).

The Commission Guidance circulated in February 2026 began providing concrete examples of which kinds of software updates and modifications count as substantial. Those examples will continue to be refined through Commission FAQs, market-surveillance enforcement decisions, and implementing acts through 2026 and 2027. Substantial modification, like several other Art 3 definitions, is in motion — and Article 22 is the article through which the motion most directly affects the membership of the manufacturer category.

§ 05 Four moves an APAC operator can make today

Article 22 is operationally addressable, but only by treating it as a continuing supervisory function rather than a one-time legal review. Four moves are worth doing.

Move 1 — map every counterparty in the supply chain that could trigger Art 22. The list is wider than “our distributors.” It includes systems integrators who layer their own software on top of the product. It includes value-added resellers who reflash firmware. It includes parallel importers who repackage and re-document. It includes customers who modify the product before resale into a different market segment. For each entity on the list, record what kind of modification or re-identification they are operationally capable of. Half of the work in handling Art 22 is having an accurate list of who can trigger it.

Move 2 — add Art 22 clauses to commercial contracts. The minimum clause set: prior notification of any planned modification to the product as placed on the EU market; prior notification of any re-branding or repackaging that would re-identify the product; allocation of conformity assessment responsibility for any modified variant; access rights to technical information needed for the modified variant’s assessment. None of this overrides Article 22 — the public-law transfer happens regardless — but it gives the parties a working framework for who actually does the operational work.

Move 3 — document the conformity assessment scope clearly enough to be reasoned against. Article 22 hinges on whether a modification is “not covered by” the original conformity assessment. If the original assessment’s scope is documented vaguely — “assessed against Annex I,” full stop — then almost any modification could later be argued to fall outside it. If the original scope is documented precisely — intended use, hardware configuration, software baseline including SBOM, set of Annex I requirements assessed, evidence base — then it becomes possible to determine whether a specific modification falls inside or outside. Precise scope documentation is the artefact that makes the Art 22 question answerable at all.

Move 4 — treat Art 22 as a monitoring function, not a one-time analysis. The trigger conditions for Art 22 do not all happen at the moment of contract signing. They happen continuously, every time a counterparty performs an action that could constitute a substantial modification or a re-identification. Someone in the manufacturer’s organisation has to be watching. The watching cannot be done by the legal team alone — the legal team only sees what gets escalated. It has to be done by whoever has visibility into actual product flows: engineering in the case of integrators, supply chain in the case of distributors, regulatory affairs in the case of parallel-import jurisdictions. The monitoring function has to live where the visibility is.

§ 06 The integrator finds out

Back to the systems integrator at the start. By the time the lead engineer finishes reading Article 22, the company has been a manufacturer under the CRA for eighteen months without knowing it. The first three years of EU sales of the integrated product have been placed on the market by an entity that did not perform the manufacturer’s design-time risk assessment, did not maintain an SBOM for the integrated product, did not declare a support period, did not establish a vulnerability disclosure process, did not put an authorised representative or EU contact point in place for itself.

The next conversation in the company is not a comfortable one. The integrator has to decide whether to disclose the situation proactively to the relevant market surveillance authority, whether to retroactively perform the assessment work and document it as best it can, whether to renegotiate the supply contract with the APAC OEM to backfill the operational obligations, whether and how to communicate the situation to its existing EU customer base. None of these decisions is cheap, and all of them are cheaper than not making them.

What Article 22 made happen here is something the front-door manufacturer definition in Article 3(13) could not have made happen on its own. Article 3(13), on its own, lets a company opt out of being a manufacturer by self-describing as something else — an integrator, a distributor, a service provider. Article 22 closes that opt-out. Whoever performs the qualifying behaviour acquires the membership, regardless of self-description, regardless of contract, regardless of intent.

There is no application form for the manufacturer club. There is only an application form for finding out you have already joined. The only useful response is to read Article 22 carefully enough, and supervise the supply chain closely enough, that the discovery happens early rather than during a market surveillance information request three years too late.
