← CRA Glossary
Technical Security

Software Supply Chain Security

Software supply chain security encompasses the practices and controls that ensure the integrity, authenticity, and security of all software components — open-source libraries, commercial off-the-shelf modules, and development toolchains — that are integrated into a product. The CRA places explicit obligations on manufacturers to manage supply chain security throughout the product lifecycle.

Software supply chain security encompasses the practices and controls that ensure the integrity, authenticity, and security of all software components — open-source libraries, commercial off-the-shelf modules, and development toolchains — that are integrated into a product. The CRA places explicit obligations on manufacturers to manage supply chain security throughout the product lifecycle.

Technical Security
Free CVD portal →

What Is Software Supply Chain Security?

Software supply chain security addresses the risks introduced when a product incorporates code or components that the manufacturer did not write: open-source packages, commercial SDKs, licensed firmware, cloud service integrations, and build toolchain components. A supply chain attack occurs when an attacker compromises a trusted upstream component — for example, injecting malicious code into a popular open-source library — and the malicious code is then automatically incorporated into downstream products. High-profile supply chain incidents have demonstrated that a single compromised dependency can affect thousands of products simultaneously. Software Bill of Materials (SBOM) is the foundational tool for supply chain visibility.

CRA reference:Annex I Part I(2), Article 13(5)

Why Supply Chain Security Is a CRA Obligation

Annex I Part I(2)(f) of the CRA requires manufacturers to address and remediate vulnerabilities, explicitly including vulnerabilities in components integrated into the product. Recital 21 acknowledges the risk posed by open-source software in supply chains and encourages manufacturers to perform due diligence on components they integrate. Article 13(5) requires manufacturers to identify and document the components their products contain — the legal basis for the SBOM obligation. Manufacturers cannot disclaim responsibility for a vulnerability in a third-party library simply because they did not write the library: the product is their product and the vulnerability is their obligation.

CRA reference:Annex I Part I(2)(f), Article 13(5), Recital 21

How Manufacturers Implement Supply Chain Security

A robust supply chain security programme includes: (1) maintaining a complete, machine-readable SBOM in CycloneDX or SPDX format for every product release; (2) conducting Software Composition Analysis (SCA) during CI/CD pipelines to detect known vulnerabilities in dependencies at build time; (3) pinning dependency versions and verifying integrity via cryptographic hashes or signed packages; (4) establishing a policy for evaluating the security posture of new open-source dependencies before integration; (5) subscribing to vulnerability advisories for all integrated components and having a defined process for expedited patching when a critical supply chain vulnerability is disclosed. SBOM data should be updated with every product release.

CRA reference:Article 13(5), Annex I Part I

Common Mistakes

The most pervasive supply chain security error is not knowing what dependencies a product contains. Manufacturers who cannot produce an SBOM cannot assess their exposure when a major open-source vulnerability is disclosed, resulting in reactive fire-fighting rather than planned remediation. A second error is treating SBOM as a one-time deliverable generated at product launch, rather than a living artefact updated with every build. Manufacturers also often neglect indirect (transitive) dependencies: a directly integrated library that itself depends on a vulnerable component is equally a risk, but transitive dependencies are frequently missing from manually maintained SBOMs.

CRA reference:Article 13(5)

CVD Portal makes Software Supply Chain Security compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Is a manufacturer liable for vulnerabilities in open-source components under the CRA?+

Yes. The CRA holds manufacturers responsible for the security of their entire product, including all third-party and open-source components integrated into it. The open-source software steward provisions of the CRA create separate obligations for maintainers of open-source components, but this does not relieve the commercial manufacturer of its duty to identify, assess, and remediate vulnerabilities in components it chooses to integrate. Manufacturers must perform due diligence on the components they adopt.

What is an SBOM and why does the CRA require it?+

A Software Bill of Materials (SBOM) is a machine-readable inventory of all software components in a product, including their versions and known licences. The CRA requires manufacturers to identify and document their product's components (Article 13(5)) so that when a new vulnerability is disclosed in a component, they can quickly determine which of their products are affected and initiate remediation. Without an accurate SBOM, supply chain vulnerability response is guesswork.

What format should a CRA-compliant SBOM use?+

The CRA does not mandate a specific format, but the two dominant industry-standard formats are CycloneDX (maintained by OWASP) and SPDX (an ISO standard, ISO 5962:2021). Both are machine-readable and supported by major SCA tooling. ENISA and the European Commission's guidance documents reference these formats. Manufacturers should choose one and ensure their toolchain generates it automatically as part of each build and release.

Related terms

Software Bill of Materials (SBOM)An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.Software Composition Analysis (SCA)Software Composition Analysis (SCA) is the automated process of identifying open-source and third-party components in a codebase and checking them against known vulnerability databases to detect security risks. SCA is the primary technical mechanism for meeting the CRA's requirement that manufacturers identify and manage vulnerabilities in their products' components.Vulnerability ScanningVulnerability scanning is the automated process of probing systems, networks, or applications to identify known security weaknesses by comparing observed configurations and software versions against databases of known vulnerabilities. It provides continuous visibility into a product's security posture and supports the CRA's requirement that manufacturers monitor and address vulnerabilities throughout a product's lifecycle.Secure by DesignSecure by design means that security is built into a product's architecture and development process from the earliest design stage, rather than added as an afterthought after development is complete. The EU Cyber Resilience Act's essential requirements in Annex I mandate a secure-by-design approach for all products with digital elements.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital ElementsArticle 10Obligations of Manufacturers — Product Security by Design

Browse the full CRA Compliance Checklist

See how Software Supply Chain Security fits into your complete CRA compliance programme.

View checklists →