EU Cyber Resilience Act — Guide for Procurement & Supply Chain Manager

Article 13(5) requires manufacturers to exercise due diligence when integrating components from third parties, including by identifying vulnerabilities in those components. This is not a passive obligation — manufacturers cannot rely solely on supplier assurances. Procurement teams must establish processes to verify that integrated components meet the security properties listed in Annex I. For software components, this means requiring SBOMs. For hardware components, it means requiring security documentation covering the component's intended security functions. If a procured component is found to be non-conformant after integration, the manufacturer remains liable for the non-conformity of the finished product. Contractual protections that allow the manufacturer to seek remedy from the supplier are therefore commercially essential.

A CRA-aligned vendor security questionnaire should address: whether the supplier has a published CVD policy and active security contact; whether the supplier generates and provides SBOMs for their components; how the supplier handles vulnerability disclosures affecting components they supply; what the supplier's support period and end-of-life policy is; and whether the supplier is subject to the CRA directly and how they demonstrate conformity. Contractually, procurement should secure: an obligation to provide SBOM updates when new versions ship; the right to receive vulnerability notifications within 48 hours of the supplier becoming aware; the right to audit security practices; and indemnity provisions for losses arising from non-conformant components. Class I and Class II Important Product supply chains warrant heightened scrutiny given the regulatory exposure.

Many products integrate open-source components that are not procured through a commercial supplier relationship. The CRA does not exempt manufacturers from their obligations regarding open-source components — the Annex I requirement to identify and document all components applies regardless of whether the component has a commercial licence. Procurement and engineering teams must jointly maintain visibility over which open-source projects are integrated, at what version, and under what licence. Where open-source projects are in active development and publish regular security advisories, the manufacturer must monitor those advisories and apply relevant patches. Where a project is abandoned or has no active security maintainer, continued use carries elevated risk that must be assessed and documented in the product's technical file.

The manufacturer's product-level SBOM must accurately represent not just the components they write themselves but also every third-party component incorporated into the product. This requires procurement to establish SBOM delivery as a standard contractual deliverable. Suppliers should be required to provide SBOMs in CycloneDX or SPDX format, aligned to a defined minimum data quality standard: component name, version, supplier, licence identifier, and any known vulnerabilities at the time of delivery. When supplier SBOMs are received, the procurement or product security team must merge them into the top-level product SBOM and run the combined inventory against vulnerability databases. Contractual provisions should require suppliers to issue updated SBOMs when new versions are released or when new vulnerabilities affecting current versions are publicly disclosed.

Begin by identifying all current suppliers who provide software, firmware, or integrated electronic components and categorise them by the risk they introduce if non-conformant. Draft a standard CRA rider to add to new and renewing supplier contracts covering SBOM delivery, vulnerability notification, and audit rights. Deploy a vendor security questionnaire to the highest-risk suppliers first and review responses against Annex I requirements. Establish a process for ingesting supplier SBOMs into the product-level SBOM toolchain. Create a monitoring process to track CVEs published against components on the approved supplier list. Review the CRA readiness score on CVD Portal to identify supply chain gaps in the overall compliance posture.