
EU Cyber Resilience Act — Guide for Supply Chain & Vendor Risk Manager

What the CRA means for your role, your team, and your day-to-day responsibilities.

Supply Chain and Vendor Risk Managers are responsible for ensuring that the components, software libraries, and services sourced from third parties do not introduce cybersecurity risk that the manufacturer cannot manage — and cannot adequately disclose in the technical file. Annex I §10 of the CRA explicitly requires manufacturers to address the security of the software and hardware supply chain. This guide explains how Supply Chain Managers operationalise that requirement across vendor assessment, contractual controls, SBOM collection, and open-source governance.

Your CRA responsibilities:

  • Maintain a classified inventory of all third-party suppliers of components, firmware, software, and services integral to regulated products
  • Conduct pre-engagement and periodic security assessments of supply chain participants
  • Negotiate and enforce CRA-aligned contractual security obligations with all material suppliers
  • Operate the SBOM collection and management process for third-party and open-source components
  • Monitor supplier security advisory channels and feed CVE disclosures into the PSIRT triage queue
  • Manage open-source component governance including licence compliance and vulnerability tracking
  • Coordinate with the compliance team to ensure supply chain evidence is available for the technical file

CRA Supply Chain Obligations

Annex I Part I §10 of the CRA requires manufacturers to ensure the security of products throughout the supply chain, including the integrity of components obtained from third parties. This is a manufacturer obligation — you cannot delegate legal responsibility for supply chain security to your suppliers, but you must have contractual and operational controls that make compliance achievable.

The supply chain obligation operates at multiple levels:

  • Hardware components: ICs, modules, and sub-assemblies that bear firmware or perform security functions must be sourced from suppliers who can provide security specifications, CVE disclosure commitments, and SBOM data
  • Software libraries and SDKs: commercial software components integrated into the product must come with SBOM data, security advisory channels, and patch delivery commitments
  • Contract manufacturers: organisations that manufacture the product under the brand's name are part of the supply chain — the Authorised Representative and Importer roles under Article 13(15) must be clearly contractually defined
  • Cloud and SaaS dependencies: third-party APIs and services integral to product function are supply chain components — their security posture and incident notification obligations must be governed by contract

The supply chain risk assessment should be included in the technical file as evidence that Annex I §10 obligations are being met.

CRA reference: Annex I Part I §10, Article 13

Vendor Security Assessments and Contractual Requirements

A CRA-aligned vendor security assessment programme operates in two phases: pre-engagement assessment before a supplier is approved, and periodic re-assessment during the relationship.

Pre-engagement assessment criteria:

  • Does the supplier have a vulnerability disclosure policy and a public security advisory channel?
  • Can the supplier provide SBOM data for the components they supply in CycloneDX or SPDX format?
  • What is the supplier's track record on CVE disclosure and patch delivery timelines?
  • Is the supplier ISO 27001 or IEC 62443 certified, or equivalent?

Minimum contractual requirements for material suppliers:

  • CVE disclosure obligation: supplier must notify within a defined SLA (recommend 48 hours) of any CVE in components supplied that could affect the manufacturer's products
  • SBOM provision: supplier must provide and maintain an SBOM in a machine-readable format, updated with each new component version
  • Patch delivery commitment: supplier must deliver security patches within a defined timeline consistent with the manufacturer's Article 14 notification obligations
  • Audit rights: the manufacturer must retain the right to audit supplier security controls or request third-party assessment evidence
  • Incident notification: supplier must notify the manufacturer of any security incident affecting the supplied component within 24 hours
CRA reference: Annex I Part I §10, Article 14

SBOM Collection and Management Across the Supply Chain

Article 13(6) requires manufacturers to identify and document the components of their products with digital elements. Building a complete product SBOM requires collecting SBOM data from suppliers — a process that must be operational and continuous, not a one-time request.

Supplier SBOM collection process:

  • Formalise SBOM as a procurement requirement: add SBOM provision (format: CycloneDX 1.5+ or SPDX 2.3+) as a contractual deliverable for all new supplier relationships involving software or firmware components
  • Establish a supplier SBOM repository: maintain a centralised store of supplier-provided SBOMs, versioned and linked to the component versions in your product SBOM
  • Automate SBOM currency: track supplier component versions against your product's current SBOM — when a supplier releases a new version, trigger an automated request for the updated SBOM
  • SBOM gap register: maintain a register of components for which SBOM data has not yet been obtained — treat gaps as supply chain risk items with target closure dates
  • Merge supplier SBOMs into product SBOM: the product SBOM held in the technical file must include transitive dependencies from suppliers — software tooling can merge supplier-provided SBOMs into the top-level product SBOM automatically

SBOM completeness is increasingly a focus of notified body assessments — gaps in supplier SBOM coverage are a common finding.
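The gap register, the version-drift trigger and the merge step described above, worked as an added example over constructed CycloneDX-style data; this is illustration code, not CVD Portal's tooling or any real product's SBOM, and the supplier names, components and versions are invented:

```python
import json
# Constructed product SBOM in minimal CycloneDX 1.5 JSON shape (not a real product).
PRODUCT_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "firmware", "name": "radio-fw", "version": "2.1.0", "supplier": {"name": "AcmeRadio"}},
  {"type": "library", "name": "tls-sdk", "version": "4.0.2", "supplier": {"name": "SecureLib"}},
  {"type": "library", "name": "zlib", "version": "1.2.13", "supplier": {"name": "open-source"}}]}
""")
# Constructed supplier SBOM repository keyed by (supplier, component, version).
# SecureLib has only filed an SBOM for 4.0.3 while the product still ships 4.0.2; zlib has none.
SUPPLIER_SBOMS = {
    ("AcmeRadio", "radio-fw", "2.1.0"): {"components": [
        {"type": "library", "name": "lwip", "version": "2.1.3"},
        {"type": "library", "name": "mbedtls", "version": "3.4.0"}]},
    ("SecureLib", "tls-sdk", "4.0.3"): {"components": [
        {"type": "library", "name": "openssl", "version": "3.1.4"}]},
}

def _key(c):
    return (c.get("supplier", {}).get("name", ""), c["name"], c["version"])

def _ref(c):
    return f"{c['name']}@{c['version']}"

def sbom_gap_register(product, repo):
    """Top-level components with no supplier SBOM on file for the exact shipped version."""
    return [_ref(c) for c in product["components"] if _key(c) not in repo]

def supplier_version_drift(product, repo):
    """(ref, newest filed version) where the supplier's filed SBOM versions differ from the shipped one."""
    drift = []
    for c in product["components"]:
        sup, name, ver = _key(c)
        # String sort is adequate for the constructed data; use a real version comparator in practice.
        other = sorted(v for (s, n, v) in repo if (s, n) == (sup, name) and v != ver)
        if other:
            drift.append((_ref(c), other[-1]))
    return drift

def merge_supplier_sboms(product, repo):
    """Fold transitive components from filed supplier SBOMs into the product SBOM with dependency edges."""
    merged = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [], "dependencies": []}
    for c in product["components"]:
        merged["components"].append({**c, "bom-ref": _ref(c)})
        subs = repo.get(_key(c), {}).get("components", [])
        for s in subs:
            merged["components"].append({**s, "bom-ref": _ref(s), "supplier": c.get("supplier")})
        merged["dependencies"].append({"ref": _ref(c), "dependsOn": [_ref(s) for s in subs]})
    return merged
```

A drift hit is the point at which the automated request for the updated supplier SBOM should fire; a gap entry is a risk item with a target closure date.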

CRA reference: Article 13(6), Annex V

Open-Source Component Governance

Open-source software components represent a significant proportion of most connected products' codebases and are a primary vector for supply chain vulnerabilities. Annex I §10 applies to open-source components as much as to commercial suppliers — and in many ways the governance challenge is greater because there is no contractual relationship to enforce.

CRA-aligned open-source governance programme:

  • Component inventory: maintain a complete inventory of all open-source components used in each product, including version, licence, and the upstream security advisory channel (NVD, OSV, GitHub Advisories)
  • Lifecycle monitoring: subscribe to vulnerability advisories for all material open-source components — use a structured feed rather than manual checking
  • Maintenance status assessment: before adopting a new open-source dependency, assess the project's maintenance status — abandoned or dormant projects create unresolvable CVE risk
  • Licence governance: track licence obligations for all open-source components; copyleft licences (GPL, AGPL) may restrict the ability to deliver security patches in proprietary-licensed products without triggering licence obligations
  • Commercial support as risk mitigation: for critical open-source components with no active community maintenance, consider commercial support arrangements that include security patch backport commitments

The open-source governance policy and component register should be maintained by the Supply Chain Manager and shared with Engineering for compliance.
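Lifecycle monitoring via a structured feed, carried through as an added example (not CVD Portal's code or part of this guide): a constructed component register is matched against constructed advisory records in OSV's JSON shape, producing PSIRT triage items that also flag copyleft licences and advisories with no fix available. The component names, advisory ids and versions are placeholders, not real CVEs:

```python
import json
# Constructed open-source component register for one product (not a real inventory).
COMPONENT_REGISTER = [
    {"name": "zlib", "ecosystem": "OSS-Fuzz", "version": "1.2.13", "licence": "Zlib"},
    {"name": "lodash", "ecosystem": "npm", "version": "4.17.20", "licence": "MIT"},
    {"name": "oldlib", "ecosystem": "Generic", "version": "0.9.1", "licence": "GPL-3.0-only"},
]
# Constructed advisory feed in OSV record shape; ids and findings are placeholders, not real CVEs.
ADVISORY_FEED = json.loads("""[
 {"id": "EXAMPLE-0001", "affected": [{"package": {"name": "lodash", "ecosystem": "npm"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
 {"id": "EXAMPLE-0002", "affected": [{"package": {"name": "zlib", "ecosystem": "OSS-Fuzz"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.2.0"}, {"fixed": "1.2.12"}]}]}]},
 {"id": "EXAMPLE-0003", "affected": [{"package": {"name": "oldlib", "ecosystem": "Generic"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0.9.0"}]}]}]}
]""")
def _ver(v):
    # Numeric dotted-version parse; adequate for the constructed data, not a full semver comparator.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
def affected_status(version, ranges):
    """(affected, fix_available) under OSV event semantics: introduced <= v < fixed, or no fix yet."""
    v, affected, fix_available = _ver(version), False, False
    for r in ranges:
        if r.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history to resolve; skipped here
        lo = None
        for ev in r["events"]:
            if "introduced" in ev:
                lo = ev["introduced"]
            elif "fixed" in ev:
                fix_available = True
                affected = affected or (lo is not None and _ver(lo) <= v < _ver(ev["fixed"]))
                lo = None
        if lo is not None and v >= _ver(lo):  # introduced, never fixed: open interval
            affected = True
    return affected, fix_available
def triage_queue(register, feed):
    """Match the register against the feed; flag copyleft components and unfixed advisories."""
    items = []
    for comp in register:
        for adv in feed:
            for a in adv["affected"]:
                if (a["package"]["name"], a["package"]["ecosystem"]) != (comp["name"], comp["ecosystem"]):
                    continue
                affected, fix = affected_status(comp["version"], a.get("ranges", []))
                if affected:
                    items.append({"component": f"{comp['name']}@{comp['version']}", "advisory": adv["id"],
                                  "fix_available": fix, "copyleft": comp["licence"].startswith(("GPL", "AGPL", "LGPL"))})
    return items
```

An item with no fix available is the "abandoned or dormant upstream" case the programme above calls out; the copyleft flag routes the item to licence review before a patch is shipped.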

CRA reference: Annex I Part I §10

Getting Started Checklist

Practical first steps for Supply Chain Managers building CRA compliance into their programme:

  • Classify the supplier base: identify all suppliers whose components, software, or services are integral to regulated products — segment by criticality (firmware, security components, communication modules as highest priority)
  • Audit existing contracts for CRA-relevant obligations — identify contracts with material suppliers that lack CVE disclosure, SBOM provision, and patch delivery terms and prioritise renegotiation
  • Launch SBOM collection campaign: contact all Tier 1 suppliers with a formal request for SBOM data in CycloneDX or SPDX format; establish the gap register for non-responders
  • Establish a supplier security advisory monitoring process: register for security advisory feeds from all material suppliers and route alerts to the PSIRT triage queue
  • Review open-source component inventory: work with Engineering to produce a complete list of open-source dependencies across all in-scope products — identify components that are abandoned, unlicensed, or have critical unpatched CVEs
  • Draft CRA-aligned supplier contract addendum: work with Legal to produce a standard contract addendum for existing and new suppliers covering the minimum security obligations
  • Run the CVD Portal CRA Readiness Score to benchmark supply chain coverage against Annex I §10 expectations


Frequently asked by Supply Chain Managers

Can a manufacturer rely on a supplier's CE marking to satisfy CRA supply chain requirements?

Not automatically. A supplier's CE marking under another directive (e.g., the Radio Equipment Directive) does not confirm CRA conformity. The CRA has its own conformity assessment requirements, and a component's compliance under another framework does not transfer to CRA compliance for the integrated product. Manufacturers must independently verify that components meet Annex I requirements in the context of their product, and must obtain SBOM data and security specifications regardless of the component's CE marking status.

What should we do if a critical supplier refuses to provide SBOM data?

Refusal to provide SBOM data is a supply chain risk that must be documented and escalated. Practical options include: requiring the supplier to provide an independent audit confirming SBOM completeness without releasing the data directly; engaging a third-party bill-of-materials extraction service for the component; or treating the component as high-risk in the technical file with a compensating control narrative. In the longer term, supplier SBOM provision should become a contractual condition — if a supplier will not accept this term, they should be flagged for replacement.

How does the CRA affect relationships with contract manufacturers who build products under the manufacturer's brand?

Contract manufacturers who produce products under the brand's name are part of the regulated supply chain. The brand owner (as manufacturer in the CRA's meaning) remains legally responsible for conformity, but must have contractual controls with the contract manufacturer covering: adherence to the agreed bill of materials, no unauthorised component substitutions, access for audit, and security incident notification. Article 13(15) addresses importers and distributors separately — ensure your contract manufacturing agreement clearly establishes roles and obligations.
