The European Union has significantly elevated its cybersecurity posture with the adoption of Regulation (EU) 2024/2847, also known as the CRA (Cyber Resilience Act). As the first horizontal cybersecurity regulation for PDEs (products with digital elements), the CRA establishes legally binding security requirements for both hardware and software placed on the EU market.
The regulation entered into force in December 2024 and introduces mandatory cybersecurity obligations across the entire product lifecycle, from secure development and third-party component due diligence to vulnerability handling and incident reporting.
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting their products. From 11 December 2027 the regulation applies in full, including technical documentation, lifecycle security controls, and Software Bill of Materials (SBOM) requirements.
For CIOs, CISOs, product security leaders, and compliance teams, the CRA carries operational, financial, and regulatory consequences. Organizations must be prepared to demonstrate secure-by-design practices, implement continuous vulnerability monitoring, maintain audit-ready SBOM documentation, and ensure supply chain transparency across proprietary and open-source components.
This article provides a practical roadmap to CRA compliance, covering software supply chain obligations, SBOM requirements, lifecycle responsibilities, and strategic steps organizations should take now to prepare for enforcement.
Cyber Resilience Act Requirements Overview
What Is the Cyber Resilience Act and Why Was It Introduced?
The CRA establishes the first EU-wide horizontal cybersecurity framework for products with digital elements.
The regulation aims to:
- Reduce systemic vulnerabilities in connected products
- Improve transparency in software supply chains
- Ensure lifecycle vulnerability management
- Shift accountability to manufacturers
Who Must Comply?
- Software manufacturers
- Hardware vendors embedding software
- Importers and distributors
- Developers integrating third-party or open-source components
- Suppliers of critical or important digital products
Software Supply Chain Obligations Under the CRA
Due Diligence on Components
Manufacturers must perform due diligence on third-party components, including assessing known vulnerabilities and monitoring security updates.
End-to-End Vulnerability Responsibility
Manufacturers remain responsible for vulnerabilities across all integrated components, regardless of origin.
Secure-by-Design and Secure-by-Default
Products must be delivered with secure default configurations and designed with cybersecurity embedded from inception.
Vulnerability Monitoring and Reporting
Actively exploited vulnerabilities and severe incidents affecting the security of a product must be reported from 11 September 2026. The manufacturer submits an early warning within 24 hours of becoming aware and a fuller notification within 72 hours, through the single reporting platform to the CSIRT designated as coordinator and to ENISA.
Technical Documentation and Retention
Technical documentation, including the SBOM, must be kept at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market or for the product's support period, whichever is longer.
SBOM Requirements Under the CRA
The CRA requires manufacturers to identify and document the components in a product with digital elements by drawing up an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies (Annex I, Part II). The SBOM is maintained as part of the product's technical documentation. The regulation does not prescribe specific SBOM fields; industry-standard SBOMs generally include component identifiers, version information, supplier or origin details, dependency relationships, and integrity data such as cryptographic hashes.
The SBOM must be:
- Machine-readable
- Maintained as part of technical documentation
- Provided to EU authorities upon reasoned request
How OPSWAT Supports CRA Software Supply Chain Compliance
1. Software Component Transparency
- Component name, version, and supplier identification
- Direct and transitive dependency mapping
- Unique identifiers and cryptographic validation
- Centralized SBOM management
2. Transparency and Risk Detection
- Vulnerability detection tied to public databases
- Malware scanning within software packages
- Identification of embedded risks before release
- Continuous monitoring for new CVEs
3. Documentation and Audit Readiness
- Machine-readable SBOM generation (CycloneDX, SPDX)
- Exportable reports
- Secure storage and controlled sharing
Aligning Software Components with CRA Obligations
| Component Type | Example | Required Visibility | Responsibility |
|---|---|---|---|
| Main application | Enterprise SaaS platform | Full product-level SBOM | Manufacturer |
| Core Dependency | OpenSSL | Top-level and vulnerability tracking | Manufacturer |
| Middleware/Runtime | Web server or container runtime | Dependency validation | Manufacturer + Vendor |
| Third-party Libraries | SDKs, APIs | Transitive SBOM inclusion | Manufacturer |
A Practical CRA Compliance Roadmap
1. Conduct a Readiness Assessment
Evaluate:
- Current software inventory practices
- Existing SBOM generation
- Vulnerability monitoring maturity
- Documentation retention processes
2. Establish Internal Governance
Define clear roles for:
- Developers
- DevOps teams
- Security teams
- Legal/compliance
- Procurement
3. Automate SBOM Generation
Tools should:
- Generate SBOMs for each release and update
- Integrate with CI/CD pipelines
- Output CycloneDX and SPDX formats
- Validate required minimum data fields
4. Embed SBOM Across the SDLC
SBOM maturity evolves across stages:
- Design SBOM (planned components)
- Build SBOM (compiled artifacts)
- Analyzed SBOM (post-build inspection)
- Deployed SBOM (production environment)
- Runtime SBOM (active monitoring)
5. Maintain Ongoing Compliance and Monitoring
- Continuously monitor vulnerability databases
- Update SBOMs when components change
- Establish vulnerability disclosure workflows
- Prepare documentation for authority requests
SBOM Formats Commonly Used for CRA Compliance
The CRA does not name a format; it requires a commonly used, machine-readable one. In practice that means one of two widely adopted standards:
CycloneDX
Security-centric and maintained by OWASP, optimized for vulnerability management.
SPDX
Originally license-focused, standardized as ISO/IEC 5962:2021, and widely adopted for compliance documentation.
How to Evaluate CRA-Ready Compliance Solutions
When selecting vendors or tools, consider:
- SBOM generation in accepted formats
- Integration with DevOps and container registries
- Continuous vulnerability monitoring
- Malware scanning capabilities
- Audit-ready reporting
- Secure data storage and sharing
Ask vendors:
- How often are SBOMs updated?
- How do you handle transitive dependencies?
- How is vulnerability intelligence integrated?
- How do you support regulatory reporting workflows?
Best Practices for Seamless CRA Implementation
- Integrate SBOM generation early (“shift left”)
- Automate dependency mapping
- Mandate SBOM data from suppliers
- Train teams on CRA responsibilities
Common Mistakes to Avoid
| Mistake | Risk | Mitigation |
|---|---|---|
| Treating SBOM as static | Outdated vulnerability exposure | Automate continuous updates |
| Ignoring transitive dependencies | Hidden supply chain risk | Use recursive dependency mapping |
| Manual SBOM processes | Inconsistency and audit failure | Implement automated tooling |
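The checks described in roadmap step 3 (validate minimum data fields), step 5 (correlate components against vulnerability data) and the transitive-dependency row in the table above, as an added example that is not part of the original article and not code from any OPSWAT product. It runs over a CycloneDX-style SBOM held as a Python dict mirroring the CycloneDX 1.5 JSON shape. Everything in it is constructed: the package names, purls, hashes and advisory IDs are placeholders, `REQUIRED_FIELDS` is this example's own assumption of a minimum data set (the CRA only requires a commonly used machine-readable format covering at least top-level dependencies), and the advisory feed imitates an OSV-like range record rather than any real database.

```python
"""Added example: minimum-field validation, recursive dependency mapping and
vulnerability correlation over a CycloneDX-style SBOM (Python dict mirroring
the CycloneDX 1.5 JSON shape). Everything below is constructed for this
example: package names, purls, hashes and advisory IDs are placeholders."""
from collections import deque

# Assumed minimum data set per component (the article's list of identifier,
# version, supplier and integrity data); the CRA itself does not name fields.
REQUIRED_FIELDS = ("name", "version", "purl", "supplier", "hashes")
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "acme-platform", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/acme-web@3.1.0", "type": "library", "name": "acme-web",
         "version": "3.1.0", "purl": "pkg:pypi/acme-web@3.1.0",
         "supplier": {"name": "Acme OSS"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "pkg:pypi/acme-http@2.4.1", "type": "library", "name": "acme-http",
         "version": "2.4.1", "purl": "pkg:pypi/acme-http@2.4.1",
         "supplier": {"name": "Acme OSS"},
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        # Transitive component with no supplier and only an MD5 hash.
        {"bom-ref": "pkg:generic/acme-tls@1.1.0", "type": "library", "name": "acme-tls",
         "version": "1.1.0", "purl": "pkg:generic/acme-tls@1.1.0",
         "hashes": [{"alg": "MD5", "content": "ef" * 16}]},
    ],
    # acme-json is referenced below but never declared as a component.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/acme-web@3.1.0"]},
        {"ref": "pkg:pypi/acme-web@3.1.0", "dependsOn": ["pkg:pypi/acme-http@2.4.1"]},
        {"ref": "pkg:pypi/acme-http@2.4.1",
         "dependsOn": ["pkg:generic/acme-tls@1.1.0", "pkg:pypi/acme-json@1.0.0"]},
    ],
}

# Constructed advisory feed in an OSV-like shape: versionless purl, affected
# range [introduced, fixed). The IDs are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/acme-tls", "introduced": "1.0.0", "fixed": "1.1.2"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/acme-web", "introduced": "3.0.0", "fixed": "3.1.0"},
]


def version_key(version):
    """Order plain dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def validate_components(sbom):
    """Return {bom-ref: [problems]} for components lacking minimum data or
    carrying only weak integrity hashes."""
    findings = {}
    for comp in sbom.get("components", []):
        problems = [field for field in REQUIRED_FIELDS if not comp.get(field)]
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if algs and not algs & STRONG_HASHES:
            problems.append("weak-hash:" + ",".join(sorted(algs)))
        if problems:
            findings[comp["bom-ref"]] = problems
    return findings


def transitive_dependencies(sbom, root_ref):
    """Breadth-first walk of the dependency graph from root_ref.
    Returns ({ref: depth}, [refs used in dependsOn but never declared]).
    The depth map doubles as the visited set, so cyclic graphs terminate."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    declared = {c["bom-ref"] for c in sbom.get("components", [])}
    depth, dangling, queue = {}, [], deque([(root_ref, 0)])
    while queue:
        ref, level = queue.popleft()
        for child in graph.get(ref, []):
            if child in depth:
                continue
            depth[child] = level + 1
            if child not in declared:
                dangling.append(child)
            queue.append((child, level + 1))
    return depth, dangling


def correlate(sbom, advisories):
    """Match each declared component, direct or transitive, against the feed
    by versionless purl and affected range; report its dependency depth.
    Assumption: purls carry a single '@' (no scoped namespaces)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, _ = transitive_dependencies(sbom, root)
    hits = []
    for comp in sbom.get("components", []):
        base, _, _ = comp.get("purl", "").partition("@")
        current = version_key(comp["version"])
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if version_key(adv["introduced"]) <= current < version_key(adv["fixed"]):
                hits.append({"ref": comp["bom-ref"], "advisory": adv["id"],
                             "fixed": adv["fixed"], "depth": depth.get(comp["bom-ref"])})
    return hits


if __name__ == "__main__":
    print("missing data:", validate_components(SAMPLE_SBOM))
    print("dependency map:", transitive_dependencies(SAMPLE_SBOM, "app"))
    print("vulnerable:", correlate(SAMPLE_SBOM, SAMPLE_ADVISORIES))
```

Run as-is, the script flags the depth-3 component for a missing supplier and a weak hash, reports the undeclared `acme-json` reference that a top-level-only review would never see, and matches only the component whose version falls inside the affected range (the `fixed` bound is exclusive, so `acme-web` 3.1.0 is clean). In a pipeline the dict would come from the SBOM generator's JSON output and the advisory list from a live feed; the dangling-reference check is the part that catches a hand-edited SBOM that lists a dependency without describing it.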
Sector-Specific Considerations
Critical and Important Products
Operating systems, hypervisors, firewalls, and foundational infrastructure components face heightened scrutiny.
Financial Services
Organizations must align CRA compliance with broader EU cybersecurity frameworks (e.g., DORA).
Industrial and IoT
Embedded software must maintain long-term documentation retention and vulnerability monitoring.
OPSWAT SBOM
OPSWAT SBOM empowers teams with:
- Accurate software component inventories
- SBOM generation for source code and containers
- Vulnerability correlation
- Licensing visibility
SBOM for Software Packages and Artifacts
Identify, prioritize, and remediate open-source risks without slowing development.
SBOM for Containers
Generate SBOMs at every container layer and detect vulnerabilities before deployment.
MetaDefender Software Supply Chain™
Go beyond documentation and address advanced supply chain threats.
MetaDefender Software Supply Chain™ embeds zero-trust inspection into the SDLC by combining multiscanning with 30+ antivirus engines, hard-coded secret detection, deep container layer analysis, vulnerability identification, and native integrations with repositories and CI/CD pipelines to prevent malware, exposed credentials, and dependency risks while supporting compliance with frameworks such as the EU Cyber Resilience Act.

FAQs
When does the CRA apply?
Reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026. The regulation applies in full from 11 December 2027.
Are SBOMs required to be public?
No. They must be provided to authorities upon reasoned request.
Do open-source components count?
Yes. All integrated components fall under manufacturer responsibility.
What are the penalties for non-compliance?
Up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements and the core manufacturer obligations; lower tiers (€10 million or 2%, and €5 million or 1% for supplying incorrect information) apply to other breaches.
Is automation required?
While not explicitly mandated, automation is essential to meet lifecycle monitoring requirements.
What’s Next? Preparing for CRA Enforcement
The CRA makes software supply chain security a condition for operating in the EU market, requiring lifecycle accountability, continuous vulnerability monitoring, and structured SBOM documentation. Organizations that begin aligning their development and security processes now can reduce regulatory exposure while strengthening overall resilience.
OPSWAT helps operationalize CRA requirements by embedding SBOM automation, vulnerability intelligence, multiscanning, and zero-trust inspection directly into development workflows, helping manufacturers strengthen their software supply chains while maintaining audit readiness.
Learn how OPSWAT can help your organization operationalize CRA requirements and strengthen your software supply chain security.
