Linaro
Software Supply Chain Management for Device Makers
Pages
14
Time to read
27 mins
Publication
Language
English
This white paper outlines the requirements and implications of the European Union's Cyber Resilience Act (CRA) for connected device manufacturers. It details the timeline for compliance, which begins with the act's enforcement in December 2024, allowing a three-year transition period for manufacturers to prepare. The CRA establishes higher cybersecurity standards for products with digital elements sold in the EU, mandating that security be integrated from the start and maintained throughout the product lifecycle. The paper explains the classification of products under the CRA, identifying categories such as Default, Important, and Critical products, each with specific compliance requirements. It also addresses the obligations for manufacturers to report vulnerabilities and incidents, emphasizing the importance of proactive measures before the full enforcement deadline in December 2027. Additionally, the document clarifies which products are excluded from the CRA and the responsibilities of manufacturers regarding open source software. Overall, the paper serves as a comprehensive guide for manufacturers navigating the new regulatory landscape.