Module 10: Governance, Contracts, and Supply Chain Responsibilities

1. Where Governance Meets the CRA Supply Chain

In this module we connect the EU Cyber Resilience Act (CRA) to how organisations are governed and how they manage suppliers.

As of late 2024, the CRA has been politically agreed and is in the final stages of formal adoption (Regulation, not a Directive). That means:

• It will be directly applicable EU law (no national transposition needed).
• Duties apply along the economic operator chain:
• Manufacturer (including many software publishers and brand owners)
• Authorised representative
• Importer
• Distributor

This module focuses on:

• How to assign internal responsibilities for CRA compliance.
• How to write contracts with suppliers and OEMs to cover CRA obligations.
• When an importer, distributor, or brander is treated as a manufacturer under the CRA.
• How to monitor supplier compliance (audits, documentation, SBOMs).

Keep in mind links to previous modules:

• From Module 8: technical documentation and SBOM must often be supported by your suppliers.
• From Module 9: conformity assessment and CE marking depend on having a compliant supply chain.

> Visualize a chain: upstream developers → component suppliers → OEM integrator → importer → distributor → end‑user. CRA pushes security and documentation duties all the way up and down that chain.

2. Mapping CRA Roles Inside the Organisation

To comply with the CRA, companies need clear internal governance. Think of it as a RACI chart (Responsible, Accountable, Consulted, Informed) mapped to CRA articles.

Typical internal roles:

• Board / Senior Management
• Approves security and CRA compliance strategy.
• Ensures adequate resources for secure development, vulnerability handling, and documentation.

• Product Owner / Product Manager
• Owns the product’s CRA lifecycle: from design to updates and end-of-life.
• Ensures products are correctly classified (critical, high-risk, etc. under CRA categories) and the right conformity assessment route is used.

• Security / Product Security Team (PSIRT)
• Runs secure development lifecycle (SDL) practices.
• Manages vulnerability handling, incident response, and security updates as required by CRA.
• Interfaces with EU cybersecurity authorities if serious vulnerabilities or incidents must be reported (CRA aligns with NIS2-style obligations).

• Legal / Compliance
• Interprets CRA requirements and translates them into policies and contract clauses.
• Checks when the company is acting as manufacturer, importer, or distributor.

• Procurement / Supplier Management
• Ensures contracts with suppliers include CRA-related obligations (SBOM, security support, vulnerability disclosure, etc.).
• Monitors ongoing compliance (e.g., certifications, audit reports).

• Engineering / DevOps
• Implements secure coding, logging, update mechanisms, and configuration requirements mandated by CRA.
• Integrates third‑party components in a way that respects security and documentation duties.

> Governance tip: Many organisations create a CRA Steering Group (security + legal + product + procurement) to coordinate responsibilities.

3. Quick Governance Mapping Exercise

Imagine you are in a mid‑size SaaS company that will place a CRA‑covered product on the EU market.

Task: For each CRA activity below, decide which internal role should be primarily Responsible (R) and which should be Accountable (A). You can write your answers on paper or in a text editor.

Activities:

1. Approving the vulnerability handling policy and response timelines.
2. Deciding whether the product is in a higher‑risk CRA class and needs third‑party assessment.
3. Making sure supplier contracts include SBOM delivery and security update obligations.
4. Maintaining the technical documentation file and ensuring it is complete for conformity assessment.
5. Deciding when to end security support for a product and how to notify users.

Roles to choose from:

• Board / Senior Management
• Product Manager
• Security / PSIRT Lead
• Legal / Compliance Lead
• Procurement Lead
• Engineering Lead

> After you assign R and A, compare to a typical setup:

> 1. R: PSIRT Lead, A: Board / Senior Management

> 2. R: Product Manager, A: Legal / Compliance Lead (with input from Security)

> 3. R: Procurement Lead, A: Legal / Compliance Lead

> 4. R: Product Manager or Engineering Lead, A: Legal / Compliance Lead

> 5. R: Product Manager, A: Board / Senior Management

4. When Are You a Manufacturer, Importer, or Distributor?

Under the CRA, responsibilities depend on your role. A single company can wear multiple hats.

Manufacturer (core CRA duties)

You are a manufacturer if you:

• Develop software or a product with digital elements and
• Place it on the EU market under your own name or trademark, or
• Substantially modify a product already on the market (e.g., major software changes that affect security properties).

Key duties (simplified):

• Perform risk assessment and implement security by design/by default.
• Maintain technical documentation and SBOM (Module 8).
• Undergo conformity assessment and affix CE marking (Module 9).
• Provide instructions and security updates, handle vulnerabilities.

Importer

You are an importer if you:

• Place on the EU market a CRA‑covered product from a non‑EU manufacturer, under the manufacturer’s name.

Duties include:

• Check that the non‑EU manufacturer has carried out conformity assessment, has CE marking, and documentation.
• Ensure name and contact details of manufacturer and importer are on the product or documentation.
• Not place the product on the market if you know it is non‑compliant.

Distributor

You are a distributor if you:

• Make a product available in the EU supply chain (e.g., reseller, marketplace) without being manufacturer or importer.

Duties include:

• Verify product bears CE marking and required information.
• Ensure storage and transport conditions do not compromise security.
• Cooperate with authorities and pass on user information and updates as needed.

When importers/distributors become manufacturers

You are treated as a manufacturer (and get full manufacturer duties) if you:

• Place a product on the market under your own brand or modify the product name/identity; or
• Modify the product in a way that affects its compliance (e.g., replace the main firmware, major software changes, disable security features); or
• Change the intended purpose of the product.

> Practical rule: If you change the brand, core software, or intended use, assume CRA will treat you as a manufacturer, with all associated obligations.

5. Role Identification Quiz

Test your understanding of when a company is treated as a manufacturer, importer, or distributor under the CRA.

6. Core CRA Clauses for Supplier and OEM Contracts

To manage CRA risk, you need to flow down obligations into contracts with:

• Software component suppliers (libraries, SDKs, APIs)
• OEMs and white‑label partners
• Cloud and platform providers (where relevant to the product’s security)

Below are key clause topics (simplified for learning). In real life, legal experts must adapt them to actual CRA text and final numbering.

1. Compliance with CRA and related EU law

• Supplier warrants that its products and services support your CRA compliance, including security by design and by default.

1. Security by design / secure development

• Supplier follows a documented secure development lifecycle (SDL).
• Uses up‑to‑date encryption, secure coding practices, and security testing.

1. SBOM and component transparency

• Supplier provides an SBOM in a standard format (e.g., SPDX or CycloneDX).
• SBOM must be updated with each release and on request by authorities.

1. Vulnerability handling and disclosure

• Supplier maintains a vulnerability management process.
• Notifies you of discovered vulnerabilities within an agreed time (e.g., 24–72 hours after confirmation).
• Cooperates on coordinated vulnerability disclosure and security advisories.

1. Security updates and support period

• Supplier commits to providing security patches for at least the expected product lifetime or a defined minimum period.
• Includes maximum time to patch for critical vulnerabilities.

1. Technical documentation support

• Supplier provides necessary technical documentation for your CRA technical file (architecture, security features, test reports, configuration guidance).

1. Audit and assessment rights

• You may perform security and CRA compliance audits (on‑site or remote) or receive independent certifications (e.g., ISO/IEC 27001, 62443 where relevant).
• Supplier must remediate non‑conformities within an agreed timeframe.

1. Incident and breach cooperation

• Supplier must assist you in investigating and mitigating security incidents.
• Provides data and logs needed for reporting to EU authorities when required by CRA or NIS2.

1. End‑of‑life (EoL) and data export

• Supplier informs you in advance of end‑of‑support dates.
• Provides tools or documentation for secure decommissioning and data export.

> Contract design tip: Many organisations create a CRA Appendix or Cybersecurity Schedule that is attached to all relevant supplier contracts, so requirements are consistent.

7. Sample CRA Supplier Clause (Plain‑Language Pseudo‑Legal)

Below is a simplified example of how a CRA‑related clause could look. This is for learning only, not legal advice.

8. Contract Drafting Exercise

You are negotiating with a supplier of a critical authentication library used in your CRA‑covered product.

Task: Write 3–4 short bullet points you would insist on including in the contract, based on what you learned.

Use this structure in your notes:

• SBOM requirement: …
• Vulnerability notification: …
• Security updates: …
• Audit / evidence: …

Example answer (compare after you write your own):

• SBOM requirement: Supplier must provide an updated SBOM with each release in CycloneDX format.
• Vulnerability notification: Supplier must notify us within 48 hours of confirming any vulnerability that could affect authentication or encryption.
• Security updates: Supplier must provide patches for critical vulnerabilities within 7 days and for high‑severity vulnerabilities within 30 days.
• Audit / evidence: Supplier must give us an annual summary of their security testing and allow a remote audit of their SDL process on request.

9. Monitoring Supplier Compliance and Audit Strategies

Having contract clauses is not enough. Under the CRA, regulators will expect evidence that you actually monitor compliance, especially for higher‑risk products.

Common monitoring practices:

1. Onboarding due diligence

• Security questionnaires (asking about SDL, certifications, incident history).
• Review of third‑party certifications (ISO/IEC 27001, SOC 2, IEC 62443, etc.).

1. Regular reporting

• Annual or quarterly security status reports from suppliers.
• Updated SBOMs and vulnerability lists.
• Evidence of security testing (e.g., summary of penetration test findings and fixes).

1. Audit and review meetings

• Periodic security review calls to discuss incidents, vulnerabilities, and roadmap.
• Right to perform remote or on‑site audits for critical suppliers.

1. Technical monitoring

• Use of vulnerability scanners and SBOM analysis tools to detect known vulnerabilities in supplier components.
• Continuous monitoring of security advisories from suppliers and open‑source communities.

1. Escalation and remediation

• Clear escalation paths if a supplier fails to patch or refuses audits.
• Contractual right to withhold payment, stop using the component, or terminate the contract for serious non‑compliance.

> Exam‑style insight: If a CRA‑covered product is found non‑compliant due to a vulnerable third‑party library, regulators will still hold the manufacturer responsible. Being able to show supplier control and monitoring can reduce penalties and demonstrate due care.

10. Supplier Monitoring Scenario

Apply your knowledge to a realistic situation.

11. Key Term Review

Use these flashcards to reinforce the main concepts from this module.