Key manufacturer obligations under the EU Cyber Resilience Act (CRA)
The CRA outlines a comprehensive set of cybersecurity obligations for manufacturers that extend across the entire lifecycle of digital products.
Let’s review the key requirements.
Secure product design and development
Manufacturers are required to ensure that products are designed and developed with cybersecurity in mind. This involves:
- incorporating security features during product design,
- addressing known vulnerabilities proactively,
- ensuring the security of both software and hardware components.
Compliance tip: manufacturers must adopt secure development practices and integrate security-by-design principles early in the development process.
Vulnerability management and reporting
Manufacturers must establish procedures for managing and mitigating product vulnerabilities, both pre- and post-market. This includes:
- identifying vulnerabilities in real-time,
- implementing patches or updates to mitigate risks,
- reporting major vulnerabilities to relevant authorities and users.
Compliance tip: a robust vulnerability management framework is essential, along with mechanisms for continuous monitoring and swift action when a security flaw is discovered.
Post-market surveillance and incident response
Once the product is on the market, manufacturers are expected to:
- continuously monitor the product’s cybersecurity performance,
- have a plan for responding to incidents and mitigating their impact,
- provide security updates throughout the product’s expected lifecycle.
Compliance tip: an efficient incident response mechanism must be in place to manage potential breaches or cyber-attacks and reduce response times.
Transparency and documentation
Manufacturers are required to ensure transparency regarding the security posture of their products by:
- supplying detailed security documentation, including how to configure the product securely,
- providing users with clear guidance on product use and potential risks.
Compliance tip: transparency goes beyond just technical specifications; it includes user-friendly explanations of security features, risks, and guidance for safe usage.
Conformity assessment and CE marking
Before being placed on the market, products must undergo conformity assessments to demonstrate compliance with cybersecurity requirements. Products that pass these assessments will receive the CE marking, indicating compliance with EU standards.
Compliance tip: manufacturers need to maintain thorough documentation proving their product’s adherence to security standards for regulatory audits.
How SBOM and Dependency Track SaaS help manufacturers comply with the CRA
The CRA introduces a complex set of cybersecurity requirements. Managing them effectively, especially for products with many software components, can be challenging. A Software Bill of Materials (SBOM), tools like Dependency Track SaaS, and VEX (Vulnerability Exploitability eXchange) information can significantly help manufacturers meet their obligations.
What is an SBOM?
An SBOM (Software Bill of Materials) is a detailed list of all components, libraries, and dependencies used in a software product. It provides transparency regarding the building blocks of a product, allowing manufacturers to:
- track open-source and third-party components,
- identify vulnerabilities in these components,
- ensure that all components are up-to-date with security patches.
Why is an SBOM crucial for CRA compliance?
An SBOM allows manufacturers to track every component in their software. By knowing which third-party libraries and dependencies are used, manufacturers can quickly identify vulnerabilities (e.g., if a component has a known CVE) and apply fixes promptly.
An SBOM also enables manufacturers to provide detailed information about the software’s components to regulators, users, and stakeholders. This transparency is essential for meeting the CRA’s requirements for documentation and conformity assessments.
In case of a security incident, an SBOM allows manufacturers to swiftly determine which components are affected and take action. This helps meet the CRA’s obligation for post-market surveillance and rapid incident response.
What is Dependency Track SaaS?
Dependency Track SaaS is a cloud solution built on the award-winning, open-source Dependency-Track platform developed by the OWASP community. It is designed to help organizations monitor and manage the security of their software components by automating vulnerability tracking across all dependencies and integrating with SBOMs to provide real-time insight into potential risks.
How Dependency Track SaaS supports CRA compliance
Continuous software vulnerability monitoring
Dependency Track SaaS continuously monitors for new vulnerabilities and alerts manufacturers when one of their product’s dependencies is affected by a newly published vulnerability. This helps fulfill the CRA’s requirement for proactive vulnerability management and prompt patching.
Component risk analysis
Dependency Track SaaS provides detailed insights into the risk profile of each software component, allowing manufacturers to assess the security posture of their product at any given moment. It also aids in the decision-making process for whether to update or replace a particular component.
Incorporating VEX Information
By integrating VEX (Vulnerability Exploitability eXchange) information, Dependency Track SaaS provides a deeper analysis of identified vulnerabilities. VEX data records whether a given vulnerability is actually exploitable in the context of the product, allowing manufacturers to prioritize fixes according to real exploitability risk rather than raw severity alone, thus improving security and supporting compliance with the CRA.
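The following is an added example, not code from this page or from the Dependency-Track project, showing how the SBOM component list (the "What is an SBOM?" section) and the VEX analysis described here combine into an actionable list: a constructed CycloneDX-style document is parsed, findings that VEX marks as not affected are dropped, and the rest are ranked by severity and mapped back to the affected component. The document layout follows the CycloneDX JSON format; the component names and vulnerability ids are constructed placeholders.

```python
import json

# Constructed sample, not a real product: a CycloneDX-style SBOM whose
# "vulnerabilities" array carries the VEX analysis. Ids are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:generic/libparse@1.2.0", "name": "libparse", "version": "1.2.0"},
    {"bom-ref": "pkg:generic/netcore@3.0.1", "name": "netcore", "version": "3.0.1"},
    {"bom-ref": "pkg:generic/imglib@0.9.4", "name": "imglib", "version": "0.9.4"}
  ],
  "vulnerabilities": [
    {"id": "VULN-EXAMPLE-0001", "ratings": [{"severity": "critical"}],
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:generic/netcore@3.0.1"}]},
    {"id": "VULN-EXAMPLE-0002", "ratings": [{"severity": "high"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/libparse@1.2.0"}]},
    {"id": "VULN-EXAMPLE-0003", "ratings": [{"severity": "medium"}],
     "affects": [{"ref": "pkg:generic/imglib@0.9.4"}]}
  ]
}"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# CycloneDX analysis states under which no fix is currently required.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def load_sbom(text: str) -> dict:
    return json.loads(text)

def prioritize(sbom: dict) -> list:
    """Open findings, highest severity first, each mapped to the component it affects."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for v in sbom.get("vulnerabilities", []):
        # A vulnerability with no VEX statement is treated as still under triage (open).
        state = v.get("analysis", {}).get("state", "in_triage")
        if state in CLOSED_STATES:
            continue
        severity = (v.get("ratings") or [{}])[0].get("severity", "unknown")
        for a in v.get("affects", []):
            c = comps.get(a["ref"], {})
            findings.append({"id": v["id"], "severity": severity, "state": state,
                             "component": f"{c.get('name', '?')}@{c.get('version', '?')}"})
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)

if __name__ == "__main__":
    for f in prioritize(load_sbom(SBOM_JSON)):
        print(f"{f['severity']:8} {f['id']}  {f['component']}  ({f['state']})")
```

The same lookup answers the incident-response question from the SBOM section: for a given vulnerability id, the "affects" references resolve directly to the product components that need attention.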
Automation and efficiency
Managing vulnerabilities manually in large, complex software products can be time-consuming and prone to errors. Dependency Track SaaS automates the vulnerability scanning process, helping manufacturers streamline compliance efforts and maintain up-to-date cybersecurity practices with minimal overhead.
Conclusion
The EU Cyber Resilience Act is a pivotal regulation that places significant cybersecurity responsibilities on manufacturers of digital products. To comply, manufacturers must embrace security-by-design, implement robust vulnerability management processes, and provide transparency regarding product components.
An SBOM, combined with tools like Dependency Track SaaS, and the integration of VEX information, can help manufacturers maintain a clear view of the components used in their products, track and resolve vulnerabilities more efficiently, and provide the transparency and security guarantees required by the CRA. By integrating these tools, manufacturers can not only comply with the CRA, but also strengthen their overall security posture, thereby protecting both users and the broader digital ecosystem.
Start implementing secure development practices with SBOM and monitor vulnerabilities with Dependency Track SaaS. Explore the expert services designed to support you.