CRA: who is responsible for vulnerabilities and SBOM

Which obligations regarding vulnerability handling and SBOM apply to manufacturers, importers and distributors under the CRA? Explained with a machine building example and an illustration.

If you build a machine and install a controller in it, you are responsible to your operator for the vulnerabilities and updates of the entire machine. The controller manufacturer supplies you with its component, its evidence and its updates. However, they do not go to your customer to fix a software flaw in the installed controller. That is your job as the machine manufacturer.

This article assigns the CRA roles along the supply chain and focuses on what causes the most friction in practice: the relationship between supplier and manufacturer.

A full overview of all manufacturer obligations can be found on the CRA main page.

The CRA distinguishes economic operators by their position in the supply chain. The largest set of obligations falls on the manufacturer. Importers and distributors mainly have checking and reporting duties.

| Task | Manufacturer | Importer | Distributor |
|------|--------------|----------|-------------|
| Create software bill of materials (SBOM) | yes | no | no |
| Fix vulnerabilities and provide updates | yes | no | no |
| Check conformity (CE, documentation) | creates it | checks before placing on the market | checks when making available |
| When aware of a vulnerability | treats and reports it | informs the manufacturer | informs the manufacturer |
| Report to authorities when a vulnerability is actively exploited | yes | no (informs manufacturer) | no (informs manufacturer) |

The manufacturer carries the substantive obligations for vulnerability handling and for the SBOM. The importer checks, before placing on the market, among other things the CE marking, the technical documentation and the conformity assessment and informs the manufacturer immediately if it becomes aware of a vulnerability. The distributor checks the CE mark and the manufacturer obligations and likewise reports any known vulnerability to the manufacturer.

Important for the supply chain: anyone who places a product on the market under their own name or brand, or who substantially modifies it, is deemed a manufacturer and is subject to the full set of manufacturer obligations. This rule frequently catches machine builders; more on that below.

What an SBOM is under the CRA

A software bill of materials (SBOM) is an inventory of the software components of a product. The CRA requires the manufacturer to identify and document vulnerabilities and components, among other things through an SBOM in a common machine-readable format. The legal minimum depth is limited: the SBOM must show “at least the top-level dependencies.” The law does not require a comprehensive deep analysis down to the last transitive dependency at this point.

The SBOM is not a public document. The manufacturer is not required to publish it, but only to present it to the market surveillance authority on justified request. There is also no obligation to hand the SBOM over to the user. The information duties only require indicating where the SBOM is available, should the manufacturer provide it.

Thus, the SBOM is primarily an internal tool. This is where the supply chain question begins: if you integrate third-party components, how do you know what they contain?

When does an internal component itself fall under the CRA?

The CRA defines a product with digital elements as a hardware or software product including components that are placed on the market separately. The decisive feature in the text of the regulation is therefore separate placement on the market.

That implies: a controller that is freely available on the market is itself a CRA product of its manufacturer. It is marketed separately, so the controller manufacturer bears the manufacturer obligations for it. A component that is designed exclusively for a specific machine and not offered separately on the market may be assessed differently. The Commission’s guidance classifies such cases based on separate placement. This guidance is explicitly not legally binding and so far exists only as a draft.

In practice this means: if you buy a controller available on the market, it is an independent CRA product with its own manufacturer. As soon as you integrate it into your machine, it becomes an integrated third-party component for which special due diligence obligations apply.

Which evidence and which SBOM you need from your suppliers

This is the core of the supplier relationship. Whoever integrates components from third parties must exercise due diligence so that these components do not impair the cybersecurity of the overall product. This explicitly applies also to free and open-source software.

What “due diligence” concretely means is specified in recital 34 of the CRA. Suitable measures listed include: checking the conformity of the component (including CE marking, insofar as the CRA applies), ensuring the component receives regular security updates, consulting relevant vulnerability databases or carrying out additional security tests.

The Commission’s guidance describes two complementary duties: the risk assessment for the overall product and the due diligence check for integrated third-party components. For conformity, integrated third-party components are treated like external inputs whose properties the manufacturer must verify by due diligence upon integration. The manufacturer cannot redevelop third-party components, so they must check whether those components deliver what their product needs from them. As evidence, the draft mentions, for example, technical specifications, security documentation or conformity and assurance documents of the component manufacturer, supplemented where appropriate by the manufacturer’s own functional tests.

If the manufacturer finds a vulnerability in an integrated component, they report it to the person or entity that manufactures or maintains that component and remediate it according to the CRA requirements. If they themselves have developed a fix, they share the code or documentation with the component maintainer, preferably in a machine-readable format.

Should you request an SBOM from your suppliers?

The CRA obliges every manufacturer to create an SBOM for its own product. There is no explicit requirement that says “request an SBOM from your supplier.” However, it is a well-founded recommended practice to do exactly that. The reasoning is straightforward: recital 34 requires knowing and verifying the properties of integrated components, and the Commission draft explicitly names the documentation of the component manufacturer as suitable evidence. A supplier’s SBOM is exactly such documentation. It makes visible which constituents are in the purchased component and makes it easier for you to check vulnerability databases.

The VDMA document series on supply-chain security goes in the same direction: supplier self-declarations, clear minimum requirements in the specification and contractual assurance of these points are recommended. If a supplier provides conformity assessments for its component, the machine builder can assume documented conformity for that component. This does not relieve them of the due diligence check for the overall product, but it reduces the effort for the single component.

Machine building example: the machine is the product, not the controller

Take a machine builder who integrates a purchased controller into their plant. In terms of the CRA, the machine is a product with digital elements that in turn consists of subproducts that are also affected by the CRA. Whoever places the overall product on the market under their own name or own brand is considered the manufacturer and bears the full manufacturer obligations for the machine. The CRA requires the manufacturer to ensure that vulnerabilities are treated during the support period for the product including its components.

For the operator this means: the machine builder is responsible for vulnerabilities and updates of the entire machine, regardless of which controller is installed. The operator should not need to see the internals. For them it is the machine of a single manufacturer, and that manufacturer is their contact.

The hardware analogy illustrates this clearly: a manufacturer like Siemens or ABB does not swap a defective controller directly in the delivered machine either. The machine builder does that within their responsibility for the machine. The exact same logic applies to software updates and vulnerability handling. The component manufacturer supplies the updates for their component to you. What reaches the operator is your responsibility as the machine manufacturer.

For machines, the Machinery Regulation (MVR, Regulation (EU) 2023/1230) also comes into play. It requires, among other things, that a machine is protected against tampering and that the software installed for safe operation remains identifiable. Machines can thus fall under both the CRA and the MVR. How the two legal acts interlock is treated separately under CRA and Machinery Regulation.

What you should do now as a machine builder

Supplier management is central. The following steps are an action-oriented practical recommendation derived from the obligations mentioned:

  • Clarify your own role under the CRA. Whoever integrates and places on the market under their own name or brand is generally a manufacturer within the meaning of the CRA.
  • Request conformity evidence (including CE, insofar as the CRA applies) and the SBOM of the components from your suppliers. Secure these requirements contractually.
  • Build your own SBOM of your machine, which at least maps the top-level dependencies.
  • Establish a process for vulnerability handling and providing updates, including a reporting channel to the component maintainers.
  • Prepare the reporting paths for actively exploited vulnerabilities so that you can meet the statutory deadlines.

Anyone who sets these five points up properly will have covered the bulk of the CRA supply-chain requirements and can demonstrate to operators and market surveillance authorities that responsibility for the entire machine lies with one entity: you.
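As an added example (not code from the article or from Secuvise), the following Python sketch shows the mechanics behind steps 2 and 3 above and the supplier-SBOM reasoning earlier on: the machine builder composes their own SBOM from a purchased controller's SBOM, keeps the top-level dependencies visible as the legal minimum, and checks every constituent against a vulnerability lookup so that a finding can be traced back to the component maintainer who must be notified. The controller, its constituents and the advisory entries are constructed placeholders in a CycloneDX-like shape.

```python
import json

# Constructed supplier SBOM for a purchased controller. The shape follows
# CycloneDX conventions (metadata.component, components, purl); the content
# is invented for this example.
SUPPLIER_SBOM = {
    "metadata": {"component": {"name": "example-controller", "version": "2.1.0",
                               "purl": "pkg:generic/example-controller@2.1.0"}},
    "components": [
        {"name": "rtos-kernel", "version": "4.2.1", "purl": "pkg:generic/rtos-kernel@4.2.1"},
        {"name": "tls-lib", "version": "1.0.3", "purl": "pkg:generic/tls-lib@1.0.3"},
    ],
}

# Constructed lookup table standing in for a real vulnerability database query.
VULN_DB = {"pkg:generic/tls-lib@1.0.3": ["ADVISORY-PLACEHOLDER-1"]}


def build_machine_sbom(name, version, own_components, supplier_sboms):
    """Compose the machine builder's SBOM: each purchased component becomes a
    top-level dependency, with the supplier's constituents nested under it."""
    top_level = list(own_components)
    for sbom in supplier_sboms:
        comp = dict(sbom["metadata"]["component"])
        comp["components"] = [dict(c) for c in sbom.get("components", [])]
        top_level.append(comp)
    return {"metadata": {"component": {"name": name, "version": version}},
            "components": top_level}


def top_level_purls(sbom):
    """The legal minimum the CRA names: the machine's top-level dependencies."""
    return [c["purl"] for c in sbom["components"]]


def affected_components(sbom, vuln_db):
    """Walk the full tree and report each vulnerable purl together with the
    top-level component it was delivered in, i.e. whose maintainer to notify."""
    findings = []
    for top in sbom["components"]:
        stack = [(top, top["purl"])]
        while stack:
            comp, origin = stack.pop()
            if comp["purl"] in vuln_db:
                findings.append({"purl": comp["purl"],
                                 "advisories": vuln_db[comp["purl"]],
                                 "delivered_in": origin})
            stack.extend((child, origin) for child in comp.get("components", []))
    return findings


if __name__ == "__main__":
    own = [{"name": "hmi-app", "version": "3.0", "purl": "pkg:generic/hmi-app@3.0"}]
    machine = build_machine_sbom("packaging-line", "1.0", own, [SUPPLIER_SBOM])
    print(json.dumps(machine, indent=2))
    print(affected_components(machine, VULN_DB))
```

The `delivered_in` field is what turns a database hit into the report to the component maintainer that the CRA expects, while the operator still only sees the machine builder as their contact.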

Targeted CRA implementation in machine building

Secuvise supports machine builders from role clarification through SBOM creation to CE conformity. Contact us with specifics about your products.