The CRA makes it clear: if you’re building products with digital elements, you’re also responsible for the components you integrate, even open-source ones.
Here’s what manufacturers are on the hook for:
- Risk assess components (including FOSS) and ensure they don’t compromise the product’s security.
- Report vulnerabilities in those components to whoever maintains them.
- Share fixes upstream if you patch a third-party component.
- Maintain an SBOM (Software Bill of Materials) to track what’s inside your product.
- Document everything in the technical file.
Gone are the days of “not my code, not my problem.” Whether you bundle a library, flash a chipset, or ship a container image — the CRA says: you own the risk.
So how are folks here dealing with this? Have you started generating SBOMs? What’s your plan for vetting or monitoring dependencies?
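As an added example (not part of the original post, and not from any CRA text or tooling the post mentions): a small Python script that turns a constructed requirements.txt-style dependency list into a minimal CycloneDX 1.5 JSON SBOM and flags components that are not exactly pinned. The point of the pin check is practical: an SBOM entry without an exact version cannot be matched reliably against vulnerability advisories, so "maintain an SBOM" only helps with monitoring when versions are precise. The `pkg:pypi` package-URL scheme and the CycloneDX field names are real, but the product name, sample dependencies and the choice of Python packaging are assumptions made for the example; in production you would use a dedicated SBOM generator rather than a hand-rolled parser.

```python
"""Build a minimal CycloneDX-style SBOM from a dependency list and report
components whose version is not exactly pinned.

Added example for illustration only; the input below is constructed sample
data, not a real project's dependencies.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input in requirements.txt style (not real project data).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
cryptography>=41.0
# comment lines and blank lines are ignored

urllib3==2.2.1
pyyaml
"""

# name, optional version operator, optional version specifier
LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=)?\s*([^\s;#]+)?"
)


def parse_requirements(text):
    """Return a list of (name, operator, version) tuples; comments and blanks skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        deps.append((name, op, version))
    return deps


def unpinned(deps):
    """Names that lack an exact '==' pin.

    Such entries cannot be mapped to one concrete artifact, so advisory
    matching and upstream vulnerability reporting become guesswork.
    """
    return [name for name, op, _ in deps if op != "=="]


def build_sbom(deps, product_name, product_version):
    """Produce a minimal CycloneDX 1.5 document (as a dict) for the product."""
    components = []
    for name, op, version in deps:
        comp = {"type": "library", "name": name}
        if op == "==":
            # Exact pin: record the version and a fully qualified package URL.
            comp["version"] = version
            comp["purl"] = f"pkg:pypi/{name}@{version}"
        else:
            # No exact pin: record the package without a version (assumed convention).
            comp["purl"] = f"pkg:pypi/{name}"
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "name": product_name,  # hypothetical product name
                "version": product_version,
            },
        },
        "components": components,
    }


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_sbom(deps, "example-product", "1.0.0"), indent=2))
    print("not exactly pinned:", unpinned(deps))
```

Running it prints the SBOM document followed by `['cryptography', 'pyyaml']`, the two entries that would need pinning before the SBOM can be monitored against advisories with confidence.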