The Cyber Resilience Act (CRA) is EU legislation covering almost all products with software: from embedded systems and IoT devices to server software, PC software and mobile applications for phones and tablets.
The CRA will likely come into force for all products sold in the EU, regardless of where the manufacturer, importer or distributor is located. If you sell to customers in the EU, you will be affected by the CRA.
The CRA will shift responsibility for cybersecurity onto the vendor, who becomes responsible for security throughout the product's lifetime. The CRA mandates free security updates, public disclosure of vulnerabilities, and reporting to the authorities if a vulnerability is exploited.
The SBOM is part of the CRA. In short:
- Vendors are expected to have an SBOM for their product, at least covering the top-level dependencies
- Vendors are not obligated to share SBOMs with customers
- The format of the SBOM is not yet specified
References:
- The EU Cyber Resilience Act