Tags: Industrial Machinery, Industrial Components, IoT, Embedded Systems, CRA Compliance, Cyber Resilience Act, Supply Chain, OEM

CRA Friday Facts: Why Your Supplier Can't Shield You From Liability

The CRA knows no liability delegation. Whoever places the product on the market is liable, even if suppliers develop and manufacture it.

May 15, 2026
5 min read
Maximilian Heck

"Our supplier handles CRA compliance. It's contractually regulated." I hear this sentence mainly from companies that don't develop their own products but have them manufactured. My counter-question: What exactly is contractually regulated?

That's usually when it gets quiet.

[Image: contract documents and a laptop on a workbench in front of an open control cabinet, factory floor visible in the background]

Who is a manufacturer under the CRA?

The EU Cyber Resilience Act defines "manufacturer" in Article 3 unambiguously: Anyone who places a product with digital elements on the market under their own name or brand is the manufacturer, even if the product was developed or manufactured by a third party.

This is not a matter of interpretation. It is the central anchor of the entire regulation. Whoever puts the label on takes on the obligations. Risk assessment, SBOM, vulnerability management, reporting obligations, technical documentation, everything sits with the entity placing the product on the market.

The CRA knows no liability delegation to suppliers. This rule is not negotiable and not contractually escapable.

Why contractual delegation isn't enough

Contracts between manufacturer and supplier are an internal relationship. They govern who pays or operates in a damage scenario. But they don't change the public-law obligation toward market surveillance and ENISA.

Concretely:

  • If an actively exploited vulnerability isn't reported within 24 hours, ENISA doesn't ask your supplier. It asks you.
  • If the conformity assessment is incomplete, it's your compliance problem.
  • If a product with insecure components is placed on the market, you're the addressee of supervisory measures, including recalls.

You can pursue recourse against the supplier. But you can't give the obligation away.

What's missing in most supplier contracts

When I review supplier contracts in detail, almost always the same things are missing:

  • No SBOM delivery obligation, let alone an obligation to update it when components change.
  • No vulnerability response times: the supplier can take two weeks, while you have a 24-hour reporting duty.
  • No update obligations across the product lifecycle: what happens if a patch is needed five years from now?
  • No access to design data or technical documentation: once the contract ends, you sit on a product you can't maintain.
  • No audit rights: you can't verify whether your supplier is delivering on their promises.

The CRA simply hasn't reached the supply chain yet. Anyone waiting for the supplier to act independently waits, in case of doubt, until the first ENISA inquiry.

Myth vs. fact

Myth: The supplier handles compliance.

Fact: Liability stays with whoever places the product on the market. Contracts govern the internal relationship, not the public-law obligation toward ENISA and market surveillance.

What you should contractually anchor now

Don't wait for the supplier. Review your supplier contracts now and anchor concretely:

1. SBOM delivery obligation. Format, update frequency, and delivery point. No SBOM, no audit, no conformity assessment, no vulnerability management.

2. Vulnerability response times. Matching the 24-hour reporting obligation. If your supplier needs 72 hours for an initial response, you're already two days into a compliance violation.

3. Update obligations across the product lifecycle. The CRA requires security updates for at least five years or the expected useful life. Your supplier must support this horizon.

4. Access to design data and technical documentation. This must hold even at contract end or supplier insolvency; otherwise your product becomes unmaintainable after the next supplier switch.

5. Audit rights and proof obligations. Trust is good; a documented process is compliance.

Frequently asked questions

Can I delegate CRA compliance to my supplier? No. The CRA knows no liability delegation. Whoever places a product with digital elements on the market under their own name or brand is the manufacturer under the regulation.

Who is liable if the supplier makes a mistake? The manufacturer under the CRA, meaning the entity placing the product on the market. Contractual arrangements between manufacturer and supplier govern the internal relationship but do not change the public-law obligation.

What must be contractually agreed with suppliers? At minimum: SBOM delivery obligation including updates, access to technical documentation and design data, response times for vulnerabilities, update obligations across the product lifecycle, and audit rights.

Who reports an actively exploited vulnerability to ENISA? The manufacturer under the CRA, not the supplier. The ENISA notification is submitted under the name of the entity placing the product on the market, who must file an initial report within 24 hours.

Conclusion

The CRA turns the entity placing a product on the market into the manufacturer, and the manufacturer is liable. Contracts can govern the internal relationship with suppliers, but they cannot negotiate away your public-law obligations.

Those who start today aligning supplier contracts on SBOM, response times, update obligations, and data access will have a functioning compliance stack in 2027. Those who wait for suppliers to wake up risk fines and recalls.

A structured CRA roadmap helps close gaps in the supply chain systematically, before market surveillance does it for you.


Every Friday I debunk a CRA myth here.
