Supply Chain Security Under the CRA
The CRA doesn’t just regulate your products – it regulates your supply chain. Article 13(6) requires manufacturers to exercise due diligence when integrating components from third parties.
What the CRA Says About Your Supply Chain
Article 13(6) explicitly requires manufacturers to exercise due diligence when integrating components sourced from third parties. This is a legal obligation tied to your CE marking.
Manufacturer Due Diligence (Article 13(6))
Know what third-party components are in your products. Assess whether they meet CRA essential requirements. Collect and verify supplier SBOMs. Monitor vulnerabilities throughout the product lifecycle.
Importer & Distributor Obligations
Importers (Article 19) must ensure compliance before market placement. Distributors (Article 20) must verify CE marking. Any economic operator that makes substantial modifications is treated as a manufacturer and takes on the manufacturer's obligations.
Your Responsibility for Supplier Vulnerabilities
If a supplier’s component introduces a vulnerability into your product, you are responsible for remediation and ENISA reporting – within the same strict timelines that apply to vulnerabilities in your own code.
How Kunnus Manages Supply Chain Compliance
Kunnus provides tools for both upstream supplier management and downstream customer transparency.
Supplier Assessment Portal
Invite suppliers to the Vendor Portal. They upload SBOMs, respond to CRA-aligned questionnaires, and share vulnerability information. You get a centralized dashboard of supplier compliance status.
Third-Party Component Inventory
Every component from every supplier, mapped to every product. Instant identification of all affected products when a supplier vulnerability is disclosed.
Supplier Compliance Scoring
Structured evaluation: SBOM capability, vulnerability management maturity, patch response timelines, security update commitments, and contractual CRA readiness.
Customer Kundenportal
Publish your own SBOMs and security advisories through a branded portal. Enable your B2B customers to fulfill their own CRA obligations. Turn compliance into competitive advantage.
Why Supply Chain Compliance Is the Hardest Part of CRA
Visibility gap
Most manufacturers don’t have a complete inventory of third-party components. Embedded software, firmware libraries, and commercial SDKs create layers of undocumented dependencies.
Supplier maturity varies wildly
Not all suppliers are CRA-ready. Many component vendors – especially smaller ones or those outside the EU – may lack SBOM generation, vulnerability disclosure, or update commitment processes.
Scale compounds the challenge
50–200 components from 20–40 suppliers per product. Multiply by your portfolio size. Thousands of relationships to manage, each requiring SBOM collection, vulnerability tracking, and contractual assurance.
Your Supply Chain Is Part of Your Compliance
CRA compliance can’t be achieved in isolation. Kunnus gives you the tools to manage supplier relationships and demonstrate due diligence.