Industrial Components & Tier 1 Suppliers
As a component manufacturer, you stand at the center of the CRA supply chain. Your drives, sensors, and controllers are integrated into the end products of numerous OEMs. The Cyber Resilience Act requires every component with digital elements to meet security requirements, and your OEM customers increasingly demand proof.
CRA Relevance for Industrial Components
Components with digital elements are independently subject to CRA requirements. Additionally, OEM customers expect complete documentation to demonstrate their own overall product compliance.
- Drives, sensors, and controllers with embedded software are independent products with digital elements and directly subject to the CRA
- OEM customers increasingly demand SBOMs and vulnerability information from their component suppliers
- Shared responsibility between component manufacturer and OEM must be clearly documented and contractually defined
- Component updates must be backward-compatible and must not break the component's integration into the OEM's product
- Component CRA documentation must enable the OEM to integrate it into their overall product documentation
Compliance Challenges for Component Manufacturers
Shared Responsibility with OEMs
The boundary between component responsibility and OEM responsibility is fluid. Component manufacturers must clearly define which security aspects they cover and which the OEM integrator is responsible for.
Diverse OEM Requirements
Different OEM customers have varying requirements for SBOM formats, documentation, and update processes. Serving many customers with individual requirements does not scale without automation.
Component SBOM Provision
Each component needs its own SBOM that serves as a building block for the OEM's overall SBOM. Creating and maintaining these SBOMs across all component variants and firmware versions is resource-intensive.
Backward-Compatible Security Updates
Component updates must not break the integration on the OEM side. Interfaces, protocols, and behavior must remain stable while security vulnerabilities are patched.
How Kunnus Supports Component Manufacturers
OEM Portal for Compliance Data
Provide your OEM customers with SBOMs, vulnerability information, and compliance documentation through a dedicated portal. Kunnus automates delivery with every component update.
Standardized SBOM Generation
Kunnus generates SBOMs in all common formats (CycloneDX, SPDX) and ensures your component data can be seamlessly integrated into your OEM customers' overall SBOMs.
Shared Responsibility Documentation
Define and document the responsibility boundaries between your component and the OEM end product. Kunnus creates clear responsibility matrices for CRA compliance.
Proactive Vulnerability Notification
When new CVEs affect your components, Kunnus automatically notifies affected OEM customers and provides remediation information before they even ask.
Check Your Components' CRA Readiness
Determine how well your industrial components are prepared for CRA requirements and how you can best serve your OEM customers.