What the CRA Draft Guidance Clarifies About Responsibility Across the Supply Chain
In March 2026, the European Commission published a draft guidance document to help companies interpret and apply the Cyber Resilience Act (CRA) in practice. The CRA itself establishes the legal requirements; the Draft Guidance explains how those requirements are expected to be understood and enforced. For many IoT OEMs, the most important topic it addresses is the definition of the manufacturer and how responsibility is allocated across supply chains that involve OEMs, ODMs, EMS providers, software suppliers, and service partners. This matters because the legally accountable party is frequently not the organization that designed or built the product.
One of the most common questions raised by the CRA is straightforward: who is actually responsible for compliance? For many connected products, development, manufacturing, and operations are distributed across multiple organizations. Hardware may be designed by an ODM, produced by an EMS partner, built on third-party software components, and supported by external cloud services. When a vulnerability or a compliance issue surfaces, it is natural to ask whether responsibility belongs to the supplier that built the affected component. The CRA gives a clear answer.
Under the CRA, the manufacturer is the entity that markets the product in the EU under its own name or trademark, regardless of who designed or built it. In most cases, this means the OEM or brand owner. Importers and distributors carry their own, narrower obligations, but the manufacturer's obligations do not transfer to them or to any contractor. Manufacturers are expected to ensure that:
Even when development, manufacturing, or operations are outsourced, these obligations typically remain with the manufacturer.
While the CRA identifies the manufacturer as the accountable party, compliance is rarely achieved by the manufacturer alone. A typical connected product may involve:
Each participant contributes to the overall security posture of the final product. As a result, CRA compliance depends on information, processes, and operational coordination across the entire supply chain. The manufacturer may remain accountable, but compliance cannot be achieved without supplier participation.
Many discussions around CRA focus on technical requirements such as:
These requirements are important, but implementing them is only part of the challenge. Manufacturers must also answer questions such as:
These questions require information and actions from multiple organizations across the product lifecycle, and no single team has all the answers. For many IoT OEMs, the hardest part is therefore not implementing individual security controls. It is ensuring that suppliers, manufacturers, and service providers can all contribute to a shared compliance process, with the evidence each one holds reaching the manufacturer who must ultimately answer for it.
The CRA represents a broader shift in how product security is evaluated. Historically, security was often measured by the presence of specific features.
Today, regulators increasingly expect manufacturers to demonstrate how security is managed throughout the product lifecycle. This includes:
Compliance is no longer just about securing products. It is about governing security across an ecosystem.
The CRA Draft Guidance reinforces an important principle: Responsibility can be distributed operationally, but accountability remains with the manufacturer.
At the same time, successful compliance depends on cooperation across OEMs, ODMs, EMS providers, software suppliers, and service partners. For many organizations, the challenge is not determining who is responsible. It is building the visibility, coordination, and governance required to manage security across the entire product lifecycle.