Third-Party Components, First-Party Liability: How CRA Reshapes OEM-Vendor Relationships

Modern IoT hardware is rarely built by a single company. Cellular modules, radio modems, and connectivity stacks are typically developed by specialized vendors and integrated by OEMs into a finished product. CRA was written with this industry structure in mind. It does not require OEMs to take over a supplier’s internal security operations. But it does treat every integrated component as part of a single product — and that product has only one ultimately accountable manufacturer. For most IoT OEMs, that is where the real tension begins.

Product Line

IoT Security

Published

2026-04-28

Read Time

min read

Key Takeaways

Both the OEM and the module vendor may qualify as manufacturers under CRA, but accountability for the final product does not transfer.
CRA creates three non-negotiable responsibilities for OEMs: SBOM, vulnerability handling, and a minimum five-year security support commitment.
An OEM’s ability to comply often depends on whether suppliers can provide SBOM visibility, vulnerability coordination, and long-term support.
Support-window mismatch between OEM products and module vendor roadmaps is one of the hardest operational problems under CRA.
The earlier OEMs build supply-chain visibility, module replaceability, and supplier governance into their products, the lower the long-term operational cost becomes.

What CRA actually requires from OEMs

For IoT OEMs, CRA supply-chain responsibility ultimately centers around six areas. Five are defined relatively clearly in the regulation itself. One — supplier due diligence — remains intentionally broad and will likely become more defined through future implementation guidance and supervisory practice. That distinction matters. Because:

explicitly defined requirements are already enforceable obligations today
less-defined areas are where OEMs should prepare for the strictest reasonable interpretation

The six core CRA requirements

CRA REQUIREMENT	WHAT IT MEANS OPERATIONALLY
Due diligence over third-party components	OEMs must demonstrate they evaluated the security of integrated components rather than simply trusting vendor claims
Product-level SBOM	OEMs must maintain a machine-readable SBOM for the finished product; listing only the module name is often insufficient
Vulnerability reporting and remediation	Vulnerabilities discovered in integrated components must be reported upstream and addressed in the product
CRA Article 14 reporting obligations	Once the OEM becomes aware — or reasonably should have become aware — the reporting clock begins
Continuous vulnerability handling and secure update capability	Vulnerability discovery, intake, processing, and remediation must operate continuously throughout the support period
Minimum five-year security support obligation	For most IoT products, CRA effectively creates a five-year support requirement regardless of vendor lifecycle alignment

CRA text defines the legal floor. On top of that, ENISA guidance, European Commission recommendations, and EN 18031 standards are gradually shaping supervisory expectations around:

SBOM depth
coordinated vulnerability disclosure
supplier risk evaluation
lifecycle governance

The OEM reality under CRA

When an OEM integrates a third-party connectivity module into a product, CRA sees:

one product, one ultimately accountable manufacturer.

If the module vendor also sells directly into the EU market, the vendor may itself qualify as a CRA manufacturer. But responsibility for the finished product still remains with the OEM.

OEM	MODULE VENDOR
Responsible for the finished product	Responsible for the module itself
Must maintain a product-level SBOM	Maintains the internal module SBOM
Owns product-level vulnerability reporting and remediation	Owns module-level vulnerability remediation
Controls updates deployed to field devices	Can only deliver patches to the OEM
Must continuously evaluate supplier risk	Must manage its own supply chain

This creates a difficult operational reality: OEM compliance often depends heavily on supplier cooperation.

But CRA does not reduce OEM accountability because of that dependency.

Why supplier contracts become critical

OEMs cannot:

generate the module’s internal SBOM themselves
independently patch module firmware
control supplier disclosure timelines

As a result, the supplier contract becomes:

the operational bridge between CRA responsibility and what the OEM can actually execute.

Supplier agreements increasingly need to define:

SBOM delivery format and depth
vulnerability notification SLA
disclosure timelines
secure update responsibilities
support lifecycle commitments
coordinated disclosure procedures

These expectations cannot remain implicit. They need to be contractually defined.

The hardest problem: support-window mismatch

CRA Article 13(8) introduces a minimum five-year support obligation. But module vendor roadmaps are usually independent from OEM product lifecycles. That means the module vendor may stop supporting the component while the OEM product still remains within its CRA support period. This is one of the hardest operational problems CRA creates.

What happens when supplier support ends first

At that point, OEMs usually face three expensive options.

1. Reduce product support commitments

Potentially defensible legally, but increasingly risky from a regulatory perspective over time.

2. Maintain module firmware internally

Usually impractical. OEMs often lack source access and cannot realistically assume long-term ownership of the module attack surface.

3. Replace hardware in the field

Architecturally cleanest. Operationally most expensive. Because it may require:

recertification
field logistics
hardware replacement programs
customer coordination at scale

Why OEMs are increasingly designing for module replaceability

To reduce long-term CRA exposure, many OEMs are now building:

replaceable module interfaces
hardware abstraction layers
modular certification boundaries
upgradeable hardware architectures

into products from day one. Because:

designing for replaceability early is dramatically cheaper than retrofitting around lifecycle constraints later.

Three red lines CRA draws for OEMs

Regardless of supplier agreements, there are three responsibilities OEMs cannot transfer.

1. OEMs cannot claim ignorance

Under CRA Article 14, “becoming aware” includes what the OEM reasonably should have known. If a CVE affecting software inside a module is already publicly listed in NVD, regulators may not accept:

“the vendor had not informed us yet”

as a valid justification for delayed action.

2. OEMs cannot contract away regulatory responsibility

A supplier agreement assigning “CRA compliance” to the module vendor may transfer commercial liability. It does not transfer regulatory accountability. Regulators will still hold the OEM accountable for the finished product.

3. OEMs cannot wait for the vendor patch before acting

The OEM’s Article 14 reporting clock follows the OEM’s own timeline. If the vendor requires six weeks to ship a fix, and the OEM waits six weeks before reporting, the compliance problem started on day one — not week six.

What OEMs should prioritize now

The practical question is no longer:

“What should eventually be implemented?”

The question is:

“What capabilities must be built before 2026?”

Layer one: capabilities CRA already makes mandatory

Three areas already form the minimum operational baseline.

1. Product-level SBOM

Preferably in:

SPDX
CycloneDX

Minimum “top-level dependency” visibility will likely become insufficient quickly.

2. Vulnerability handling and CVD capability

At minimum:

a public vulnerability reporting channel
an internal handling workflow
a secure update mechanism maintained throughout the support lifecycle

All three are necessary.

3. Five-year support capability

The hard part is not promising five years. The hard part is whether suppliers can actually support five years operationally.

Layer two: where guidance and industry practice are heading

These areas are not yet explicitly mandated by CRA, but they are becoming clear supervisory expectations.

1. Device-level field visibility

OEMs increasingly need to answer:

“Which deployed devices run which module firmware versions, and which known CVEs affect them?”

Without that visibility, Article 14 timelines may begin before impact scope can even be determined.

2. Independent vulnerability monitoring

OEMs cannot depend entirely on supplier notifications. Minimum monitoring typically includes:

NVD
vendor advisories
CERT alerts

3. Supplier risk evaluation

Before integration, OEMs increasingly need documented assessment of:

CRA readiness
patch cadence
SBOM capability
lifecycle support posture

4. Coordinated disclosure procedures

OEMs and suppliers should define the following before incidents occur:

disclosure timing
embargo handling
coordinated release processes

If time is limited, what comes first?

For most OEMs:

First priority: SBOM and CVD policy
Second priority: device-level visibility and independent vulnerability monitoring
Third priority: supplier agreements and SLAs

Because the infrastructure-heavy capabilities usually require the longest lead time.

One question determines whether the program is actually ready

Can the organization answer the following question within 48 hours?

“Which module firmware version is running on this deployed device, and which known vulnerabilities affect it?”

If not, the operational compliance system is probably still incomplete.

CRA does not change how IoT products are built

CRA does not fundamentally change how IoT products are engineered. What it changes is:

who becomes accountable for the security outcome of the final product.

The OEMs that establish real supply-chain visibility before September 2026 will likely become the organizations regulators, customers, and procurement teams trust first.

Bob Jiang

Co-Founder & President

Co-founded Snowball Technology to give IoT OEMs something the industry has been missing: a single platform to govern the digital assets a connected device depends on — keys, certificates, firmware, secure configs, SBOMs — across its entire lifecycle.