TPD: Do you have solid knowledge of the dependencies you rely on and manage third-party dependency risk through a formal process?
  • You maintain a current Bill of Materials (BOM) for every product
  • You keep a list of approved dependencies that meet predefined security and usage criteria
  • You automatically evaluate dependencies for newly disclosed vulnerabilities (e.g., CVEs) and alert responsible staff
  • A documented process exists for reporting vulnerabilities discovered in integrated components to the relevant upstream maintainer
  • Where one or more dependencies cannot be secured to the required level, compensating controls are implemented and documented in the risk assessment
Description

The Cyber Resilience Act (Article 13(5)) requires manufacturers to exercise due diligence when integrating components from third parties, and to identify and document all components and their dependencies, including by drawing up a software bill of materials (SBOM). Third-party components inherit the trust placed in the product they are embedded in; a vulnerability in a single library or remote service can undermine the security posture of the entire product and expose users to risks for which the manufacturer is ultimately accountable.

Maintain a current Bill of Materials for every product, covering all third-party components, libraries, and remote data processing solutions integrated into the product. Establish and enforce a list of approved dependencies that meet predefined security and usage criteria, and automatically evaluate dependencies against newly disclosed vulnerabilities (e.g., CVEs), alerting responsible staff when a dependency falls below the required security threshold.

Implement a documented process for approving dependencies before they are introduced into the product, ideally maintaining a "known-good" list and disallowing the addition of any dependency that has not been formally approved. Complement this with a process for replacing or mitigating dependencies that no longer meet your security criteria, whether due to newly disclosed vulnerabilities, lack of maintainer support, or changed licensing conditions. All dependencies should be scanned continuously for new vulnerabilities, not just at integration time. Ensure the SBOM is kept up to date as dependencies evolve and is available as part of the product's technical documentation (Annex VII). Dependency management should be treated as a continuous activity throughout the product's support period, not a one-time exercise at release.
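As an added example (not part of this SAMMY page or the CRA text), the following Python script performs the evaluation the two paragraphs above describe: it reads a CycloneDX-style SBOM, rejects components that are not on the approved list or fall below its version floor, and flags components affected by entries in a vulnerability feed. The SBOM, the approved list, the feed format and the placeholder vulnerability ids are all constructed assumptions; a real pipeline would read the product's SBOM file and query a vulnerability database.

```python
# Added example: check an SBOM against an approved-dependency list and a
# vulnerability feed, returning the findings responsible staff should be alerted to.
# All data below is constructed; the ids are placeholders, not real CVEs.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed SBOM fragment in CycloneDX shape (only the fields used here).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "jsonkit", "version": "4.0.1", "purl": "pkg:generic/jsonkit@4.0.1"},
        {"name": "leftpad", "version": "0.9.0", "purl": "pkg:generic/leftpad@0.9.0"},
    ],
}

# Constructed "known-good" list: component name -> minimum approved version.
APPROVED = {"libfoo": "1.2.0", "jsonkit": "4.0.0"}

# Constructed vulnerability feed: a component is affected below the fixed version.
VULN_FEED = [
    {"id": "CVE-PLACEHOLDER-0001", "name": "libfoo", "fixed_in": "1.2.4"},
    {"id": "CVE-PLACEHOLDER-0002", "name": "jsonkit", "fixed_in": "3.9.9"},
]

@dataclass(frozen=True)
class Finding:
    purl: str
    kind: str    # "unapproved" or "vulnerable"
    detail: str

def evaluate(sbom: dict, approved: dict, feed: list) -> list:
    """Return one Finding per policy violation, in SBOM component order."""
    findings = []
    for c in sbom["components"]:
        name, ver = c["name"], parse_version(c["version"])
        # Approved-list check: unknown names or versions below the floor are rejected.
        if name not in approved:
            findings.append(Finding(c["purl"], "unapproved", "not on approved list"))
        elif ver < parse_version(approved[name]):
            findings.append(Finding(c["purl"], "unapproved", f"below approved minimum {approved[name]}"))
        # Vulnerability check: affected if the shipped version predates the fix.
        for v in feed:
            if v["name"] == name and ver < parse_version(v["fixed_in"]):
                findings.append(Finding(c["purl"], "vulnerable", f"{v['id']} fixed in {v['fixed_in']}"))
    return findings

if __name__ == "__main__":
    for f in evaluate(SBOM, APPROVED, VULN_FEED):
        print(f"ALERT {f.kind:<10} {f.purl}: {f.detail}")
```

Run in CI on every SBOM regeneration and on every feed update, so the check covers the whole support period rather than only the moment of integration.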