2025-10-10 - 21:08
FAQ

Who is responsible for CRA compliance of third-party or Open Source components that are incorporated into a product?

Answer:

Article 13 (5) CRA stipulates that third-party components that are incorporated into the product by the manufacturer or sold as components are also covered by the CRA, even if they are Open Source software. The term “component” is not defined by the CRA, but it can be assumed that it refers to both software (including Open Source software) and hardware (cf. use of the term in Recitals 10, 18 and 61 and Art. 13 (25) CRA). This is to prevent the security of a product from being compromised due to the usual modular approach to software and hardware development.

Please note that the European Commission has the power to create optional security certification programs designed specifically for Open Source software components. This addresses a key challenge of the manufacturer’s due diligence process: when integrating Open Source software components into their digital products, manufacturers will have a means of verifying security, even though these components may not be subject to mandatory cybersecurity regulations (cf. Recital 21).

In general, however, a due diligence obligation applies to manufacturers for every integration of third-party components:

“When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in this Regulation, exercise due diligence with regard to those components, including free and open-source software components that have not been made available on the market.” (cf. Recital 34)

Most recent content update of this FAQ: September 2025
