May 2026. The EU Cyber Resilience Act (CRA) moves the conversation from “security as an RFP promise” to demonstrable product duties. Dutch buyers, SaaS vendors and integrators see it in tenders and due diligence.
Who is in scope?
- Manufacturers of connectable products (including embedded software).
- Vendors responsible for updates, patches and vulnerability disclosure.
- Customers who must explain which products are in scope and how updates roll out.
What large customers ask now
Large customers now ask for SBOMs, patch policy, vulnerability handling, end-of-support dates and evidence of security-by-design in development. That overlaps with vendor management under ISO 27001, but the CRA is product-centric.
Three practical actions
- Inventory connectable products in your service.
- Tie contracts to patch SLAs and notification of serious vulnerabilities.
- Document exceptions — “unknown” fails audits and procurement.
