May 2026. The EU Cyber Resilience Act (CRA) shifts debate from security promises in RFPs to demonstrable product requirements. Dutch buyers, SaaS vendors and integrators see this in tenders and due diligence.
Who is CRA relevant for?
- Manufacturers of connectable products (including embedded software).
- Vendors organising updates, patches and vulnerability disclosure.
- Customers explaining which products are in scope and how updates roll out.
What large customers ask now
SBOMs, patch policy, vulnerability handling, end-of-support dates and security-by-design evidence. That overlaps with vendor management under ISO 27001 — but CRA is product-centric.
Three practical actions
- Inventory connectable products in your service delivery.
- Tie contracts to patch SLAs and disclosure duties for serious vulnerabilities.
- Document exceptions — auditors and customers reject unknown.
Compare approaches: ISO, NIS2 and tooling with clear criteria.
CRA strengthens the 2026 expectation that patch cycles and vulnerability processes are traceable in change and release management. Tie SBOM updates to your risk register and record which product versions run in production for critical customers.
Buyers increasingly ask for concrete patch SLAs: maximum days to fix critical CVEs, customer communication and exit at end-of-support. Put those in contract templates and monitor via tickets and management review — not annual questionnaires alone.
For customers: maintain a product register of connectable components, owner, patch status and last security review. Link it to ISMS scope so auditors see product security as part of risk management.
Product security in procurement and development
CRA affects both manufacturers and buyers of connectable products. Procurement must know which firmware, IoT components or embedded software sits in delivered services — not only which SaaS you license.
Development teams increasingly face SBOM and patch demands in RFPs. Record vulnerability disclosure and update channels in release processes, not only on marketing security pages.
For buyers: require patch SLAs and end-of-support dates in contracts and monitor via tickets. Annual questionnaires without follow-up do not convince CRA-aware customers.
Link product register to risk assessment: which connectable components have highest impact if compromised? That helps prioritise without treating every product the same.
Communicate patch and end-of-support dates proactively to customers — silence until a CVE explodes erodes trust faster than a missed SLA. Link CRA expectations to your existing vulnerability management process.
Product register and chain communication
CRA requires visibility on connectable products across the lifecycle — from design to end-of-support. Maintain a product register with version, patch status, known vulnerabilities and customer communication. That register feeds both CRA compliance and ISO 27001 vendor and change processes.
Communicate proactively when support ends or when a critical patch is available. Silence until a CVE explodes erodes trust faster than a missed SLA. Link notifications to your vulnerability management workflow and log who informed which customer when.
In due diligence buyers increasingly ask for SBOM and patch history for the last twelve months. Prepare an export template so sales and security do not build ad hoc PDFs.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
