Under the Cyber Resilience Act, due diligence refers to the obligation of manufacturers to ensure that any third-party components integrated into their products, including Free and Open Source Software, adhere to the essential cybersecurity requirements of Annex I. Manufacturers remain responsible for the security of the final product as a whole, and failure to comply may result in administrative fines.
The appropriate level of due diligence depends on the nature and cybersecurity risk of the component. As outlined in Recital 34, due diligence typically involves one or more of the following actions:
- Verifying conformity: Checking if the component already bears the CE marking or has demonstrated conformity with the CRA, for example through a security attestation.
- Checking maintenance: Verifying that the component receives regular security updates (e.g., checking its update history).
- Vulnerability scanning: Ensuring the component is free from known vulnerabilities listed in public databases (e.g., the ENISA database).
- Security testing: Carrying out additional security tests relative to the risk.
If a vulnerability is identified during this process, the manufacturer must remediate it and share the applied fix with the upstream maintainer (i.e., open a merge/pull request upstream).
Disclaimer
The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.