CRA Supplier Due Diligence: Questionnaire Template and Verification Process

A practical supplier assessment framework for CRA compliance. Includes ready-to-use questionnaire, red flags to watch for, and ongoing monitoring requirements.

By CRA Evidence Team
February 12, 2026 (updated February 25, 2026)

Your CRA compliance depends on your suppliers. If you import products, you must verify manufacturer compliance. If you manufacture, your components affect your product's security posture.

This guide provides a complete supplier due diligence framework, including a questionnaire you can send today.

Summary

  • Importers must verify manufacturer CRA compliance before placing products on EU market
  • Manufacturers should assess component suppliers' security practices
  • Due diligence is ongoing, not one-time
  • Key areas: Documentation, vulnerability handling, security practices, support commitment
  • Red flags: Missing DoC, no security contact, short support periods, no SBOM

Tip: Focus your questionnaire on three key areas: 1) SBOM availability, 2) Vulnerability response capability, 3) Security update commitment period.

Warning: Supply chain security is a shared responsibility under the CRA. If your supplier's components have known unpatched vulnerabilities, YOUR product is non-compliant.

Why Supplier Due Diligence Matters

For Importers

Article 19 makes importers responsible for verifying manufacturer compliance:

  • Manufacturer has conducted conformity assessment
  • Technical documentation is available
  • Product bears required markings and information
  • Manufacturer has vulnerability handling processes

If the manufacturer isn't compliant, you can't legally import.

For Manufacturers

Even as a manufacturer, your product includes components from suppliers:

  • Third-party software libraries
  • Hardware components
  • Firmware modules
  • Cloud services

Vulnerabilities in these components become your vulnerabilities. Your conformity assessment must consider supply chain risks.

Due Diligence Framework

Tiered Approach

Not all suppliers require the same level of scrutiny:

SUPPLIER TIER ASSESSMENT

TIER 1 (Critical):
- Components with security functions (crypto, auth, firewalls)
- Core software dependencies
- Hardware with firmware
Assessment: Full questionnaire + documentation review + ongoing monitoring

TIER 2 (Significant):
- Major functionality components
- Network-connected elements
- Data-processing components
Assessment: Standard questionnaire + documentation review

TIER 3 (Standard):
- Non-security components
- Utility libraries
- Peripheral hardware
Assessment: Basic questionnaire + spot checks

TIER 4 (Minimal):
- Commodity components
- Well-established OSS
- Non-connected hardware
Assessment: Basic verification + SBOM inclusion

Assessment Areas

Your due diligence should cover:

Regulatory compliance: DoC, CE marking, conformity assessment
Documentation: technical file availability, SBOM provision
Vulnerability management: CVD process, response times, update capability
Security practices: secure development, testing, architecture
Support commitment: support period, update delivery, EOL planning
Business stability: financial health, market presence, contingency

The Questionnaire

Use this questionnaire as a starting point. Adapt based on supplier tier and your specific needs.

Section 1: Company Information

SUPPLIER DUE DILIGENCE QUESTIONNAIRE

1.1 Company Details
    Company Name: _________________________________
    Legal Address: ________________________________
    Country of Incorporation: _____________________
    Primary Contact: _____________________________
    Security Contact: ____________________________

1.2 Business Information
    Years in Business: ___________________________
    Number of Employees: _________________________
    Annual Revenue (range): ______________________

1.3 EU Presence
    [ ] Established in EU
    [ ] Authorized Representative in EU (if non-EU)
        Name/Address: ____________________________
    [ ] No EU presence (explain arrangement): _____

1.4 Certifications (attach copies)
    [ ] ISO 9001 (Quality Management)
    [ ] ISO 27001 (Information Security)
    [ ] ISO 27701 (Privacy)
    [ ] SOC 2
    [ ] Other: _________________________________

Section 2: Product Compliance

2.1 Product Identification
    Product Name/Model: __________________________
    Version/Revision: ___________________________
    Product Category: ___________________________

2.2 CRA Classification
    What is this product's CRA classification?
    [ ] Default
    [ ] Important Class I (Annex III, Part I)
    [ ] Important Class II (Annex III, Part II)
    [ ] Critical (Annex IV)
    [ ] Not yet classified

2.3 Conformity Assessment
    What conformity assessment route was used?
    [ ] Module A (Self-Assessment)
    [ ] Module B+C (EU-Type Examination)
    [ ] Module H (Full Quality Assurance)
    [ ] Not yet completed

    If Module B, C, or H:
    Notified Body Name: __________________________
    Certificate Number: __________________________
    Certificate Date: ____________________________

2.4 EU Declaration of Conformity
    [ ] DoC available (attach copy)
    [ ] DoC not yet issued
    Date of DoC: ________________________________

2.5 CE Marking
    [ ] CE marking applied
    [ ] CE marking not yet applied
    If applied, where on product: _________________

2.6 Technical Documentation
    [ ] Technical file available upon request
    [ ] SBOM available (format: ________________)
    [ ] Risk assessment documentation available
    [ ] User/security instructions available

Section 3: Security Practices

3.1 Secure Development
    Do you follow a secure development lifecycle?
    [ ] Yes - Describe: __________________________
    [ ] No

    Do you conduct security testing?
    [ ] Static analysis (SAST)
    [ ] Dynamic analysis (DAST)
    [ ] Penetration testing
    [ ] Fuzz testing
    [ ] Other: _________________________________

    Do you have a secure coding standard?
    [ ] Yes - Which: ____________________________
    [ ] No

3.2 Component Management
    How do you track third-party components?
    [ ] SBOM maintained
    [ ] Dependency tracking tool (name: _________)
    [ ] Manual tracking
    [ ] Not systematically tracked

    How do you monitor for vulnerabilities in dependencies?
    [ ] Automated scanning (tool: _______________)
    [ ] Manual CVE monitoring
    [ ] Rely on vendor notifications
    [ ] No systematic monitoring

3.3 Security Architecture
    Describe key security features of the product:
    _____________________________________________

    What cryptographic standards are used?
    _____________________________________________

    How is authentication implemented?
    _____________________________________________

    How is data protected at rest and in transit?
    _____________________________________________

Section 4: Vulnerability Management

4.1 Vulnerability Disclosure
    Do you have a coordinated vulnerability disclosure policy?
    [ ] Yes - URL: ______________________________
    [ ] No

    Do you have a security.txt file?
    [ ] Yes - URL: ______________________________
    [ ] No

    What is the security contact method?
    [ ] Email: __________________________________
    [ ] Web form: _______________________________
    [ ] Bug bounty platform: ____________________
    [ ] Other: _________________________________

4.2 Response Commitments
    What is your acknowledgment timeline?
    [ ] Within 24 hours
    [ ] Within 72 hours
    [ ] Within 7 days
    [ ] No commitment

    What is your typical patch timeline for:
    Critical vulnerabilities: ___________________
    High vulnerabilities: _______________________
    Medium vulnerabilities: _____________________

4.3 ENISA Reporting
    Are you prepared for ENISA reporting (Sept 2026)?
    [ ] Yes, process established
    [ ] In progress
    [ ] No
    [ ] Not applicable (not manufacturer)

4.4 Historical Vulnerabilities
    How many security vulnerabilities were reported
    in this product in the past 24 months? ______

    How were they resolved?
    [ ] All patched within stated timelines
    [ ] Some delays (explain): __________________
    [ ] Some remain unpatched (explain): ________

Section 5: Update and Support

5.1 Support Period
    What is the committed support period from market
    placement?
    [ ] 5 years (CRA minimum)
    [ ] 7 years
    [ ] 10 years
    [ ] Other: _________________________________
    [ ] Not defined

    When was this product first placed on EU market?
    Date: ______________________________________

    When does the support period end?
    Date: ______________________________________

5.2 Update Mechanism
    How are security updates delivered?
    [ ] Automatic updates (OTA)
    [ ] Manual download from portal
    [ ] Physical media
    [ ] Other: _________________________________

    Are security updates separate from feature updates?
    [ ] Yes
    [ ] No - bundled together

    Can users defer or skip updates?
    [ ] Yes
    [ ] No - mandatory
    [ ] Configurable

5.3 Update Verification
    Are updates signed?
    [ ] Yes - Method: __________________________
    [ ] No

    Can users verify update authenticity?
    [ ] Yes - How: _____________________________
    [ ] No

5.4 End-of-Support Planning
    Do you have a documented EOL process?
    [ ] Yes
    [ ] No

    How will customers be notified of EOL?
    _____________________________________________

    What happens after support period ends?
    [ ] Product continues to function
    [ ] Product loses functionality
    [ ] Product requires migration

Section 6: Documentation Requirements

6.1 Available Documentation
    Mark all documentation you can provide:

    [ ] EU Declaration of Conformity
    [ ] Technical file (or relevant excerpts)
    [ ] Software Bill of Materials (SBOM)
        Format: [ ] CycloneDX [ ] SPDX [ ] Other
    [ ] Risk assessment summary
    [ ] Security architecture document
    [ ] User instructions (security-relevant)
    [ ] Vulnerability disclosure policy
    [ ] Support/maintenance terms

6.2 Documentation Delivery
    How will documentation be provided?
    [ ] On request (response time: ____________)
    [ ] Via secure portal
    [ ] Bundled with product
    [ ] Other: _________________________________

6.3 SBOM Details (if available)
    SBOM covers:
    [ ] Direct dependencies only
    [ ] Transitive dependencies included
    [ ] Hardware components (if applicable)

    SBOM update frequency:
    [ ] Per release
    [ ] On request
    [ ] Not systematically updated

Section 7: Contractual Commitments

7.1 Compliance Warranty
    Will you warrant CRA compliance in the contract?
    [ ] Yes
    [ ] No
    [ ] Negotiable

7.2 Documentation Retention
    Will you retain technical documentation for 10 years?
    [ ] Yes
    [ ] No
    [ ] Shorter period: ________________________

7.3 Notification Obligations
    Will you notify us of:
    [ ] Security vulnerabilities in the product
    [ ] Changes to conformity status
    [ ] End-of-support decisions
    [ ] Material changes to security architecture

7.4 Audit Rights
    Will you allow compliance audits?
    [ ] Yes - unrestricted
    [ ] Yes - with notice
    [ ] No

7.5 Indemnification
    Will you indemnify for CRA non-compliance?
    [ ] Yes
    [ ] No
    [ ] Negotiable

Section 8: Attestation

I attest that the information provided in this questionnaire
is accurate and complete to the best of my knowledge.

I understand that [Your Company] is relying on this information
for CRA compliance purposes and that material misrepresentations
may result in contract termination.

Completed by: _____________________________________
Title: ___________________________________________
Date: ____________________________________________
Signature: _______________________________________

Red Flags

Watch for these warning signs during due diligence:

Critical Red Flags (Stop the relationship)

No DoC available: product cannot be legally placed on the EU market
Refuses to provide documentation: compliance cannot be verified
No security contact: vulnerabilities cannot be reported
Support period < 5 years: violates the CRA requirement
No vulnerability handling process: ongoing obligations cannot be met

Serious Red Flags (Require mitigation)

No SBOM available: require SBOM provision before purchase
Slow vulnerability response: negotiate contractual timelines
No update mechanism: understand the implications for your product
Non-EU without authorized representative: verify the legal import pathway
No certifications: require additional evidence of practices

Yellow Flags (Monitor closely)

Small company/startup: financial stability checks
First CRA product: more frequent verification
Long response times: escalation procedures
Limited EU experience: support with regulatory navigation

Verification Process

Initial Verification

  1. Document Collection
     • Request DoC copy
     • Request SBOM (or confirmation of availability)
     • Request security contact information
     • Request support period commitment
  2. Document Review
     • Verify DoC is signed and complete
     • Check product identification matches
     • Verify CE marking claims
     • Review SBOM format and completeness
  3. Compliance Spot-Checks
     • Verify security.txt exists (if web-accessible)
     • Check CVD policy is published
     • Test security contact responds
     • Verify support period claims in documentation
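As an added, offline illustration of steps 2 and 3 (example code, not from this article or from CRA Evidence): a reviewer's check of a supplier-provided CycloneDX SBOM for unversioned components and transitive coverage, and of a security.txt file for the Contact and Expires fields that RFC 9116 requires. The SBOM and security.txt contents are constructed samples, and the package names and supplier.example domain are placeholders.

```python
import json
from datetime import datetime

# Constructed CycloneDX SBOM: gadget -> requests -> urllib3, plus one unversioned part.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/gadget@2.1"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "version": "2.0.7"},
        {"bom-ref": "pkg:generic/vendor-blob", "name": "vendor-blob"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/gadget@2.1", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:generic/vendor-blob"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
    ],
})

# Constructed security.txt as it would be served at /.well-known/security.txt (RFC 9116).
SAMPLE_SECURITY_TXT = """# constructed sample
Contact: mailto:security@supplier.example
Expires: 2027-01-31T00:00:00Z
"""

def review_sbom(sbom_json):
    """Document Review step: format, versioned components, transitive depth."""
    bom = json.loads(sbom_json)
    findings = []
    comps = bom.get("components", [])
    unversioned = [c.get("name", "?") for c in comps if not c.get("version")]
    if unversioned:  # no version means no reliable CVE matching for that part
        findings.append("unversioned: " + ", ".join(unversioned))
    # Questionnaire 6.3 "transitive dependencies included": a non-root component declares its own edges.
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    transitive = any(d.get("ref") != root and d.get("dependsOn")
                     for d in bom.get("dependencies", []))
    if not transitive:
        findings.append("direct dependencies only")
    return {"format_ok": bom.get("bomFormat") == "CycloneDX",
            "components": len(comps), "transitive": transitive, "findings": findings}

def check_security_txt(text, now_iso):
    """Spot-check step: RFC 9116 requires Contact and an unexpired Expires."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    problems = []
    if "contact" not in fields:
        problems.append("no Contact field")
    if "expires" not in fields:
        problems.append("no Expires field")
    else:
        to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        if to_dt(fields["expires"]) <= to_dt(now_iso):
            problems.append("Expires date has passed")
    return problems
```

Fetching the live security.txt and the supplier's real SBOM is left to the reviewer; the functions take their contents as strings so the checks run the same way on either input.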

Ongoing Monitoring

SUPPLIER MONITORING SCHEDULE

Monthly:
[ ] Check for published security advisories
[ ] Verify security contact still functional
[ ] Review any vulnerability disclosures

Quarterly:
[ ] Request updated SBOM (if significant releases)
[ ] Verify CVD policy still accessible
[ ] Check for new certifications or lapses

Annually:
[ ] Full questionnaire refresh
[ ] Review support period status
[ ] Verify documentation still available
[ ] Business stability review

Trigger-Based:
[ ] Major security incident: immediate review
[ ] Ownership change: full re-assessment
[ ] Product discontinuation: EOL planning
[ ] Contract renewal: compliance re-verification

Supplier Agreement Clauses

Essential Clauses for CRA

Include these provisions in supplier contracts:

Compliance Representation:

Supplier represents and warrants that the Product(s)
comply with Regulation (EU) 2024/2847 (Cyber Resilience
Act) and that Supplier has completed the required
conformity assessment.

Documentation Provision:

Supplier shall provide upon request:
(a) Copy of EU Declaration of Conformity
(b) Software Bill of Materials in [CycloneDX/SPDX] format
(c) Technical documentation relevant to Buyer's
    compliance obligations
Response time: [5 business days]

Vulnerability Notification:

Supplier shall notify Buyer within [24/48] hours of
becoming aware of any security vulnerability in the
Product(s) that:
(a) Is actively exploited, or
(b) Has a CVSS score of 7.0 or higher, or
(c) Is subject to public disclosure

Support Period Commitment:

Supplier commits to providing security updates for
the Product(s) for a minimum period of [5/7/10] years
from the date of first market placement in the EU.

SBOM Updates:

Supplier shall provide an updated SBOM within [10]
business days of each product release that includes
changes to third-party components.

Audit Rights:

Buyer may audit Supplier's compliance with this
Agreement and applicable CRA requirements upon
[30 days] written notice, no more than once per year
unless triggered by a compliance concern.

Common Mistakes

Relying on Self-Attestation

Problem: Accepting supplier's verbal assurances without documentation.

Fix: Always obtain written evidence. No DoC copy = no purchase.

One-Time Assessment

Problem: Due diligence at contract signing only.

Fix: Implement ongoing monitoring schedule. Compliance can change.

Ignoring Tier 3-4 Suppliers

Problem: Only assessing "major" suppliers while ignoring smaller ones.

Fix: Even minor components can introduce vulnerabilities. Scale assessment, don't skip.

No Contractual Backing

Problem: Relying on supplier goodwill without contract terms.

Fix: Put compliance obligations in writing. Include remedies for non-compliance.

Waiting Until December 2027

Problem: Starting supplier assessments right before CRA enforcement.

Fix: Start now. Assessment takes time. Non-compliant suppliers need time to remediate or be replaced.

Supplier Due Diligence Checklist

SUPPLIER DUE DILIGENCE CHECKLIST

PRE-ENGAGEMENT:
[ ] Supplier tier determined
[ ] Appropriate questionnaire selected
[ ] Internal reviewer assigned

INITIAL ASSESSMENT:
[ ] Questionnaire sent
[ ] Questionnaire received and reviewed
[ ] Red flags identified and addressed
[ ] Documentation collected:
    [ ] EU Declaration of Conformity
    [ ] SBOM (or availability confirmed)
    [ ] CVD policy
    [ ] Support period commitment
[ ] Spot-checks completed:
    [ ] security.txt verified
    [ ] Security contact tested
    [ ] CE marking verified

CONTRACT NEGOTIATION:
[ ] Compliance clauses included
[ ] Documentation provisions agreed
[ ] Vulnerability notification terms set
[ ] Support period commitment secured
[ ] Audit rights included
[ ] SBOM update schedule agreed

POST-CONTRACT:
[ ] Monitoring schedule established
[ ] First documentation delivery confirmed
[ ] Contacts registered in supplier management system
[ ] Review dates calendared

ONGOING:
[ ] Monthly checks completed
[ ] Quarterly reviews completed
[ ] Annual reassessment completed
[ ] Trigger events handled

How CRA Evidence Helps

CRA Evidence includes supplier management capabilities:

  • Supplier registry: Track all suppliers with CRA roles
  • Questionnaire tracking: Send, receive, review assessments
  • Documentation storage: DoCs, SBOMs, certifications
  • Monitoring alerts: Track support periods, review dates
  • SBOM aggregation: Combine supplier SBOMs into your product SBOM

Manage your supply chain compliance at app.craevidence.com.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
