Building Blocks: Info for Developers Integrating Your Software Component

If your software is a component designed to be built into other products (like a library, an SDK, or a game engine module), you have a responsibility to the developers who use it. The Cyber Resilience Act requires you to provide them with the information they need to maintain cybersecurity (Annex II, point 8f).

Equipping Integrators

When your software is a component, you must provide information that helps the integrating manufacturer (the developer using your component) to comply with their CRA obligations. This includes details to help them meet:

  • The Essential Cybersecurity Requirements (Annex I):
    • How does your component contribute to or impact the security of the final product?
    • Are there specific configurations or usage patterns of your component that are critical for security?
    • What are its known limitations or dependencies from a security perspective?
  • Documentation Requirements (Annex VII):
    • What information about your component they should include in their own technical documentation (for example, in their Software Bill of Materials if your component is a significant dependency)?
    • Details about the component's design, development, and any security testing you've performed that they might need to reference.
    • Information on how you handle vulnerabilities in your component and how you provide updates.

Think Downstream

Your goal is to make it easier for developers using your software component to build secure products themselves and to fulfill their own CRA duties. Clear documentation for integrators is essential.

Key Takeaway

If your software is a component for others to integrate, provide them with all necessary security information so they can comply with Annex I and Annex VII of the CRA. This is your duty under Annex II, point 8f.