
Managing 3rd Party Components

One of the CRA requirements addresses any third-party components that you may have integrated into your product. The CRA extends your vulnerability-handling obligations to the entirety of your product, which means that you are also responsible for the third-party components you use.

Qt exercises due diligence with regard to its third-party components, including any free and open-source software components it uses.

EU CRA Reference

Recital 34

Manufacturers integrating third-party components in products with digital elements must ensure compliance with cybersecurity requirements by exercising due diligence. This includes verifying conformity, regular security updates, and vulnerability-free status. If a vulnerability is found, it must be addressed and the responsible entity informed. Due diligence varies based on the component's cybersecurity risk.

Go to the legislation

Considerations for 3rd Party Software

Is an SBOM available for the component?

Is the supplier able to take on the CRA Open-Source Steward or Manufacturer role?

What are the supplier's security update process and practices?

What is the component's public CVE state?

How is the module licensed?

How deep is the integration? Inline code, a separate module, or something in between?

Do you keep the third-party component, drop it, or change the integration model?
Do you need to take a bigger role in its maintenance and CRA compliance?
How do you communicate this to your users?

The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.
