CRA-03 — EU Cyber Resilience Act

Upstream

312 dependencies. 23 maintained by one person. A new supplier with no SBOM. Do you know what’s inside your product?


You are the Head of Supply Chain Compliance at Kastos IoT — a role that didn’t exist 6 months ago. Your mandate: build a component provenance process that satisfies the CRA’s due diligence requirement for third-party components. The SBOM rebuild from Module 1 revealed 7 discrepancies. Tomasz’s deeper audit found 312 dependencies in the K400 firmware, most of them transitive. Today you’re starting the full supply chain risk assessment — and you’re also evaluating a new hardware supplier in Shenzhen whose component carries firmware you’ve never seen.

  • Kastos IoT — 340 employees, €62M revenue, HQ Rotterdam
  • K400 firmware: 312 dependencies (47 top-level, 265 transitive)
  • 23 dependencies maintained by a single developer in Belarus
  • Critical BLE stack library: 3-person open-source project, no commits in 14 months
  • New hardware supplier evaluation: Shenzhen MicroCore — embedded processor module for K400 next-gen
  • CRA support period: 7 years (committed in Module 3)
Mission Briefing

How This Works

This is a decision-driven scenario. You’ll make real decisions that a Head of Supply Chain Compliance faces when assessing dependencies, evaluating suppliers, and managing open-source obligations — and your choices determine your final ops rating.

Dependency Tree Mapping

Classify components in the K400’s dependency tree by risk category.

Three Decisions

Each decision is scored. Your choices determine a percentage-based ops rating. Wrong calls create cascading consequences.

Supplier Investigation

Choose which supplier documents to investigate. You have 4 slots — choose wisely.

Risk Matrix

Place supply chain scenarios on a likelihood × impact grid to build the risk register.

--:--:-- GREEN CRA-03: Upstream
Personnel Briefing

Your Team

You’ll work with these three throughout the scenario. They see the supply chain from different angles — your job is to find the decision that balances risk, cost, and legal obligation.

Tomasz Kowalski — Lead Firmware Engineer
Tracking every dependency in a 312-library firmware tree. Not thrilled about the paperwork.
Sophie Laurent — Head of Legal & Regulatory Affairs
Keeps Kastos legal. Will tell you exactly which Article you just violated.
Chen Wei — Technical Director, Shenzhen MicroCore
Your most complex supplier. Technically excellent. Navigating EU compliance for the first time.
Situation Feed

The Dependency Audit

Monday, 09:00 CET

Tomasz walks you through the K400 dependency tree. Top level: 47, all in the SBOM. The transitive layer tells a different story.

Of 312 total, 289 are actively maintained. 23 are run by a single developer — the same person across all of them. One library stands out: the BLE stack handling all Bluetooth provisioning is a 3-person volunteer project, 14 months since last commit. Release note: ‘Maintenance mode. Security patches only.’

K400 FIRMWARE v4.0  (312 dependencies)
│
├─ TOP-LEVEL                                      47
│  │
│  ├─ ● BLE communication stack                 [CRITICAL]
│  │    3-person project · 14 months silent · “maintenance mode”
│  │
│  ├─ ● 23 utility libraries                   [CONCENTRATION]
│  │    single maintainer (Belarus) · non-critical path
│  │
│  ├─ ✓ OpenSSL 3.1.4                          healthy
│  ├─ ✓ mbedTLS 3.5.0                          healthy
│  └─ ✓ 21 other top-level libraries            healthy
│
└─ TRANSITIVE                                    265
   │
   ├─ ✓ Actively maintained                     264
   └─ ● Known single-maintainer (via 23 libs)   23 nested

One critical vulnerability waiting to happen, plus a 23-library concentration risk. Under the CRA both sit squarely inside the manufacturer’s due diligence obligation for third-party components.

TOMASZ KOWALSKI — Lead Firmware Engineer
I picked the BLE stack in 2023. Good docs, clean API, active community. Since then, two of the three maintainers left. The last one pushed a security patch 8 months ago. Nothing since.
OPS FEED
[09:12] SUPPLY CHAIN — Audit: 312 total. 289 active. 23 single-maintainer. 1 critical in maintenance mode (BLE stack, 14 months silent).

Dependency Tree Mapping

Practice round — not scored. Your score comes from the three decisions.

Monday, 10:30 CET

Before you can build a remediation plan, you need to visualise the K400’s dependency landscape. Classify each component by its risk category. Identify: which components are single-maintainer risks, which create concentration risk, and which have unknown provenance.
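The classification above is mechanical once the inputs exist, so here is a worked example. It is added for illustration and is not Kastos’s tooling or anything from the scenario: it reads a constructed CycloneDX-style SBOM fragment, joins it to constructed upstream-health records (maintainer list, last commit date, maintenance-mode flag) and a critical-path list, and tags each component as single-maintainer, concentration, stale upstream, critical, or unknown provenance. The thresholds STALE_DAYS and CONCENTRATION_MIN and the audit date AS_OF are assumed policy values, not figures from the CRA or from the page.

```python
"""Classify SBOM components by supply chain risk category.

Example code added for illustration; not Kastos's tooling.  The SBOM
fragment, the upstream-health records and the critical-path list below are
constructed inputs.  STALE_DAYS and CONCENTRATION_MIN are assumed policy
values, not CRA requirements.
"""
import json
from collections import defaultdict
from datetime import date

STALE_DAYS = 365           # assumed: no commit in a year counts as a stale upstream
CONCENTRATION_MIN = 3      # assumed: one person behind >= 3 libraries is a concentration risk
AS_OF = date(2025, 11, 3)  # fixed audit date so the run is deterministic

# Constructed CycloneDX-style SBOM fragment.  "vendor-hal" has no purl: nothing
# in the SBOM says where it came from.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "ble-stack",  "version": "2.4.1", "purl": "pkg:generic/ble-stack@2.4.1"},
    {"type": "library", "name": "openssl",    "version": "3.1.4", "purl": "pkg:generic/openssl@3.1.4"},
    {"type": "library", "name": "mbedtls",    "version": "3.5.0", "purl": "pkg:generic/mbedtls@3.5.0"},
    {"type": "library", "name": "strutil",    "version": "0.9.0", "purl": "pkg:generic/strutil@0.9.0"},
    {"type": "library", "name": "ringbuf",    "version": "1.2.0", "purl": "pkg:generic/ringbuf@1.2.0"},
    {"type": "library", "name": "crc-tools",  "version": "0.3.3", "purl": "pkg:generic/crc-tools@0.3.3"},
    {"type": "library", "name": "vendor-hal", "version": "1.0"}
  ]
}"""

# Constructed upstream-health records.  In practice these are pulled from the
# upstream repository: distinct committers over the last year, last commit
# date, and any "maintenance mode" notice in the README or release notes.
HEALTH = {
    "ble-stack": {"maintainers": ["b1"], "last_commit": "2024-09-01", "maintenance_mode": True},
    "openssl":   {"maintainers": ["o1", "o2", "o3", "o4"], "last_commit": "2025-10-20", "maintenance_mode": False},
    "mbedtls":   {"maintainers": ["m1", "m2", "m3"], "last_commit": "2025-10-28", "maintenance_mode": False},
    "strutil":   {"maintainers": ["dev-x"], "last_commit": "2025-09-15", "maintenance_mode": False},
    "ringbuf":   {"maintainers": ["dev-x"], "last_commit": "2025-08-02", "maintenance_mode": False},
    "crc-tools": {"maintainers": ["dev-x"], "last_commit": "2025-10-01", "maintenance_mode": False},
}

# Components on the security-critical path (crypto, networking, provisioning).
CRITICAL_PATH = {"ble-stack", "openssl", "mbedtls"}


def classify(sbom_json, health, critical_path, as_of=AS_OF,
             stale_days=STALE_DAYS, concentration_min=CONCENTRATION_MIN):
    """Return (tags_by_component, concentration_groups).

    Tags: UNKNOWN_PROVENANCE, SINGLE_MAINTAINER, CONCENTRATION, STALE_UPSTREAM,
    CRITICAL (critical-path component with a thin or stale upstream), HEALTHY.
    """
    components = json.loads(sbom_json)["components"]

    # First pass: group single-maintainer libraries by who maintains them, so
    # concentration is judged across the whole tree rather than per component.
    by_maintainer = defaultdict(list)
    for comp in components:
        rec = health.get(comp["name"])
        if rec and len(rec["maintainers"]) == 1:
            by_maintainer[rec["maintainers"][0]].append(comp["name"])
    concentrated = {m: libs for m, libs in by_maintainer.items()
                    if len(libs) >= concentration_min}

    tags_by_component = {}
    for comp in components:
        name, tags = comp["name"], set()
        rec = health.get(name)
        if "purl" not in comp or rec is None:
            # No package URL or no upstream record: we cannot say where this
            # code comes from, so it cannot be assessed at all.
            tags.add("UNKNOWN_PROVENANCE")
        else:
            n_maint = len(rec["maintainers"])
            age_days = (as_of - date.fromisoformat(rec["last_commit"])).days
            stale = age_days > stale_days or rec["maintenance_mode"]
            if n_maint == 1:
                tags.add("SINGLE_MAINTAINER")
                if rec["maintainers"][0] in concentrated:
                    tags.add("CONCENTRATION")
            if stale:
                tags.add("STALE_UPSTREAM")
            if name in critical_path and (n_maint <= 1 or stale):
                tags.add("CRITICAL")
        tags_by_component[name] = sorted(tags) if tags else ["HEALTHY"]
    return tags_by_component, concentrated


if __name__ == "__main__":
    tags, groups = classify(SBOM_JSON, HEALTH, CRITICAL_PATH)
    for name, t in tags.items():
        print(f"{name:<12} {', '.join(t)}")
    for maintainer, libs in groups.items():
        print(f"concentration: {maintainer} maintains {len(libs)} libraries: {', '.join(libs)}")
```

Concentration is computed across the whole tree in a first pass, which is the point: strutil, ringbuf and crc-tools each look like an ordinary single-maintainer library on their own, and only the join over maintainer identity shows that one person is behind all three. A component with no purl and no health record is reported as unknown provenance rather than silently treated as healthy.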


The Abandoned Library

The BLE stack is critical and effectively unmaintained. A vulnerability would leave 2,800 deployed panels without an upstream patch. How do you handle this?

Outcome: Positive

Fork and Maintain

Kastos forks the BLE stack and engages a BLE specialist for a 4-week audit. The code is well-structured but has 3 weak input-validation areas — not currently exploitable, but vulnerable to crafted BLE packets. Your team patches them proactively.

Kastos now maintains its own branch. €120K/year, but full control over a critical component for the 7-year support period. The SBOM lists Kastos as the current maintainer.

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
This is exactly what Article 13(5) means by due diligence. We identified a supply chain risk and took proportionate action. The notified body will see a manufacturer that controls its critical dependencies.
Regulatory Reference
CRA Article 13(5) — Due Diligence on Components
Article 13(5) requires manufacturers to exercise due diligence when integrating components sourced from third parties, explicitly including free and open-source components that were never placed on the market commercially, so that those components do not compromise the cybersecurity of the product. In practice that means verifying at integration, and re-checking during the support period, that the component is maintained, that vulnerabilities in it will be addressed, and that its security posture is known. If the upstream goes inactive, the manufacturer must find an alternative, mitigate, or take over maintenance. ‘It was open source’ is not a defence.
Outcome: Neutral

Migration Planned

You identify two commercial BLE alternatives: one from a Swedish firm (€45K/year licence, 10-year support guarantee) and one from a US company (€30K/year, 5-year rolling). Tomasz estimates 12–18 months for migration — the BLE stack is deeply integrated into the provisioning workflow.

In the interim, you document the risk in the supply chain risk register and establish monitoring: automated alerts for any CVE affecting the current BLE library, weekly checks on the upstream repository for activity, and a response plan if a critical vulnerability is disclosed before migration completes.

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
The plan is defensible. But document the risk acceptance clearly — if a vulnerability appears during the migration window, we need to show we had a contingency, not just a timeline.
Outcome: Negative

Wait and See

Four months later, a researcher publishes a critical BLE-stack vulnerability — a buffer overflow in the pairing protocol allowing remote code execution within Bluetooth range. Upstream maintainer: ‘Aware. No time to fix. PRs welcome.’

Kastos has no internal BLE expertise. All 2,800 deployed panels affected. The CRA requires updates ‘without delay’ but Kastos can’t patch a codebase it doesn’t understand. Emergency contractor: €80K, 6–8 weeks.

Jan: ‘We knew 4 months ago. We waited. That’s not a supply chain failure — that’s a decision failure.’

Regulatory Reference
Due Diligence Is Proactive, Not Reactive
Due diligence under the CRA is forward-looking. Manufacturers must assess the security and maintenance viability of components at integration and on an ongoing basis throughout the support period. Knowing a critical component is unmaintained and waiting for a vulnerability is not due diligence; it is risk acceptance without mitigation. Market surveillance authorities will ask: ‘You knew. What did you do about it?’

The Shenzhen Supplier

Wednesday, 10:00 CET

You join a video call with Chen Wei, Technical Director at Shenzhen MicroCore. The MC-7200 embedded processor is technically excellent — lower power, faster, 30% cheaper than the EU alternative. Hardware wants it for the K400 next-gen.

You ask for the component’s software bill of materials. Pause.

The MC-7200 carries its own RTOS firmware — networking, Bluetooth, security libraries. MicroCore has never been asked for an SBOM. ‘Our team can list the major libraries,’ Chen Wei offers. ‘The full tree... this is not something we have prepared.’

CHEN WEI — Technical Director, Shenzhen MicroCore Electronics
I understand the requirement. No other customer has asked for this. Our firmware uses standard libraries — FreeRTOS, lwIP, mbedTLS. I can provide version numbers. The full tree will take time.
SOPHIE LAURENT — Head of Legal & Regulatory Affairs
If the MC-7200 goes into the K400, its firmware becomes part of our product. Our SBOM must include its dependencies. If MicroCore can’t tell us what’s in the firmware, we can’t exercise due diligence under Article 13(5).

Supplier Due Diligence — Document Review

Practice round — not scored. Your score comes from the three decisions.

Wednesday, 14:00 CET

Chen Wei has sent the documentation package for the MC-7200. Information is hidden under cards — choose what to investigate. Each investigation costs time. You have 4 investigation slots before the supplier evaluation deadline. What you don’t open, you don’t know — and what you don’t know, you can’t assess.


Supplier Due Diligence

The MC-7200 is technically superior and 30% cheaper. But MicroCore cannot currently provide a software bill of materials for the component’s firmware. How do you proceed?

Outcome: Positive

Supplier Development

You draft a supplier cybersecurity requirements addendum: full SBOM in CycloneDX format, published vulnerability disclosure policy, commitment to security updates for the component’s lifecycle, and annual security review. You give MicroCore 90 days and offer a joint working session on SBOM generation tools.

Chen Wei is receptive: ‘We sell to automotive companies in Germany. They ask for hardware traceability. This is the software equivalent — I understand.’ His team uses an open-source SBOM tool and produces a draft within 6 weeks. It reveals 87 dependencies in the MC-7200 firmware, including 2 libraries with known CVEs that MicroCore wasn’t aware of.

The partnership strengthens. MicroCore patches the CVEs before the component ships. Kastos’s contract is the first to include CRA-aligned cybersecurity requirements — but MicroCore expects more EU customers to follow. You’ve helped build a more secure supply chain, not just assessed one.

Outcome: Neutral

Independent Assessment

Kastos’s security team performs binary analysis on the MC-7200 firmware. They extract 71 of an estimated 87 dependencies — 16 are obfuscated or compiled in a way that resists analysis. The partial SBOM goes into the technical file with a note: ‘Component firmware analysed via binary decomposition. 16 dependencies could not be identified. Vendor engagement ongoing.’

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
This is better than nothing, but a market surveillance authority may ask why we integrated a component with 16 unidentified dependencies. The due diligence argument is weakened when we can’t fully characterise what we’re selling.

The notified body accepts the partial SBOM with conditions: Kastos must obtain the complete dependency list from MicroCore within 6 months or demonstrate equivalent assurance through ongoing testing.

Outcome: Neutral

EU Alternative

Kastos selects the EU supplier. The component is CRA-compliant: full SBOM provided, vulnerability disclosure policy published, 7-year security update commitment matching Kastos’s own support period. Integration is smooth.

The cost impact: €14 per unit more than the MC-7200, across an estimated 50,000 units over 3 years = €700K in additional component costs. Jan questions: ‘Is CRA compliance really worth €700K when we could have educated the cheaper supplier?’

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
It’s a valid business decision, but it’s not the only compliant path. We could have required MicroCore to meet our standards — the CRA doesn’t mandate EU sourcing, it mandates due diligence. We chose the fastest path to compliance, not the most cost-effective one.

The Open-Source Question

Friday, 09:00 CET

Sophie calls a meeting on the open-source liability boundary. The K400 firmware integrates 189 open-source libraries — over 60% of the tree. The CRA puts ‘open-source software stewards’ under a much lighter regime than manufacturers, and open-source software that is not supplied in the course of a commercial activity is not a product its developers place on the market. But Kastos is the manufacturer.

The steward provisions (Article 24 in the adopted text of Regulation (EU) 2024/2847) give stewards a light-touch duty: maintain a cybersecurity policy and facilitate vulnerability handling, not secure the product. Article 13(5) says manufacturers must exercise due diligence on the components they integrate, open-source ones explicitly included. The obligation doesn’t vanish because the component is free.

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
Article 18 protects the volunteer maintaining the BLE library. It doesn’t protect us. The cybersecurity obligation flows to whoever places the product on the EU market. That’s Kastos.
TOMASZ KOWALSKI — Lead Firmware Engineer
So if a vulnerability is found in an open-source library we use, we’re responsible for patching it — even though we didn’t write it?
SOPHIE LAURENT — Head of Legal & Regulatory Affairs
We’re responsible for product security. How we get there — patching, replacing, mitigating — is our call. The upstream maintainer has no duty to fix it for us.

Open-Source Obligations

Kastos integrates 189 open-source libraries. Under the CRA, the manufacturer owns the cybersecurity of the whole product, open-source included. How should Kastos manage that going forward?

Outcome: Positive

Open-Source Governance

Kastos stands up the Open Source Security Programme (OSSP). All 189 libraries go into three tiers: Tier 1 (12 security-critical — crypto, networking, BLE), Tier 2 (34 important — data handling, protocols), Tier 3 (143 utilities).

Tier 1: annual audits, upstream patches, internal fork readiness. Tier 2: automated monitoring + quarterly review. Tier 3: CVE monitoring on the standard patch cycle.

Year one, the OSSP catches 4 Tier 1 vulnerabilities through the funded audits before public disclosure. Two patches go upstream and are accepted; Kastos is credited in the advisories. €60K/year, prevents an estimated €200K+ in emergency response.

Sophie shows the OSSP to the notified body: ‘Our due diligence framework for open-source.’ The assessor: ‘First time I’ve seen a manufacturer document this systematically. Well done.’
Outcome: Neutral

Automated Monitoring

You deploy automated vulnerability monitoring across all 189 libraries using an open-source security scanning tool integrated into the CI/CD pipeline. Every build checks for known CVEs. Alerts trigger within minutes of a new CVE publication.

The system works: in the first 6 months, it catches 7 CVEs affecting Kastos dependencies. Six are low-severity and patched in the normal release cycle. One is high-severity in a networking library — your team patches within 72 hours.
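The CI check described above amounts to joining the SBOM against an advisory feed and deciding, per component, whether the shipped version falls inside an affected range. The example below is added for illustration and is not the scanner or pipeline the scenario refers to: the SBOM fragment and the advisories are constructed, the advisory IDs are placeholders rather than real CVEs, the advisory layout follows the OSV schema’s affected/ranges/events structure, and the patch deadlines in SLA_HOURS are assumed policy values (the page fixes only the 72-hour figure for high severity).

```python
"""Match an SBOM against published advisories using version ranges.

Example code added for illustration; not Kastos's pipeline.  The SBOM
fragment and the advisories are constructed (advisory IDs are placeholders,
not real CVEs).  The advisory shape follows the OSV schema's
affected/ranges/events layout; the patch deadlines are assumed policy values.
"""
import json

# Assumed patch SLA per severity, in hours.  None = normal release cycle.
SLA_HOURS = {"CRITICAL": 72, "HIGH": 72, "MEDIUM": 24 * 14, "LOW": None}

# Constructed CycloneDX-style SBOM fragment.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "ble-stack", "version": "2.4.1", "purl": "pkg:generic/ble-stack@2.4.1"},
    {"type": "library", "name": "openssl",   "version": "3.1.4", "purl": "pkg:generic/openssl@3.1.4"},
    {"type": "library", "name": "mbedtls",   "version": "3.5.0", "purl": "pkg:generic/mbedtls@3.5.0"},
    {"type": "library", "name": "lwip",      "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"}
  ]
}"""

# Constructed advisories in OSV-style layout.  Each range is an ordered list of
# events: "introduced" opens an affected interval, "fixed" closes it (exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "severity": "HIGH",
     "affected": [{"package": {"ecosystem": "generic", "name": "ble-stack"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.5.0"}]}]}]},
    {"id": "EXAMPLE-2025-0002", "severity": "MEDIUM",
     "affected": [{"package": {"ecosystem": "generic", "name": "openssl"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.13"},
                                                               {"introduced": "3.1.0"}, {"fixed": "3.1.5"}]}]}]},
    {"id": "EXAMPLE-2025-0003", "severity": "HIGH",
     "affected": [{"package": {"ecosystem": "generic", "name": "mbedtls"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}, {"fixed": "3.5.0"}]}]}]},
    # Same library name in another ecosystem: must NOT match our generic component.
    {"id": "EXAMPLE-2025-0004", "severity": "CRITICAL",
     "affected": [{"package": {"ecosystem": "npm", "name": "lwip"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.9.9"}]}]}]},
]


def parse_version(text, width=4):
    """Dotted numeric version -> fixed-width tuple, so 3.1 == 3.1.0 and 3.1.4 > 3.1."""
    parts = []
    for piece in text.split(".")[:width]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (width - len(parts)))


def version_affected(version, events):
    """Walk OSV events in order; affected if the version sits inside an open interval."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            affected = v >= parse_version(event["introduced"])
        elif "fixed" in event and affected and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and affected and v > parse_version(event["last_affected"]):
            affected = False
    return affected


def split_purl(purl):
    """pkg:TYPE/NAME@VERSION -> (TYPE, NAME); the purl is the identity we match on."""
    body = purl.removeprefix("pkg:")
    ptype, _, rest = body.partition("/")
    return ptype, rest.split("@", 1)[0]


def match_sbom(sbom_json, advisories, sla_hours=SLA_HOURS):
    """Return one finding per (component, advisory) pair whose version is in an affected range."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        if "purl" not in comp:
            continue  # no identity to match on; handled separately as unknown provenance
        ptype, name = split_purl(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ptype or pkg["name"] != name:
                    continue
                if any(version_affected(comp["version"], r["events"]) for r in aff["ranges"]):
                    findings.append({"component": name, "version": comp["version"],
                                     "advisory": adv["id"], "severity": adv["severity"],
                                     "sla_hours": sla_hours.get(adv["severity"])})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        deadline = f"{f['sla_hours']}h" if f["sla_hours"] else "normal release cycle"
        print(f"{f['component']}@{f['version']}: {f['advisory']} [{f['severity']}] patch within {deadline}")
```

Two details matter in practice. Matching on the purl type and name rather than on the bare library name keeps an advisory for a same-named package in another ecosystem (the npm entry here) from producing a false alert, and treating the fixed version as exclusive keeps a component already on the fixed release (mbedtls 3.5.0 here) out of the findings. Real feeds also carry non-numeric versions and git commit ranges, which this parser does not handle.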

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
The monitoring is reactive. We find out about vulnerabilities when the world does — after disclosure. The companies funding upstream audits find them before disclosure. We’re faster than most, but we’re not ahead of the curve. The approach is compliant but not exemplary.
Outcome: Negative

Replace Everything

Tomasz scopes the migration: 12 critical libraries need commercial replacements. Three have no equivalent — the BLE stack, a custom protocol handler, and a hardware abstraction layer purpose-built for the K400 chipset. For those, the only option is internal maintenance or re-architecture.

Cost: €400K/year in licences, €250K in migration engineering, 18 months of disruption. The v5.0 roadmap freezes while the team rewrites interfaces.

Jan: ‘€650K in year one to replace working code. The CRA requires us to manage open-source, not avoid it. This kills our development velocity.’

SOPHIE LAURENT — Head of Legal & Regulatory Affairs
The CRA explicitly acknowledges open-source as part of the ecosystem. The obligation is due diligence, not elimination. We’ve gone beyond proportionality.
Regulatory Reference
CRA Recitals 18–20 — Open-Source and Commercial Integration
The CRA recognises open-source as integral to the digital product ecosystem. It doesn’t penalise OSS use — it requires manufacturers who integrate OSS into commercial products to exercise due diligence: assess, monitor, manage, regardless of licence model. Wholesale replacement isn’t required and may not be proportionate — it swaps one risk (maintainer viability) for others (vendor lock-in, reduced flexibility, higher cost without necessarily higher security).

Supply Chain Risk Register

Practice round — not scored. Your score comes from the three decisions.

End of Week 2

You’re building Kastos’s supply chain risk register. Place each of these 6 supply chain scenarios onto the likelihood × impact grid. The position determines the risk rating and drives the mitigation priority.
