
Introduction

Due diligence is the process by which a manufacturer selects third-party components with an appropriate security posture. It is carried out during the development phase of product creation, before third-party components are integrated and before the product is released. It is the manufacturer's responsibility to define the due diligence needed to ensure an appropriate level of cybersecurity support for its products. To assess and minimise risk, manufacturers need to perform due diligence on both commercial and open source dependencies.

The CRA (the EU Cyber Resilience Act) makes due diligence an obligation for manufacturers, but it gives no further concrete guidance on what due diligence consists of. At the time of writing, the harmonised standards also do not appear to provide sufficiently concrete guidelines on due diligence. This whitepaper aims to collaboratively build an industry consensus on proper due diligence for open source components and to provide guidance and inspiration for the manufacturer community in reaching an appropriate level of due diligence.