Skip to content

Suppliers & qualification

The Suppliers screen has two layers: a fleet-wide directory of your SBOM requests, and per-supplier qualification files — the structured home for your component due-diligence evidence under CRA Art. 13(5)–(6).

All SBOM requests across every product version, grouped by supplier: who owes you an SBOM, who has delivered, what you have acknowledged. Filter by status, drill through to the owning product version, and resend or revoke a pending request from here.

One file per supplier captures your due-diligence evidence: identity and contacts, the supplier’s PSIRT / security-advisory channel, declared support commitments, and their declared CE/DoC conformity status. The file carries a qualification status — Unqualified, In assessment, Qualified, Conditional, or Disqualified — plus a re-qualification due date. The qualification decision is your organisation’s own, human-signed determination — never an Resilic certification of the supplier.

Track record — signals, not questionnaire theatre

Section titled “Track record — signals, not questionnaire theatre”

Resilic auto-derives an objective track record from data it already holds: how responsively the supplier answers your SBOM requests, the vulnerability exposure history of their components in your registry (EUVD/NVD/CISA KEV), and — once notices flow — their observed remediation latency.

A structured questionnaire covers the Art. 13(5) due-diligence topics (informed by the IEC 62443-4-1/-2-4 topic areas): you record how the supplier addresses each. From your answers and the track record, AI drafts an assessment summary with citations — you review, edit, and save it. Answers are never auto-scored into a verdict.

A fixed, explainable A–D rating combines SBOM responsiveness, component vulnerability history, and questionnaire completeness — every rating shows its inputs; there is no black box. It is purely advisory: it suggests a re-qualification cadence (A = 24 months, B = 12, C/D = 6) and never sets the qualification verdict. When a re-qualification comes due, subscribed users get a reminder 30 days ahead.

Subscribe to a supplier’s security advisories (CSAF)

Section titled “Subscribe to a supplier’s security advisories (CSAF)”

Many component vendors — Siemens ProductCERT, for example — publish their security advisories as a machine-readable CSAF trusted-provider feed. In the qualification file you can record the supplier’s CSAF provider URL (the Discover button probes their domain’s well-known location for you). From then on Resilic checks the feed periodically and correlates new advisories against your fleet components — typically hours after the vendor publishes, before the CVEs are even enriched in the public databases, and with the vendor’s own affected/fixed version guidance attached.

Vendor-feed matches appear on the Vulnerabilities page with a Vendor source badge and flow into the same triage queue and notification digest as every other match. When the vendor states a clean version bound (“< V26.20”) Resilic evaluates it against your fielded version: in range is a confirmed match, out of range doesn’t match at all, and anything unparseable stays honestly at needs review. Every fetched document’s SHA-512 and OpenPGP signature are checked against the provider’s published keys — a failed check is discarded as tamper evidence, never ingested. One limit stays by design: a vendor advisory alone never marks anything as actively exploited — that verdict stays with CISA KEV.

When a vulnerability is identified in an integrated component, Art. 13(6) expects you to notify the component’s maker. Resilic drafts the notice (component, CVE, references) — you review and send it; nothing is ever sent automatically. Sent notices are tracked (sentacknowledgedremediated) and filed in the qualification file, feeding the remediation-latency signal.

The whole file exports as a due-diligence dossier (PDF) — the artifact a market-surveillance authority would ask about under Art. 13(5). Note the timing: Art. 13(5)–(6) are full-CRA duties applying from 11 Dec 2027, not part of Article 14 reporting — this module is readiness for that, started early because supplier evidence takes time to build.