Use case

EU Cyber Resilience Act — AI supply-chain evidence

The Cyber Resilience Act enters force from 2026. Software vendors must evidence secure development practices, including the AI assistance involved. GenZAgents is the AI side of CRA Article 13 evidence.

CRA's AI-relevant clauses

CRA Article 13 requires manufacturers to put in place "vulnerability handling processes" and to keep records. The 2026 implementing acts clarify that AI-assisted code (e.g. AI-generated code in a security-critical product) must be tracked. CRA Annex I §3.1 requires "automatically logging and monitoring security-relevant events". When that security-relevant event was generated with AI help, the AI assistance itself is part of the audit chain.

Receipts as the AI-assistance audit log

Every commit captured by the auto-receipt-on-commit hook ties the commit to: the engineer's human_id, the AI tools used during authoring, the runtime cost, the project context. For a CRA-scope product, this is the AI-assistance audit log. The dashboard filter "show receipts touching files in product-X" gives the CRA evidence subset; the evidence pack rolls them into a structured CRA Annex I report.

Vulnerability handling — receipt as forensic anchor

When a vulnerability is discovered, CRA requires you to trace its origin. If the vulnerable code was AI-assisted, the relevant receipts tell you: which engineer wrote it, which AI model assisted, which Cursor / Cline / Claude Code session produced it. This is the forensic chain CRA Article 13(3) is looking for.

Supply-chain transparency requirements

CRA pushes SBOM (software bill of materials) requirements. The complement is the "AI bill of materials" — which AI providers were involved in producing the code. GenZAgents receipts roll up cleanly: "the v2.4 release included contributions from claude-3-5-sonnet (61%), gpt-4o (24%), gemini-2.0-flash (12%), human-only (3%)" by line count. This is rapidly becoming a standard procurement question.
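The roll-up above, and the per-product receipt filter described under "Receipts as the AI-assistance audit log", can be illustrated with a small aggregation over receipt records. The code below is an added example written for this page; it is not GenZAgents' own code, and the receipt schema (a `commit`, `human_id`, `model`, `session` and a `files` map of path to lines changed) is an assumption, not the project's documented format. It scopes receipts to one product by path prefix, computes per-model line-count percentages, and also answers the vulnerability-handling question from the previous section: which receipts touched a given file.

```python
"""Roll constructed GenZAgents-style receipts up into a per-model
attribution ("AI bill of materials") for one product scope, and look up
the receipts that touched a given file (the forensic anchor).
The receipt schema used here is an assumption for this example, not the
project's documented format."""
from collections import defaultdict

HUMAN_ONLY = "human-only"

# Constructed sample receipts: one per commit captured by a commit hook.
# `model` is None when no AI tool assisted; `files` maps path -> lines changed.
RECEIPTS = [
    {"commit": "a1", "human_id": "eng-1", "model": "claude-3-5-sonnet",
     "session": "cursor-s1",
     "files": {"src/product-x/auth.py": 90, "src/product-x/util.py": 30}},
    {"commit": "a2", "human_id": "eng-2", "model": "gpt-4o",
     "session": "cline-s7",
     "files": {"src/product-x/api.py": 30}},
    {"commit": "a3", "human_id": "eng-1", "model": None,
     "session": None,
     "files": {"src/product-x/README.md": 20}},
    {"commit": "a4", "human_id": "eng-3", "model": "gemini-2.0-flash",
     "session": "claude-code-s2",
     "files": {"src/product-y/foo.py": 50}},          # out of product-x scope
    {"commit": "a5", "human_id": "eng-2", "model": "gpt-4o",
     "session": "cline-s9",
     "files": {"src/product-x/api.py": 30, "src/product-y/bar.py": 40}},
]


def in_scope(receipt, product_prefix):
    """Return only the receipt's files (path -> lines) under product_prefix.
    A receipt that touches several products contributes only its in-scope lines."""
    return {p: n for p, n in receipt["files"].items() if p.startswith(product_prefix)}


def attribution(receipts, product_prefix):
    """Lines changed per model inside the product scope, plus percentages.
    Receipts with no AI model are counted under HUMAN_ONLY."""
    lines = defaultdict(int)
    for r in receipts:
        scoped = in_scope(r, product_prefix)
        if not scoped:
            continue
        lines[r["model"] or HUMAN_ONLY] += sum(scoped.values())
    total = sum(lines.values())
    pct = {m: round(100 * n / total, 1) for m, n in lines.items()} if total else {}
    return dict(lines), pct


def provenance(receipts, path):
    """Forensic lookup: every receipt whose commit touched `path`, with the
    engineer, model and session that produced it."""
    return [
        {"commit": r["commit"], "human_id": r["human_id"],
         "model": r["model"] or HUMAN_ONLY, "session": r["session"]}
        for r in receipts if path in r["files"]
    ]


if __name__ == "__main__":
    counts, pct = attribution(RECEIPTS, "src/product-x/")
    for model, share in sorted(pct.items(), key=lambda kv: -kv[1]):
        print(f"{model}: {share}% ({counts[model]} lines)")
    for p in provenance(RECEIPTS, "src/product-x/api.py"):
        print(p)
```

Percentages are by lines changed within the scope, so a receipt that spans two products only adds its in-scope lines to the product-x roll-up; a real evidence pack would take the line counts from the commit diff rather than from a hand-built map as here.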

Penalty exposure

CRA non-compliance penalties: up to €15M or 2.5% of annual turnover. For most software vendors that's 3-7 figures of risk per audit cycle. The compliance posture upgrade from GenZAgents (evidenced AI-assistance) shifts you from "no audit trail" to "signed audit pack" at low operational cost.

When CRA bites — timeline

CRA entered force on 10 December 2024 with delayed application: most obligations apply from 11 December 2027, vulnerability reporting from 11 September 2026. The pragmatic deadline for production-grade AI-assistance audit logs is mid-2026 — same window as EU AI Act §50.

Common questions

Does CRA apply to our company specifically?

CRA applies to "products with digital elements" placed on the EU market. Most software / hardware vendors selling into the EU are in scope. Pure-services-only orgs aren't. Check with your legal team for the specifics — we don't give legal advice.

Is "AI bill of materials" a recognised CRA artifact?

Not formally — CRA mandates SBOM, not AIBOM. But procurement organisations are starting to ask for AIBOM as part of their vendor-risk reviews, and the dashboard's per-receipt model attribution is the data source. We expect formal recognition over the next 2-3 years.

Can the receipt audit log be exposed to a third-party assessor?

Yes — the evidence pack is exportable, signed, and verifiable without contacting GenZAgents. Many assessors prefer the offline-verifiable format because it preserves the audit chain across their workflow.

What about the open-source library exception?

CRA exempts non-commercial open-source software. Commercial software using open-source libraries is still in scope for the commercial portion. The receipts record which files each commit touched, so you can filter the audit log down to commercial-product scope.

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
