Launch of a service to support implementation and operation support of SCA/SBOM tools required for compliance with the EU Cyber Resilience Act
Achieving the establishment and operation of a supply chain security management framework
without compromising development speed.
SHIFT Inc. (“SHIFT,” headquartered in Minato-ku, Tokyo, Japan; Masaru Tange, CEO and Representative Director) is pleased to announce the launch of a new service, the EU Cyber Resilience Act (CRA) Compliance Support Service. The service supports the implementation and operation of consistent security controls for software supply chain management in compliance with the EU Cyber Resilience Act (CRA).
SHIFT’s security consultants, who are well-versed in secure application development, and SHIFT’s software development engineers, who practice high-quality agile development, collaborate to support our clients’ company-wide implementation and operation of SCA/SBOM tools, which address the software bill of materials (SBOM) requirements of the EU Cyber Resilience Act. SHIFT will also support building and operating a Product Security Incident Response Team (PSIRT) and establishing a secure product development process. This enables the implementation and operation of consistent security controls for secure software supply chain management without compromising the speed of product development and business growth.
– Background
With the advancement of digital transformation (DX), competition in the digital product market is intensifying year by year, and manufacturers are under pressure to shorten their product release cycles. In recent years, cyber-attacks exploiting vulnerabilities in open-source software (OSS) have been on the rise, and attack techniques have become more diverse and complex. As a result, it has become essential to know which software components are used in a product and to establish mechanisms for detecting and remediating vulnerabilities in them.
Against this background, the EU Cyber Resilience Act, which establishes security requirements across the entire software development lifecycle of digital products distributed within the EU, was adopted in October 2024. The Act obliges manufacturers and distributors of digital products to comply with a range of cyber security requirements. Major requirements include drawing up a software bill of materials (SBOM) that identifies software components, and notifying the designated authorities of actively exploited vulnerabilities and severe incidents, with an early warning due within 24 hours of becoming aware of them. From September 2026, affected companies will be obligated to report actively exploited vulnerabilities in their products and severe incidents, and all requirements must be met by December 2027, when the Act applies in full.
SHIFT has supported the development of security strategies and the establishment of security frameworks for companies across various industries. Additionally, SHIFT has been actively providing security solutions from the product design and development phases based on the concept of ‘Secure by Design’, which builds security measures into the entire development process. In the realm of agile development, SHIFT has established expertise in DevOps, achieving high-quality product development and releases while maintaining speed, using its unique quality assurance framework known as the “SHIFT Quality Framework” (SQF).
In light of the adoption of the EU Cyber Resilience Act, SHIFT has decided to launch a new service called “The EU Cyber Resilience Act Compliance Support Service.” By combining our expertise in secure development and in establishing and operating security frameworks with our knowledge of DevOps in agile development, we aim to help manufacturers and distributors of digital products establish a software supply chain security framework quickly.
– About the EU Cyber Resilience Act Compliance Support Service
The EU Cyber Resilience Act Compliance Support Service is a comprehensive service that assists in the establishment and operation of software supply chain management, including the company-wide introduction and operation of SCA/SBOM tools. Under the EU Cyber Resilience Act, companies that provide digital products distributed in Europe are required, by December 2027, to produce and maintain SBOMs (typically using SCA/SBOM tools), to build and operate a PSIRT for vulnerability handling and reporting, to establish and operate a secure product development process, and to meet other requirements. SHIFT will support those companies step by step without compromising development speed.
[Support for Introduction and Operation of SCA/SBOM tools]
SHIFT will support the introduction and operation of software composition analysis (SCA) tools for generating and managing software bills of materials (SBOM). Drawing on SHIFT’s expertise in agile software development and DevOps, we will support the selection of the SCA/SBOM tools best suited to each client’s environment. We will also automate the SCA/SBOM generation process, for example by integrating SBOM generation into the build pipeline, so that SBOMs are created and maintained efficiently for every release. In addition, based on insights gained from security consulting, we will identify issues likely to arise during company-wide deployment and full-scale operation, and support the establishment of a framework that enables our clients to operate independently after implementation.
[Building a PSIRT]
– Establishing a Vulnerability Reporting Framework
SHIFT will support the establishment and operation of a framework for promptly reporting vulnerabilities to the authorities, in collaboration with local subsidiaries and branch offices in Europe. This covers not only the organizational structure for escalation but also the formulation of operational rules, the preparation of the operational environment, and the development of the skills staff need to handle vulnerability incidents.
– Establishing Vulnerability Coordination Procedures for Products
SHIFT will support the establishment of coordination procedures for product vulnerabilities, including procedures for reporting to the authorities and a vulnerability disclosure policy for handling vulnerabilities reported from outside the company.
– Setting up of a User Contact Point for Products
SHIFT will support the establishment and operation of a user contact point for receiving vulnerability reports related to the products and for providing appropriate information to users.
[Establishing Secure Product Development Procedures]
– Establishing a Governance Framework for Secure Product Development
SHIFT will support the establishment and operation of a governance framework, based on secure-by-design principles, that takes security into account from the design phase of the product development process and governs the secure development of products.
– Establishing Secure Product Development Processes
SHIFT will support the development of internal standards that organize the methods and procedures for developing and maintaining secure products.
– Creating Templates for “EU Declaration of Conformity” and “Technical Documentation”
SHIFT will create common internal templates for the “EU Declaration of Conformity” and the “Technical Documentation” that must be drawn up for each product.
For service-related inquiries: https://service.shiftinc.jp/en/contact/
Contact
PR Office of SHIFT Inc.
pr_info@shiftinc.jp