Skip to content

Compliance

Preparing for the EU CRA: SBOM Requirements

If you manufacture hardware, connected consumer electronics, IoT devices, or develop commercial software sold in the European Union, a massive regulatory wave is about to hit your engineering team.

The EU Cyber Resilience Act (CRA) represents the most sweeping cybersecurity law for physical and digital products in the world.

Under the CRA, cybersecurity is no longer treated as a post-launch software update or a marketing feature. It has become a mandatory condition for CE Marking.

If your "product with digital elements" does not meet the CRA's strict security-by-design standards, you cannot legally affix the CE Mark, and your product is banned from entering the European market. Penalties for non-compliance are severe, reaching up to €15 million or 2.5% of global turnover.

To maintain EU market access, software and hardware product teams must master the CRA's core technical requirement: the Software Bill of Materials (SBOM).

Your Company's Compliance Should Be Scannable

You probably have a "Compliance" or "Legal" page on your website. It lists a handful of PDF links — your ESG report, your modern slavery statement, your code of conduct. You built it because someone in procurement asked for it once, or because your legal team told you to, or because every competitor's website has one. And then you forgot about it.

Here's the problem: nobody finds it. Nobody reads it. And it doesn't prove anything.

Take a moment and try this yourself. Go to any company's website — your own, a competitor's, a potential supplier's — and try to find their modern slavery statement. How many clicks did it take? Was it in the footer? Under "About Us"? Inside a "Legal" dropdown that nobody expands? And when you did find it, was it a PDF? Did you download it, or did you close the tab? Now ask yourself: if an enterprise buyer needs that document to complete a supplier assessment, and it takes them more than thirty seconds to find, what do you think they'll do?

A PDF sitting in a footer link proves nothing about when it was published, whether it's current, or whether anything inside it is true. It's a file. Anyone can create a PDF. The document could be three years old, could contain claims that were never independently verified, could have been edited yesterday and backdated — and nobody would know. A PDF doesn't verify your claims. It just states them.

In a world where enterprise buyers, investors, and regulators are increasingly skeptical of self-declared compliance, a PDF link on page seven of your website isn't transparency. It's a checkbox that nobody checked — and increasingly, it's a checkbox that auditors are marking as "insufficient."

Here's the core shift: compliance is no longer about having the documents. It's about making them accessible, verifiable, and current — at the exact moment someone needs them. And the mechanism for that is a QR code on a live page.

The fix isn't a bigger compliance team or a more organized shared drive. The fix is making your compliance scannable — turning those static documents into live, QR-verifiable pages that anyone can access, verify, and trust in seconds.

CBAM Certificates: Costs, Purchasing & Deadlines

With the definitive phase of the Carbon Border Adjustment Mechanism (CBAM) now in full force, EU compliance is no longer just a regulatory reporting exercise for the sustainability department. It has become a critical liquidity and treasury management issue for the Chief Financial Officer (CFO).

Importers of covered goods must now purchase, hold, and surrender CBAM certificates that directly correspond to the greenhouse gas (GHG) emissions embedded in their imported products. These certificates introduce a fluctuating, carbon-linked cost variable into your global supply chain.

To protect your profit margins and ensure uninterrupted customs clearance, you must master the mechanics of EU CBAM Declarations and the lifecycle of the CBAM certificate.

How to Build a Compliance Trust Center

You have seen Trust Centers before. Vanta, SafeBase — they built entire businesses around SaaS security trust pages. A single page that shows your SOC 2, ISO 27001, and GDPR readiness. It works beautifully for cloud software.

But what about physical products? What about the manufacturer that ships hardware into the EU, sells on Amazon, or supplies a Tier 1 automotive client? Where is their Trust Center?

There was not one. So we built Sustalium.

This guide walks you through building a compliance Trust Center for your products — step by step, no fluff.

UFLPA Supply Chain Traceability: US Customs

Since the enactment of the Uyghur Forced Labor Prevention Act (UFLPA), US Customs and Border Protection (CBP) has detained billions of dollars worth of goods entering the United States.

The scope of enforcement is vast and expanding, heavily impacting industries such as textiles, solar panels, electronics, automotive parts, and agricultural products.

Unlike standard trade enforcement where a company is presumed innocent until proven guilty, the UFLPA operates on a strict rebuttable presumption: any goods mined, produced, or manufactured wholly or in part in China’s Xinjiang Uyghur Autonomous Region are legally presumed to be made with forced labor and are barred from US entry.

To clear a detained shipment or proactively secure your US trade lanes, the burden of proof is entirely on you. You must provide "clear and convincing evidence" that your products do not contain any inputs from Xinjiang. This requires building a comprehensive, multi-tier UFLPA compliance statement and traceability file. Here is how to map your supply chain and satisfy US Customs.

The End of the PDF: Public Pages for Compliance

If your business still sends compliance documents as PDF attachments, you are operating a workflow that was designed for 1993. The attachment model — create, export, attach, send, receive, save, forget, scramble to find when the auditor asks — is the single largest source of compliance friction in global supply chains. And it is being replaced.

The replacement isn't a better PDF reader. It isn't a document management system. It's a fundamental architectural shift: from sending files to publishing pages. From attachments to permanent URLs. From "here's the certificate we sent you" to "scan this QR code — it's always current."

Packaging & Food Compliance: FSMA 204 & EU PPWR

For SMEs in the food, beverage, and consumer goods sectors, the product inside the box is only half the battle. In 2026, the box itself—and the data attached to it—is under extreme regulatory scrutiny.

Between the US FDA's FSMA 204 Traceability Rule and the EU Packaging and Packaging Waste Regulation (PPWR), companies are facing a tsunami of data requirements. If your operation still runs on spreadsheets and email, you are a massive liability to your retail partners.

PFAS-Free Declarations for Retail Buyers

If you supply consumer goods, apparel, cosmetics, or electronics to major retailers or online marketplaces, you have likely received a sudden, urgent request for a PFAS-Free Declaration.

Per- and polyfluoroalkyl substances (PFAS)—commonly dubbed "forever chemicals" due to their extreme persistence in the human body and environment—are facing an unprecedented wave of global regulation. In the United States, several states (including California, Maine, and Vermont) have enacted strict bans on intentionally added PFAS in consumer products.

Meanwhile, the European Union is evaluating a blanket restriction under REACH.

To protect themselves from immense liability and potential class-action lawsuits, retail giants (such as Amazon, Target, and Costco) are enforcing strict "flow-down" policies. If you cannot provide a valid, verifiable chemical compliance statement proving your products contain no intentionally added PFAS, your inventory will be immediately rejected and your vendor status terminated.

Here is how to audit your supply chain and draft a legally compliant PFAS-free declaration.

Recycled Content & Packaging: Plastic Taxes

For decades, packaging compliance was purely a weight-reporting exercise. Brands calculated the total kilograms of cardboard or plastic they placed on the market, paid a nominal fee to a national recycling scheme, and filed the paperwork away.

Today, packaging has become a high-risk tax liability. Governments worldwide are introducing aggressive plastic taxes and packaging regulations designed to force a shift toward circular economies.

In the UK, the Plastic Packaging Tax (PPT) levies a charge of over £210 per tonne on plastic packaging that does not contain at least 30% recycled plastic. Spain and Italy have enacted similar taxes, and the EU's sweeping Packaging and Packaging Waste Regulation (PPWR) will soon mandate strict recycled content targets, void-space limits, and material bans across all 27 Member States.

To avoid these heavy taxes, qualify for tax exemptions, and satisfy corporate retail buyers, you must be able to produce a verifiable Recycled Content & Packaging Data Declaration. Here is how to audit your packaging and declare compliance.

California Proposition 65 Compliance

If your business ships physical products to California, list items on Amazon US, or sells through major retail distributors, you are subject to one of the most litigious consumer laws in the United States: California Proposition 65 (Prop 65).

Officially known as the Safe Drinking Water and Toxic Enforcement Act of 1986, Prop 65 requires businesses to provide a "clear and reasonable" warning to California consumers before exposing them to any of over 900 naturally occurring or synthetic chemicals known to cause cancer, birth defects, or other reproductive harm.

What makes Prop 65 uniquely dangerous is its enforcement mechanism. Unlike most laws enforced by government agencies, Prop 65 allows private citizens and advocacy groups to sue businesses on behalf of the public—creating a lucrative industry for plaintiff attorneys operating on contingency fees.

In 2024 alone, businesses paid over $30 million in settlements to resolve private Prop 65 lawsuits. To protect your business from these "bounty-hunter" lawsuits, you must understand how to audit your products and apply compliant safe harbor warnings.