#supply-chain · 8sync News

EU Cyber Resilience Act (CRA): Overview

The EU Cyber Resilience Act (CRA), in force since December 2024, establishes the first horizontal cybersecurity baseline for all hardware and software products sold in Europe. Key obligations include mandatory machine-readable SBOMs in technical documentation, vulnerability and incident reporting to CSIRTs and ENISA (24-hour early warning, 72-hour full notification), and security-by-design requirements. Vulnerability reporting obligations kick in September 11, 2026 — retroactively covering products already on the EU market — while full enforcement including SBOM mandates and CE marking takes effect December 11, 2027. Container images distributed commercially into the EU qualify as products with digital elements, making manufacturers responsible for image hardening, SBOM generation, provenance attestations, and defined support periods. Non-compliance can result in fines up to €15 million or 2.5% of global annual turnover. Open-source software used outside commercial activity is exempt, but organizations distributing OSS commercially are classified as manufacturers. Docker Hardened Images and Docker Scout are presented as tools to help meet these requirements.

Gotion sues Michigan township over killed $2.4B battery plant

Gotion, a US subsidiary of Chinese battery maker Gotion High-Tech, is suing Green Charter Township in Michigan for at least $23 million in damages after residents recalled their town board and killed a $2.36 billion EV battery plant. The township, with only 3,000 residents, has already spent nearly $400,000 in legal fees and faces potential budget collapse. The case highlights a core tension in US industrial policy: Washington wants domestic battery and semiconductor factories to reduce reliance on China, but local communities are increasingly rejecting the plants. China controls 94% of global lithium iron phosphate battery production, making technology transfer from companies like Gotion critical for US supply chain independence. The dispute has become a political flashpoint, with Republican lawmakers framing it as 'CCP lawfare' and the case drawing national attention during the 2024 presidential campaign.

Economist Columnists Say U.S. Quantum Investments Show Promise — But Need Clearer Rules

An Economist opinion piece by Joshua Zoffer and Chris Miller argues quantum computing is one of the strongest cases for U.S. industrial policy due to its national-security implications and immature supply chain. The Trump administration's $2 billion investment across nine quantum companies — spanning multiple hardware architectures — is praised as a smart diversified bet. The authors warn, however, that broader federal equity investments across tech sectors need clearer guiding principles, suggesting warrants over direct equity stakes and emphasizing that intervention should be reserved for areas with genuine national-security needs that markets won't address alone.

How JFrog and NanoClaw are Bringing Software Supply Chain Security to the Age of Autonomous AI

JFrog has integrated with NanoCo AI's open-source agent framework NanoClaw to address a growing security gap: autonomous AI agents that self-extend by downloading packages, CLI tools, and MCP servers at runtime without human approval. The integration routes every agent dependency request through JFrog's registries, where JFrog Curation evaluates it against security policies in real time. If a compromised package is detected, it is blocked and the agent is automatically guided to a clean alternative via JFrog Catalog, enabling self-correction without halting the workflow. The JFrog AI Catalog also extends coverage to MCP servers and agent skills. The enterprise integration is available now, with community support planned. JFrog positions this as a unified platform approach covering packages, containers, and MCP assets under a single auditable policy layer.

Software Bill of Materials (SBOM) Explained

A comprehensive guide to Software Bills of Materials (SBOMs) covering what they contain, why they matter for supply chain security, and how to integrate them into container workflows. SBOMs are machine-readable inventories of every component in a software artifact, including transitive dependencies, licenses, and checksums. The guide explains the two dominant formats (SPDX and CycloneDX), how to generate SBOMs at build time using Docker BuildKit, how to pair them with provenance attestations and cryptographic signatures, and how to use them for continuous vulnerability monitoring and policy enforcement. It also addresses regulatory requirements (EO 14028, CISA, EU CRA), common misconceptions, and an SBOM maturity model to help teams assess their current posture.