Should "CRA supply chain element" PDEs be submitted for compliance?

[MikeCamel]

The creation of a PDE includes a supply chain, which typically contains many elements. In the case of software-based (or "software-heavy") PDEs, many of these elements are themselves software: SBOM builders, build systems, IDEs, dependency/license-checkers, static analysis tools, fuzzers, etc.

• Is there a place to be encouraging the manufacturers of these products (with the assistance of the stewards of the projects that lie behind them, as relevant) to be submitting these for compliance?
• Should they constitute a separate class of "important" PDEs or sit within one of the classes already listed within CRA Annex III?
• If they fall under CRA (91), is self-compliance sufficient? (Note discussion Greater clarity on CRA (91) required #11)
• This group has a workstream (technology and tools) which is likely to include many PDEs of this type: where does this fit into their work? Or does it fall within the standardisation workstream?

[MikeCamel]

Note - renamed this discussion for clarity.

[oej]

That's interesting - there's an obligation to report incidents affecting the build system to ENISA. That implies that you have control over it and likely the way for that is to have an SBOM.