The Cyber Resilience Act (EU 2024/2847) enters progressively into force between 2025 and December 2027. By then, every product with digital elements (PDE) placed on the EU market must meet essential cybersecurity requirements. For a company that buys these products — especially if subject to NIS2 or DORA — the material breach clause in the supplier contract becomes a critical legal point. This article delivers a 2026 model clause and lists pitfalls to avoid.
Why this clause is central in 2026
Three forces converge:
- CRA Art. 13 requires manufacturers to provide free security updates for at least 5 years and to notify exploited vulnerabilities to ENISA and national CSIRTs within 24 h.
- NIS2 Art. 21 mandates supply chain control as a risk management measure for essential/important entities.
- DORA Art. 28-30 requires mandatory contract clauses for critical ICT providers, including termination for breach.
Without a clear material breach clause, you are caught between your regulator (who demands supplier risk management) and your supplier (who faces no explicit termination grounds). The clause is the legal lever that gives you that leverage.
Defining material breach
A material breach is an infringement serious enough to allow immediate termination of the contract without notice. For a digital product, six categories of material breach can be identified:
1. Critical vulnerability not patched
The supplier did not deliver a security patch within the contractual deadlines (typically 30 days for CVSS ≥ 7, 7 days for CVSS ≥ 9 with a public exploit).
2. Missed incident notification
The supplier did not notify, within 24 h, an actively exploited vulnerability affecting its product (Art. 14 CRA).
3. Early termination of security support
The supplier ceases to provide updates before the 5-year minimum set by the CRA.
4. Incomplete or undelivered SBOM
The supplier does not provide a Software Bill of Materials in CycloneDX or SPDX format, updated at every release. See our SBOM CycloneDX guide.
5. Missing or withdrawn CE marking
The CE marking certifying CRA compliance is absent at delivery or withdrawn post-sale.
6. Breach of essential security requirements
Discovery of backdoors, non-modifiable default passwords, missing or broken encryption, or unencrypted transmission of personal data — see CRA Annex I.
Material breach clause template (English + French)
⚠️ Disclaimer: indicative model. Have it validated by counsel before signing. Adapt it to the sector and the product's criticality.
Article X — Material Breach and Termination
X.1 The following constitute a "material breach" under this Agreement:
a) failure to deliver a security patch addressing a vulnerability with public exploitation potential (published Proof of Concept, sandbox exploit, or CISA KEV bulletin) within [7 / 14 / 30] days after an upstream fix is available (depending on CVSS score);
b) failure to notify the Customer of an actively exploited vulnerability affecting the delivered product within 24 hours of its discovery by the Supplier, in accordance with Article 14 of Regulation (EU) 2024/2847 (Cyber Resilience Act);
c) unilateral cessation of security updates before the five (5) year term referred to in Article 13 of said regulation, or the contractual term if longer;
d) delivery of any release without a Software Bill of Materials (SBOM) in CycloneDX 1.5+ or SPDX 2.3+ format, including SHA-256 component hashes;
e) withdrawal, absence or suspension of the CE marking / EU declaration of conformity under said regulation;
f) any substantial non-conformity with the essential requirements listed in Annex I of said regulation, established by independent testing or a notified body.
X.2 Upon material breach, the Customer may terminate this Agreement by operation of law, without notice or compensation, once a formal notice of [15] calendar days has remained without effect (except in the cases of X.1.a and X.1.b, where termination is immediate).
X.3 The Supplier undertakes to cooperate during a transition period of [3 / 6] months, providing data export, a full SBOM, and access to the source code escrow if applicable.
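As an added illustration (not part of the original article or of the ResiPlan clause library), the following Python check shows what the buyer side can automate for clause X.1.d: it verifies that a delivered CycloneDX JSON SBOM is at least spec version 1.5 and that every component carries a well-formed SHA-256 hash. The sample SBOM is constructed; an SPDX 2.3 document would need its own check.

```python
import json
import re

MIN_CYCLONEDX_VERSION = (1, 5)          # clause X.1.d: CycloneDX 1.5+
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample delivery: libfoo carries a SHA-256 hash, libbar only MD5,
# so this SBOM must fail the clause X.1.d check.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "libbar", "version": "0.9.3",
         "hashes": [{"alg": "MD5", "content": "b" * 32}]},
    ],
})


def _parse_version(spec):
    return tuple(int(p) for p in spec.split("."))


def check_sbom(text):
    """Return the list of clause X.1.d findings (empty list = compliant)."""
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    spec = str(bom.get("specVersion", "0"))
    try:
        if _parse_version(spec) < MIN_CYCLONEDX_VERSION:
            findings.append(f"specVersion {spec} is below 1.5")
    except ValueError:
        findings.append(f"specVersion {spec!r} is not parseable")
    components = bom.get("components", [])
    if not components:
        findings.append("SBOM lists no components")
    for comp in components:
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        sha256 = [h for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
        if not sha256:
            findings.append(f"{ident}: no SHA-256 hash")
        elif not all(SHA256_HEX.fullmatch(h.get("content", "")) for h in sha256):
            findings.append(f"{ident}: malformed SHA-256 hash")
    return findings


def sbom_meets_clause(text):
    return not check_sbom(text)
```

Run against each release's SBOM at delivery; a non-empty findings list is the evidence to attach to the formal notice under X.2.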
7 pitfalls to avoid
1. Defining "material" vaguely
"Any serious breach" is unusable. Explicitly list triggers (CVSS, deadlines, missing deliverables).
2. Forgetting NIS2/DORA alignment
If you are a NIS2 essential entity or DORA-regulated, your own failure to notify the regulator may stem from your supplier's failure. The clause must impose a mirrored notification obligation on the supplier, with deadlines that leave you enough time to comply.
3. Deadlines incompatible with the chain
If your regulator demands notification within 24 h (NIS2) and your supplier has 72 h under the contract, you will mathematically miss your own deadline.
4. No audit right
Without an audit right (Art. 30 DORA for financial entities), you cannot verify that the commitments made are actually kept.
5. No exit strategy
A termination clause is useless without an exit plan: data recovery, transition support, source code escrow. See DORA Art. 28(7)(j).
6. No financial mechanism
Liquidated damages or liability cap must be calibrated to product criticality. A toothless clause deters no one.
7. Forgetting territorial scope
CRA applies to any product placed on the EU market, regardless of supplier country. The clause must explicitly target the EU regulation, not a local equivalent.
Place in your compliance program
The material breach clause is one of the 8 mandatory clauses documented in CRA: 8 contract clauses. It works together with:
- Supplier cartography (CMDB)
- Criticality analysis (CIF DORA / NIS2 risk)
- Continuous SBOM tracking
- Exit plan
Start a free ResiPlan trial — CRA clause library ready to use.