KEV (Known Exploited Vulnerabilities) - Potential Format (BCP-07)

Indeed. At least for the contractual requirement, the KEV format (BCP-07) can be used to inform customers (even if the KEV is not disclosed outside the customer-vendor relationship). I suppose some extension in the KEV assertion can indeed be added.

By the way, I did a quick mapping of CRA obligations and how GCVE can support it at the following location:

If you have any feedback or updates, feel free. Thank you!