{"id":8162,"date":"2026-05-15T09:01:00","date_gmt":"2026-05-15T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8162"},"modified":"2026-05-15T09:01:00","modified_gmt":"2026-05-15T09:01:00","slug":"eus-cyber-resiliency-act-will-put-it-leaders-to-the-test","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8162","title":{"rendered":"EU\u2019s Cyber Resiliency Act will put IT leaders to the test"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Unlike most cyber security regulations, the EU\u2019s <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cyber-resilience-act\">Cyber Resilience Act<\/a> is about product safety rather than processes or certification, extending the CE mark from the physical side of products to software, firmware, backend services, and anything with a network connection. It encodes existing best practices, enforces minimum product support lifecycles, and could mean developing stronger relationships with open source projects your organization relies on. 
And it comes with a deadline: by September 11 this year, you need to have vulnerability and incident reporting processes in place.<\/p>\n<p>Even for organizations already using software bills of materials (SBOMs), the new CRA obligations to report an actively exploited vulnerability in a product within 24 hours, and to deliver a full report within three days, may prove hard to meet.<\/p>\n<p>Although nearly everyone in SaaS alternative Cloudsmith\u2019s recent <a href=\"https:\/\/cloudsmith.com\/campaigns\/2026-artifact-management-report\">Artifact Management Report<\/a> generates SBOMs, only a quarter do that automatically rather than manually or on demand. Over half said a comprehensive report would need significant time and effort, while fewer than a third were very confident they could pass the kind of unexpected software supply chain audit the CRA\u2019s spot checks will require.<\/p>\n<p>\u201cA lot of organizations weren\u2019t doing software supply chain best practices,\u201d says Alison Sickelka, VP of product at Cloudsmith. \u201cAnd that\u2019s reflected in people having to scramble to figure out how they\u2019re going to generate SBOMs, do reporting, and have all that in place in time.\u201d Sometimes seen as a burden slowing down software development, SBOMs and auditability are now necessities, she adds.<\/p>\n<p>For a lot of CIOs, though, the CRA isn\u2019t even on their radar. 
\u201cThey may think it\u2019s almost a tick box exercise,\u201d says Oli Venn, engineering manager at security vendor WatchGuard, rather than a broad regulation with aggressive reporting requirements covering the entire product lifecycle from planning and design, to support and maintenance.<\/p>\n<p>\u201cIf you\u2019re any kind of vendor, or you\u2019re manufacturing or supplying any digital system, whether it\u2019s smart thermostats, coffee machines or anything else that can be connected to the internet or a network, that falls into regulation,\u201d he adds. \u201cIf you\u2019ve got developers and consumers using that in any way, then you fall into scope for the CRA.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Spheres of influence<\/h2>\n<p>The CRA applies to software and devices like mobile phones, embedded operating systems, databases, games, network equipment, IoT devices, and even tickets delivered through an app. However, it doesn\u2019t apply to non-commercial open source, but open source foundations have some obligations. And if your product includes open source elements, you\u2019re responsible for making sure they\u2019re compliant. <a href=\"https:\/\/www.cio.com\/article\/4146669\/is-ai-the-end-of-saas-as-we-know-it.html?utm=hybrid_search\">Pure SaaS<\/a> isn\u2019t covered but client software, appliances, or devices that use SaaS as a backend are.<\/p>\n<p>\u201cThe CRA includes backend components, what we call remote data processing solutions, if you have a server side to your product,\u201d says Daniel Ehrenberg, a standards engineer on ETSI\u2019s Cyber EUSR committee.<\/p>\n<p>Products already on sale in the EU don\u2019t have to fully comply with the CRA, unless they get significantly updated, though companies still have to report incidents and vulnerabilities. Yet the act recognizes it may not be possible to address them. 
Otherwise, the only products exempt are those already covered by more <a href=\"https:\/\/www.cio.com\/article\/4072396\/coming-ai-regulations-have-it-leaders-worried-about-hefty-compliance-fines.html?utm=hybrid_search\">stringent regulations<\/a> in sectors like automotive and medical.<\/p>\n<h2 class=\"wp-block-heading\">Product safety<\/h2>\n<p>The CRA says digital products have to be secure by design and default, and can\u2019t ship with known vulnerabilities like obvious default passwords that can be exploited. They also must be updatable if such vulnerabilities are found later, as well as minimize their impact by limiting the attack surface and protecting confidentiality and integrity with encryption and reduced data collection. That amounts to a mandate that commercial software must handle them well, explains Ehrenberg, with an effective process to take bug reports.<\/p>\n<p>\u201cThere\u2019s been a lot of hope that somehow this won\u2019t happen, but it\u2019ll be a wake-up call to consider all the requirements, starting with a risk assessment,\u201d he says. \u201cWhen you\u2019re putting a product on the market, you have to do an assessment of the cyber security risks, and have a continuous audit to know what your live dependencies are so you can evaluate whether you need them updated.\u201d<\/p>\n<p>That includes <a href=\"https:\/\/www.cio.com\/article\/4160884\/you-selected-the-right-vendors-now-govern-them-like-you-mean-it.html?utm=hybrid_search\">components from vendors<\/a>. \u201cBe sure they\u2019re staying compliant and reporting any security vulnerabilities,\u201d Venn says. The SBOM requirements are sensible rather than onerous, adds Nigel Douglas, head of developer relations for Cloudsmith. \u201cDo you have visibility into package names and IDs so you can tell if the version in your software supply chain and the code base that users are consuming and paying for carry potentially malicious code that\u2019s going to affect them,\u201d he says. 
\u201cThe main thing is being able to prove you can quickly respond to an incident.\u201d<\/p>\n<p>For open source, it also means assessing projects you rely on. \u201cThe CRA mandates knowing about and understanding project health and making informed, intelligent decisions about open source projects you use,\u201d notes Kubernetes steering committee member Kat Cosgrove. Organizations that discover and fix vulnerabilities in open source projects will be required to contribute that upstream, Venn points out. \u201cThey can no longer just be consumers of these technologies,\u201d he says. \u201cIf they want to use it, they have to be a part of the community.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Not like the others<\/h2>\n<p>Unlike traditional cybersecurity regulations, the CRA focuses not on software development practices and certifications, which Ehrenberg warns may not map to the new requirements, but on the product being sold. \u201cDid you achieve a product that minimizes the <a href=\"https:\/\/www.cio.com\/article\/4162306\/data-debt-ai-value-killer.html?utm=hybrid_search\">amount of data<\/a> that\u2019s being processed in order to reduce risks related to data if it\u2019s not properly managed?\u201d he asks. \u201cAre you protecting data as it\u2019s at risk and in transit?\u201d<\/p>\n<p>CIOs need to consider the products their organization sells in a top-down way, looking at how they meet security requirements rather than whether the way they\u2019re built checks all the boxes. \u201cIt\u2019s a shift in responsibility,\u201d he adds. \u201cYou\u2019re responsible for the final product, not just making sure the steps were correct.\u201d<\/p>\n<p>Requirements also mandate product support, updates, and lifecycles, in most cases for a minimum of five years of free security updates, all of which go in a declaration of conformity digital products will require from December 2027. 
The declaration and documentation will need to stay available for 10 years after the product goes on sale, but the SBOM doesn\u2019t need to be public, just available to the market surveillance authorities when they ask for it.<\/p>\n<h2 class=\"wp-block-heading\">Standards in practice<\/h2>\n<p>Different classes of products attract different levels of scrutiny. Most digital products get default regulation under horizontal standards for cybersecurity and vulnerability handling that are already available in draft form from European standardization organizations.<\/p>\n<p>But important products, including identity management systems, web browsers, password managers, VPNs, and internet access routers, as well as critical products such as hypervisors, PKI infrastructure, hardware security modules, and industrial firewalls, will require more stringent conformity assessments.<\/p>\n<p>These are covered by vertical standards being developed to analyze specific risks, which list potential mitigations like writing a web browser in a memory-safe language. \u201cThe CRA doesn\u2019t require you to transition to memory safe languages, nor move off COBOL or anything like that,\u201d Ehrenberg says.<\/p>\n<h2 class=\"wp-block-heading\">Timelines and fines<\/h2>\n<p>As a regulation rather than a directive, the CRA applies without individual European countries passing new laws, and the mechanisms for it to be administered are being set up this summer. \u201cThe market surveillance authorities are coming online with their ability to review and approve things, then the individual conformity assessment bodies come online,\u201d Ehrenberg says. 
The European Union Agency for Cybersecurity (ENISA) will run the single platform for reporting actively exploited vulnerabilities and incidents.<\/p>\n<p>Although the CRA applies fully from 11 December 2027, enforcement will come in gradually and will depend on the technical capacity of the market surveillance authorities, says Ehrenberg. They can insist products be made compliant, restrict their sale, or have them withdrawn or even recalled, as well as levy fines of up to \u20ac15 million or 2.5 % of turnover.<\/p>\n<p>\u201cThere are probably going to be court battles in the future to interpret this,\u201d Ehrenberg says, as aspects have already been criticized for being too vague and weak. But organizations relying on limited enforcement are missing an opportunity to improve their products and their own security.<\/p>\n<h2 class=\"wp-block-heading\">Simply better security<\/h2>\n<p>With the rise of supply chain attacks, CRA mandates will provide real security benefits by forcing enterprises to track their open source usage and notify end users of issues promptly, says Neil Levine, SVP of products at cybersecurity vendor Anchore. He suggests adopting SBOMs by September to help you comply with reporting requirements, rather than waiting until the 2027 deadline.<\/p>\n<p>Savvy CIOs can also use this as an opportunity to get the resources to deliver improvements. \u201cMost CIOs would want to do these things anyway but just don\u2019t have the bandwidth,\u201d says Venn. \u201cSo this is probably a tool for them to go to the board and say they need the budget and the time.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Unlike most cyber security regulations, the EU\u2019s Cyber Resilience Act is about product safety rather than processes or certification, extending the CE mark from the physical side of products to software, firmware, backend services, and anything with a network connection. 
It encodes existing best practices, enforces minimum product support lifecycles, and could mean developing stronger [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8163,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8162","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8162"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8162"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8162\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8163"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}