EU Cyber Resilience Act reshapes software security requirements

Rule Changes

Mandatory vulnerability reporting, software bills of materials, and product liability for digital products

December 11th, 2027: Full CRA Compliance Required

Overview

For decades, software companies shipped code with security flaws and faced little legal consequence. On September 11, 2026, that changes for any product sold in Europe. The European Union's Cyber Resilience Act now requires manufacturers to report actively exploited vulnerabilities within 24 hours, maintain software bills of materials listing every component in their products, and provide security updates for the product's entire expected lifespan.

The law covers everything from smartphone apps to industrial control systems—any product with digital elements sold in the EU market. Companies face fines up to €15 million or 2.5% of global revenue for violations. Full compliance requirements take effect in December 2027, but the vulnerability reporting obligations that begin today signal the end of the software industry's immunity from product safety accountability.

Key Indicators

€15M: Maximum fine, or 2.5% of global annual turnover, whichever is higher.

24 hrs: Vulnerability reporting deadline. An early warning is required within 24 hours of discovering an actively exploited vulnerability.

90%: Products eligible for self-assessment. Only 'important' and 'critical' products require third-party conformity assessment.

$1.5B: SBOM tooling market. The software bill of materials market is experiencing rapid growth driven by regulatory mandates.

Timeline

September 2021 to December 2027: 13 events, latest December 11th, 2027 (showing 8 of 13, newest first).
  1. OpenSSF and Linux Foundation Launch CRA Initiative (Industry)
     The Open Source Security Foundation and Linux Foundation Europe launched a joint initiative to help open source maintainers and manufacturers prepare for CRA compliance.

  2. New Product Liability Directive Published (Legislative)
     The revised Product Liability Directive was published, explicitly including software as a 'product' subject to strict liability for defects, complementing CRA requirements.

  3. Council Adopts CRA (Legislative)
     The Council of the European Union formally adopted the Cyber Resilience Act, completing the legislative process.

  4. European Parliament Approves CRA (Legislative)
     The European Parliament formally approved the Cyber Resilience Act by a substantial majority, sending it to the Council for final adoption.

  5. Political Agreement Reached (Legislative)
     The European Parliament and Council reached political agreement on the CRA text, including exemptions for non-commercial open source development and refined product categorizations.

  6. Commission Publishes CRA Proposal (Legislative)
     The European Commission formally proposed the Cyber Resilience Act, introducing mandatory cybersecurity requirements for products with digital elements sold in the EU market.

  7. Public Consultation Opens (Consultation)
     The European Commission launched a public consultation to gather input from industry, civil society, and member states on the proposed regulation.

  8. von der Leyen Announces CRA in State of the Union (Announcement)
     European Commission President Ursula von der Leyen first announced plans for a Cyber Resilience Act in her State of the Union address, citing the need for EU-wide cybersecurity standards for connected products.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

April 2016 - May 2018

General Data Protection Regulation (GDPR) (2016-2018)

The EU adopted the GDPR in April 2016 with a two-year transition period before enforcement began in May 2018. The regulation established comprehensive data protection requirements with fines up to €20 million or 4% of global revenue. Companies worldwide scrambled to comply, and the regulation reshaped global privacy practices.

Then

Initial enforcement was gradual, with regulators issuing guidance and warnings before major fines. Many organizations remained non-compliant past the deadline.

Now

GDPR became the global standard for privacy regulation, with California, Brazil, and other jurisdictions adopting similar frameworks. Companies now routinely apply GDPR standards worldwide rather than maintaining separate systems.

Why this matters now

The CRA follows GDPR's regulatory model: a transition period, substantial fines, and extraterritorial reach. Industry expects similar dynamics—initial compliance gaps, gradual enforcement escalation, and eventual global adoption as manufacturers prefer uniform standards over regional fragmentation.

May 2021

US Executive Order 14028 on Improving the Nation's Cybersecurity (2021)

President Biden issued Executive Order 14028 requiring software vendors selling to the federal government to provide SBOMs, attest to secure development practices, and meet NIST security standards. The order created new supply chain security requirements for the $90 billion federal software market.

Then

Federal agencies began requiring SBOMs in procurement contracts. The SBOM tooling market grew rapidly as vendors scrambled to comply.

Now

EO 14028 established SBOM as a mainstream security requirement and drove adoption of SPDX and CycloneDX formats. It created the foundation for EU-US regulatory alignment on software supply chain transparency.

Why this matters now

The US executive order and EU CRA represent converging regulatory approaches to software supply chain security. Both require SBOMs in machine-readable formats, creating pressure for global standardization and demonstrating that software transparency requirements are becoming baseline expectations in major markets.

December 2020

SolarWinds Supply Chain Attack (2020)

Russian intelligence operatives compromised SolarWinds' software build system, inserting malware into updates distributed to 18,000 customers including US government agencies and major corporations. The attack remained undetected for months and exposed the vulnerability of software supply chains.

Then

Emergency incident response across thousands of organizations. Congressional hearings and executive branch reviews of federal cybersecurity.

Now

The attack directly motivated EO 14028 and accelerated EU work on the CRA. It transformed software supply chain security from a niche concern into a board-level and regulatory priority.

Why this matters now

The SolarWinds attack demonstrated why regulators consider software supply chain transparency essential. The CRA's SBOM requirements and vulnerability reporting obligations directly address the blind spots that allowed the attack to succeed and spread undetected.