EU Cyber Resilience Act reshapes software security requirements

Rule Changes
By Newzino Staff

Mandatory vulnerability reporting, software bills of materials, and product liability for digital products

December 11th, 2027: Full CRA Compliance Required

Overview

For decades, software companies shipped code with security flaws and faced little legal consequence. On September 11, 2026, that changes for any product sold in Europe. The European Union's Cyber Resilience Act now requires manufacturers to report actively exploited vulnerabilities within 24 hours, maintain software bills of materials listing every component in their products, and provide security updates for the product's entire expected lifespan.

The law covers everything from smartphone apps to industrial control systems—any product with digital elements sold in the EU market. Companies face fines up to €15 million or 2.5% of global revenue for violations. Full compliance requirements take effect in December 2027, but the vulnerability reporting obligations that begin today signal the end of the software industry's immunity from product safety accountability.

Key Indicators

  1. €15M: maximum fine, or 2.5% of global annual turnover, whichever is higher.

  2. 24 hrs: vulnerability reporting deadline. An early warning is required within 24 hours of discovering an actively exploited vulnerability.

  3. 90%: share of products eligible for self-assessment. Only 'important' and 'critical' products require third-party conformity assessment.

  4. $1.5B: SBOM tooling market. The software bill of materials market is growing rapidly, driven by regulatory mandates.


People Involved

Thierry Breton
Former European Commissioner for Internal Market (2019-2024); departed the European Commission in September 2024
Juhan Lepassaar
Executive Director, European Union Agency for Cybersecurity (ENISA); leading ENISA's CRA implementation efforts

Organizations Involved

European Commission
EU Executive Body
Status: Implementing CRA through delegated and implementing acts

The executive branch of the European Union, responsible for proposing legislation and implementing decisions.

European Union Agency for Cybersecurity (ENISA)
EU Agency
Status: Operating Single Reporting Platform from September 2026

The EU agency dedicated to achieving a high common level of cybersecurity across Europe.

Open Source Security Foundation (OpenSSF)
Industry Foundation
Status: Providing guidance and training for open source compliance

A cross-industry collaboration to improve the security of open source software.

Timeline

  1. Full CRA Compliance Required

    Enforcement

    All essential cybersecurity requirements take effect. Products with digital elements must meet security-by-design standards, provide SBOMs, and maintain security updates throughout their expected lifespan.

  2. Product Liability Directive Applies

    Legal

    Member states must have transposed the new Product Liability Directive, making software manufacturers strictly liable for defective products including security flaws.

  3. Vulnerability Reporting Obligations Begin

    Enforcement

    Manufacturers must now report actively exploited vulnerabilities within 24 hours and severe security incidents within 72 hours through ENISA's Single Reporting Platform. These obligations apply to all products already on the EU market.

  4. Notified Body Framework Takes Effect

    Legal

    The legal framework for notification of conformity assessment bodies became applicable, enabling third-party certification for important and critical products.

  5. OpenSSF and Linux Foundation Launch CRA Initiative

    Industry

    The Open Source Security Foundation and Linux Foundation Europe launched a joint initiative to help open source maintainers and manufacturers prepare for CRA compliance.

  6. CRA Enters Into Force

    Legal

    The Cyber Resilience Act officially entered into force, beginning the transition period for manufacturers to achieve compliance.

  7. New Product Liability Directive Published

    Legislative

    The revised Product Liability Directive was published, explicitly including software as a 'product' subject to strict liability for defects, complementing CRA requirements.

  8. Council Adopts CRA

    Legislative

    The Council of the European Union formally adopted the Cyber Resilience Act, completing the legislative process.

  9. European Parliament Approves CRA

    Legislative

    The European Parliament formally approved the Cyber Resilience Act by a substantial majority, sending it to the Council for final adoption.

  10. Political Agreement Reached

    Legislative

    The European Parliament and Council reached political agreement on the CRA text, including exemptions for non-commercial open source development and refined product categorizations.

  11. Commission Publishes CRA Proposal

    Legislative

    The European Commission formally proposed the Cyber Resilience Act, introducing mandatory cybersecurity requirements for products with digital elements sold in the EU market.

  12. Public Consultation Opens

    Consultation

    The European Commission launched a public consultation to gather input from industry, civil society, and member states on the proposed regulation.

  13. von der Leyen Announces CRA in State of the Union

    Announcement

    European Commission President Ursula von der Leyen first announced plans for a Cyber Resilience Act in her State of the Union address, citing the need for EU-wide cybersecurity standards for connected products.

Scenarios

  1. CRA Becomes Global De Facto Standard

Discussed by: Industry analysts at Gartner, legal firms including Hogan Lovells and White & Case

Major manufacturers adopt CRA requirements globally rather than maintaining separate product lines, similar to how GDPR shaped global privacy practices. US Executive Order 14028 already requires SBOMs for federal contractors, and alignment between EU and US standards accelerates worldwide adoption. By 2028, CRA compliance becomes a competitive advantage and procurement requirement even outside Europe.

  2. Compliance Bottleneck Delays Enforcement

Discussed by: Linux Foundation research reports, industry surveys on CRA readiness

Most manufacturers are unprepared for September 2026 obligations. Linux Foundation surveys show wide knowledge gaps among affected companies. Insufficient conformity assessment bodies and unclear technical standards create a compliance backlog. The Commission extends grace periods or issues limited enforcement guidance while industry catches up, similar to early GDPR implementation.

  3. Open Source Ecosystem Fragments

Discussed by: OpenSSF, Eclipse Foundation, open source advocacy groups

Despite exemptions for non-commercial open source, the compliance burden on commercial users creates friction. Some open source projects add restrictive licenses or geo-blocking for EU users. Manufacturers struggle to obtain compliance attestations from upstream maintainers. The ecosystem bifurcates between CRA-compliant and non-compliant software supply chains.

  4. SBOM Tooling Market Consolidation

Discussed by: VDC Research, Gartner, industry analysts covering software composition analysis

The CRA's SBOM mandate accelerates market growth but also consolidation. Major platform vendors acquire specialized SBOM and software composition analysis companies. A few dominant platforms emerge as the standard for CRA compliance, integrating vulnerability tracking, reporting automation, and audit preparation. The market reaches $3 billion by 2028.

Historical Context

General Data Protection Regulation (GDPR) (2016-2018)

April 2016 - May 2018

What Happened

The EU adopted the GDPR in April 2016 with a two-year transition period before enforcement began in May 2018. The regulation established comprehensive data protection requirements with fines up to €20 million or 4% of global revenue. Companies worldwide scrambled to comply, and the regulation reshaped global privacy practices.

Outcome

Short Term

Initial enforcement was gradual, with regulators issuing guidance and warnings before major fines. Many organizations remained non-compliant past the deadline.

Long Term

GDPR became the global standard for privacy regulation, with California, Brazil, and other jurisdictions adopting similar frameworks. Companies now routinely apply GDPR standards worldwide rather than maintaining separate systems.

Why It's Relevant Today

The CRA follows GDPR's regulatory model: a transition period, substantial fines, and extraterritorial reach. Industry expects similar dynamics—initial compliance gaps, gradual enforcement escalation, and eventual global adoption as manufacturers prefer uniform standards over regional fragmentation.

US Executive Order 14028 on Improving the Nation's Cybersecurity (2021)

May 2021

What Happened

President Biden issued Executive Order 14028 requiring software vendors selling to the federal government to provide SBOMs, attest to secure development practices, and meet NIST security standards. The order created new supply chain security requirements for the $90 billion federal software market.

Outcome

Short Term

Federal agencies began requiring SBOMs in procurement contracts. SBOM tooling market grew rapidly as vendors scrambled to comply.

Long Term

EO 14028 established SBOM as a mainstream security requirement and drove adoption of SPDX and CycloneDX formats. It created the foundation for EU-US regulatory alignment on software supply chain transparency.

Why It's Relevant Today

The US executive order and EU CRA represent converging regulatory approaches to software supply chain security. Both require SBOMs in machine-readable formats, creating pressure for global standardization and demonstrating that software transparency requirements are becoming baseline expectations in major markets.

SolarWinds Supply Chain Attack (2020)

December 2020

What Happened

Russian intelligence operatives compromised SolarWinds' software build system, inserting malware into updates distributed to 18,000 customers including US government agencies and major corporations. The attack remained undetected for months and exposed the vulnerability of software supply chains.

Outcome

Short Term

Emergency incident response across thousands of organizations. Congressional hearings and executive branch reviews of federal cybersecurity.

Long Term

Directly motivated EO 14028 and accelerated EU work on the CRA. Transformed software supply chain security from a niche concern to a board-level and regulatory priority.

Why It's Relevant Today

The SolarWinds attack demonstrated why regulators consider software supply chain transparency essential. The CRA's SBOM requirements and vulnerability reporting obligations directly address the blind spots that allowed the attack to succeed and spread undetected.
