If your organization is not already preparing to comply with the Cyber Resilience Act (CRA), now is the time to begin. The CRA is an EU regulation, which means it applies directly and in the same way across all European Union (EU) member states. Its reach is not limited to EU companies, though: it will affect anyone placing products with digital elements on the European market, wherever they are based.
We ended our Summer of Software Regulations & Compliance webinar series with Eloise Ryon, Senior Manager of European and Digital Policy at Schneider Electric. Her discussion with Ilkka Turunen, Field CTO at Sonatype, covered some of the far-reaching impacts of the CRA and what it means for software development and the future of innovation.
As society becomes more connected and reliance on digital products grows, the CRA's goal is to raise the bar by defining essential cybersecurity requirements that products must meet before they reach the market.
Even though the industry is still waiting for the final text of the legislation, the expectation is that its obligations will apply from the end of 2027, so the preparation window is shorter than it looks.
One of its key provisions is that products with digital elements placed on the EU market will be required to carry a CE mark indicating compliance with the CRA's security requirements. Because obtaining and keeping that mark is a condition of doing business in the EU, it should catalyze organizations to do what they can now to ensure compliance and business continuity.
A key component is the requirement that manufacturers understand every component in their software supply chain, so that they can show they are not shipping products with known exploitable vulnerabilities. At the scale of modern dependency trees, this all but requires an automated approach to producing, maintaining and continuously checking software bills of materials (SBOMs).
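As an illustration of what "automated SBOM management" means in practice, here is a small, added example (it is not code from the webinar, from Sonatype or from Schneider Electric) that walks a CycloneDX-style SBOM, matches each component's package URL (purl) against an advisory list with affected version ranges, and separately reports components that cannot be assessed because they lack a version or purl. The SBOM, the package names and the advisory identifiers (EXAMPLE-ADV-001 and EXAMPLE-ADV-002) are all constructed for the example and do not describe real packages or real vulnerabilities.

```python
import json

# Constructed CycloneDX-style SBOM (illustrative only; not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http", "version": "1.3.0",
     "purl": "pkg:maven/com.example/acme-http@1.3.0"},
    {"type": "library", "name": "acme-json", "version": "2.0.5",
     "purl": "pkg:maven/com.example/acme-json@2.0.5"},
    {"type": "library", "name": "tiny-utils",
     "purl": "pkg:npm/tiny-utils"}
  ]
}"""

# Constructed advisory feed: hypothetical identifiers and affected ranges
# (introduced <= version < fixed), keyed by the version-less purl.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "purl": "pkg:maven/com.example/acme-http",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-002", "purl": "pkg:maven/com.example/acme-json",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(text):
    """Turn '1.4.2' into a tuple that compares numerically, so 1.10.0 > 1.9.3.
    Non-numeric pieces (e.g. '0-beta') sort before numeric ones."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in text.split("."))


def strip_version(purl):
    """'pkg:maven/g/a@1.2' -> 'pkg:maven/g/a' (the identity part only)."""
    return purl.split("@", 1)[0]


def load_components(sbom_json):
    """Return the component list of a CycloneDX JSON document."""
    return json.loads(sbom_json).get("components", [])


def find_incomplete(components):
    """Components that cannot be assessed: no version or no purl recorded.
    Under the CRA these are a gap in your evidence, not a clean result."""
    return [c.get("name", "?") for c in components
            if not c.get("purl") or not c.get("version")]


def find_vulnerable(components, advisories):
    """Match every versioned component against every advisory's purl and range."""
    findings = []
    for comp in components:
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # reported separately by find_incomplete()
        v = parse_version(version)
        for adv in advisories:
            if strip_version(purl) != adv["purl"]:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def assess(sbom_json, advisories=ADVISORIES):
    """Produce the two lists a release gate would block on."""
    comps = load_components(sbom_json)
    return {"vulnerable": find_vulnerable(comps, advisories),
            "incomplete": find_incomplete(comps)}


if __name__ == "__main__":
    report = assess(SBOM_JSON)
    for f in report["vulnerable"]:
        print(f"{f['component']}@{f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in report["incomplete"]:
        print(f"{name}: missing version or purl; cannot be assessed")
```

The point of the second list is easy to miss: a component with no version or purl produces no advisory match, which a naive scanner reports as "clean". Treating unassessable entries as a failure of the gate, rather than as an absence of findings, is what makes the SBOM usable as evidence rather than as a formality. In a real pipeline the constructed advisory list would be replaced by a vulnerability data source and the SBOM by the one generated at build time.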
These new requirements have raised concerns that innovation might suffer under the weight of more regulation. The reality is that the world's software supply chains are being targeted more and more frequently, and regulations like the CRA can raise the bar for cybersecurity standards across the whole industry rather than leaving it to the most diligent vendors.
You can watch Understanding the Cyber Resilience Act on demand now.