What Is the Cyber Resilience Act?

The Cyber Resilience Act, often referred to as the CRA, is a European Union regulation designed to establish mandatory cybersecurity requirements for hardware and software products. Formally proposed by the European Commission on September 15, 2022, the regulation entered into force on December 10, 2024. Reporting obligations begin in September 2026, and full compliance is required from December 2027.

The CRA targets "products with digital elements", which includes any software or device that connects to a network or the internet (e.g., to check for updates or licenses).

The act fills a critical regulatory gap by shifting responsibility for cybersecurity from users to manufacturers. It establishes a risk‑based approach, under which most products can rely on self‑assessment. In contrast, critical and important products—such as browsers, password managers, and industrial automation systems—must undergo stricter third‑party certification.

Unlike previous voluntary guidelines, the CRA introduces a binding framework that ensures security is prioritized throughout the entire lifecycle. The regulation is a central part of the broader EU Cybersecurity Strategy, aimed at protecting consumers and professional users from digital threats.

Who Is Impacted by CRA?

The scope of the CRA covers all products with networking software, i.e., it is not restricted to a certain domain in the way ISO 21434 is restricted to automotive. For development tools like compilers or static analysis tools, the main question is: does the tool have a network connection (e.g., to check for updates or licenses)? If so, it might be exposed to cyber-security attacks over the network. Open‑source software is excluded from the CRA. However, commercial software that includes open‑source components must ensure CRA compliance.

The degree to which products are impacted depends on their criticality. The following classes are defined in the CRA:

  • (Most) critical products, e.g., smartcards

  • Important products, Class II, e.g., firewalls and secure hypervisors

  • Important products, Class I, e.g., VPN and anti-virus products

  • Normal software: any other product with non-free software

All products with software (including the normal software) must follow the EU CRA. There are only three exceptions:

  1. Stand-alone open-source software

  2. Products without any network connection

  3. Products introduced prior to the CRA where the new version has no major change regarding network connectivity.

In the last case, however, the product owner must still establish reporting of security incidents in compliance with Article 14 of the EU CRA.

How Does the Cyber Resilience Act Impact Software Developers and Manufacturers?

Manufacturers and developers must now integrate security-by-design and security-by-default principles into their development processes. This means that cybersecurity is no longer an afterthought added at the end of production; it must be a fundamental requirement from the initial planning phase.

Under the CRA, manufacturers are obligated to document and address all known vulnerabilities and provide regular security updates for a product’s expected lifetime or a minimum of five years. This shift requires a rigorous systematic evaluation of the software supply chain, ensuring that every library or third-party component used in a product meets the same high standards of integrity.

The CRA, unlike many other safety standards, does not differentiate software into new software, re‑used software, and development tools, but requires the same rigor for all software (except open‑source software).

What Are the Main Criticisms of the Cyber Resilience Act?

Despite its goals, the CRA has faced significant pushback from the software community and industry experts. One major concern involves the impact on open-source software. Critics argue that the broad definitions in the act could hold individual developers or non-profit foundations liable for security flaws in free software, which might discourage innovation and collaboration. There are also worries that the requirement to report unpatched vulnerabilities within 24 hours could help hackers by creating a database of known weaknesses before a fix is ready.

Additionally, many small and medium-sized businesses fear the high cost of compliance. The need for third-party testing and extensive documentation can be a heavy financial burden for smaller companies. Some experts also point out that the regulation might lead to a fragmented market if international manufacturers decide the cost of entering the European market is too high. These critics suggest that while the intent of the CRA is good, the practical implementation could lead to unintended consequences for the digital economy.

Which Industries Must Prepare for the Cyber Resilience Act Most Urgently?

While the Cyber Resilience Act affects almost all digital products sold in the EU, industries involved in safety-critical systems must act with the most urgency. The automotive, aerospace, robotics, and medical device sectors are particularly affected because their products often have long lifecycles and high stakes for human safety.

Validas has defined a process to classify incidents in standard software such as common tools and libraries. The process also includes reporting to the European single reporting platform, which must be used starting September 11th, 2026. It is fully compliant with all obligations of Article 14 of the EU CRA. With this process, Validas can support all providers—not only tool and library providers—with unchanged software products to ensure compliance with the EU CRA.

Validas is currently extending the process to cover newly developed standard software, enabling all software developers to benefit from the Validas compliance guarantee and the V&V checklists that document adherence to the EU CRA.

Validas ensures that the software components within the digital product meet the rigorous integrity levels required by both functional safety and the new Cyber Resilience Act mandates.

The path to CRA compliance starts with simple reporting for unchanged tools, giving you time to secure your systems for future versions. Book a call to see our ten‑question compliance check in action.

Dr. Oscar Slotosch
Co-Founder and Executive Board Member of Validas
