
Cyber Resilience Act: Security Requirements in Development

Submitted by Style Pass, 2024-11-21 16:00:06

On October 10th, 2024, the Council of the EU gave final approval to the Cyber Resilience Act (CRA), following the European Parliament's vote earlier in the year, making binding security requirements for products with digital elements EU law. The act gives manufacturers 36 months from its entry into force to achieve full compliance (December 2027). However, the vulnerability and incident reporting obligations of Article 14 apply earlier, 21 months after entry into force (September 2026).

The regulation applies to "products with digital elements": hardware or software products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. This definition goes well beyond typical desktop software and covers IoT devices, web applications, server infrastructure, and containerized services distributed through software supply chains.

Virtually all products placed on the EU market that contain digital components or connect to a network fall under the scope of the CRA, with only sectoral carve-outs for products already regulated elsewhere (for example medical devices and vehicles). The clock is running: there are under 2 years to fulfil the first reporting requirements and less than 3 years to achieve full compliance.

Non-compliance with the essential requirements carries administrative fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. The regulation applies to every company placing products on the EU market, regardless of where that company is based. What is interesting is the shift in liability: responsibility for a product's security now sits explicitly with the manufacturer rather than with the user who deploys it. This shift also raises the prospect of personal accountability for corporate leaders when a security incident occurs and, depending on the impact of a breach, of class action lawsuits following it.
