What is the Cyber Resilience Act?
What does the Cyber Resilience Act mean for companies developing software products? The new EU regulatory framework sets clearer requirements for cybersecurity in products with digital elements, from development and documentation to updates and long-term maintenance. In this article, we look at what the Cyber Resilience Act is, which businesses are affected and why it is smart to start preparing well in advance.
CRA: the EU's new regulatory framework
The Cyber Resilience Act (CRA) is the new EU framework for cybersecurity in products with digital elements. It covers hardware and software placed on the EU market whose intended or reasonably foreseeable use includes a direct or indirect data connection to another device or network, which in practice means almost anything that can be connected, updated or handle data. It aims to raise the baseline level of security, reduce the number of vulnerabilities and ensure that products are secure both when they are launched and throughout their support period.
For companies developing electronic products with software, this is a regulatory framework that cannot be ignored. The EU Cyber Resilience Act affects not only how products are developed, but also how security is documented, maintained and monitored over time. For many development companies, it therefore becomes an issue that touches on development, product liability and the business itself.
Why the EU has introduced the Cyber Resilience Act
Many digital products have been on the market for a long time with poor security, unclear information and weak support for security updates. The EU wants to change this by setting clearer requirements for manufacturers and other actors in the supply chain. The idea is that security should not be 'added on' afterwards, but built in from the start.
It also lets users and purchasers better judge whether a product actually meets a reasonable level of security. In practice, the aim is both to reduce risk and to make the market more transparent.
In short, the Cyber Resilience Act means that:
- Manufacturers must build in cybersecurity from the start
- Products must be able to be updated and maintained safely during their lifecycle
- Vulnerabilities must be addressed and in some cases reported
- Some product categories (the 'important' and 'critical' products listed in the regulation) must be assessed by an independent notified body before being sold
- Products that fulfil the requirements receive the CE marking, which signals conformity with the CRA
The aim is to make it easier for consumers and businesses to choose safer digital products and reduce the risks of cyber threats.
What is covered by the CRA framework?
The Cyber Resilience Act applies to products with digital elements. This can range from software and connected devices to more advanced solutions in industry, medtech, automotive systems or other types of embedded systems. If a product contains digital functionality and can be affected by cybersecurity risks, it is likely to be relevant in this context.
For Codiax's target groups, it is particularly relevant because many products are based on Linux-based systems, Embedded Linux and various types of proprietary software. Here it quickly becomes clear that the CRA is not just a legal issue, but something that affects the entire product development process. Understanding the Cyber Resilience Act is therefore not just about interpreting the regulation, but about understanding what it means in practice for the development teams that build and maintain products.
What does the Cyber Resilience Act mean in practice?
In practice this means that, under the Cyber Resilience Act, security must be built in early in the development process. Manufacturers need to work in a more structured way with risk assessments, security requirements, technical documentation and vulnerability management. It is not enough that a product works technically. It must also be possible to prove that the product has been developed with cybersecurity in mind.
Products covered by the regulation must fulfil the essential cybersecurity requirements set out in its Annex I, and some product categories are subject to more stringent conformity assessment procedures before they can be sold on the EU market. Products that fulfil the requirements must be CE marked.
What does it mean for developing companies?
For development organisations, this often means that working practices, documentation and responsibilities need to be clarified. This is especially true in environments that combine many components, such as FOSS, Linux deployments, BSP customisations and third-party dependencies, where the manufacturer must be able to show what is in the product and who is responsible for keeping each part patched. This follows directly from how the CRA describes lifecycle responsibilities and documentation requirements.
Security becomes part of the lifecycle
The CRA is not just about the launch of a product. It also sets requirements for how vulnerabilities are handled during the support period, making security work an ongoing part of product responsibility.
Which companies are affected?
The main obligations lie with the manufacturer, i.e. the actor that places the product on the market under its own name or trademark. Importers and distributors also have obligations under the regulation, mainly to verify that the manufacturer has met its own. The CRA thus moves responsibility from the development team alone to the company's management. For companies developing electronic products with software, this is particularly important. Many such products rely on complex Linux systems, open source, update management and long-term maintenance. The EU Cyber Resilience Act therefore becomes relevant long before a product reaches the market.
How are open source and Linux-based systems affected?
For many companies, this is a key issue. A large proportion of today's products are based entirely or partly on open source code, and the CRA has therefore received a lot of attention in the open source world. The basic principle is that free and open source software is not treated in the same way in all situations: what matters is how it is made available and in what context it is used. Open source developed and supplied outside a commercial activity is out of scope, and non-profit 'open-source software stewards' carry a lighter set of obligations, but a manufacturer that integrates open source components into a commercial product carries the full set of obligations for that product.
For companies building products on top of FOSS, Embedded Linux or other Linux-based systems, this means that it is not enough to rely on a component being widely used and freely available. The finished product still needs to fulfil the relevant requirements, and the manufacturer is the one who has to show that it does.
CVE management becomes even more important
For development companies, it is therefore important to have control over which components are shipped, which known CVEs affect them, how updates reach devices in the field and how all of this is documented. This is where Codiax's expertise in embedded Linux and CVE management becomes particularly relevant in practice.
When will the Cyber Resilience Act apply?
The regulation entered into force on 10 December 2024, but the main obligations apply from 11 December 2027. Some elements apply earlier: the obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026.
This means that organisations should not wait until 2027 to start preparing. For many organisations, the work may need to start much earlier, especially if processes for vulnerability management, documentation or product maintenance are not already in place.
What are the reporting requirements?
As of 11 September 2026, manufacturers must report actively exploited vulnerabilities in their products and severe incidents affecting the security of their products. Reports are submitted through the single reporting platform operated by ENISA, with the relevant national CSIRT and ENISA as recipients, and follow fixed deadlines: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for an exploited vulnerability (once a fix or mitigation is available) or within one month for an incident.
Processes need to be in place on time
This requires companies to be able to actually detect, assess and fix vulnerabilities in time. The essential requirements include that products:
- are delivered without known exploitable vulnerabilities and with a secure-by-default configuration
- can receive security updates, where applicable automatically, for the whole support period
- protect the confidentiality and integrity of data and the availability of essential functions
- limit their attack surface and the impact of an incident
- are backed by a documented vulnerability handling process, including an SBOM of at least the top-level dependencies, security testing, a coordinated vulnerability disclosure policy and a contact address for reporting vulnerabilities
For companies working with long product lifecycles and complex Linux systems, it is therefore particularly important to have both the technical dependencies and the internal processes in order.
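The two passages above (CVE management for shipped components, and an SBOM as the basis of vulnerability handling) describe a process without showing it. The following is an added example written for this page, not code from Codiax or from the CRA itself. It parses a constructed CycloneDX-style SBOM for a hypothetical embedded Linux image, matches each component against a constructed advisory feed with OSV-style "introduced"/"fixed" version ranges, and produces the remediation list that an update flow would start from. Component names, versions and the EXAMPLE-* advisory identifiers are all made up for illustration; the version comparison is a deliberate simplification (no epochs, no pre-release tags) and is noted as such in the code.

```python
"""SBOM-to-advisory matching: the first step of a CVE management process.

Added example for illustration. The SBOM, the advisory feed and the
EXAMPLE-* identifiers are constructed, not real products or CVEs.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical embedded Linux image.
# The last component deliberately has no version: an incomplete SBOM is a
# common real-world failure mode and must be surfaced, not silently skipped.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "busybox", "version": "1.36.0",
     "purl": "pkg:generic/busybox@1.36.0"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "application", "name": "vendor-daemon",
     "purl": "pkg:generic/vendor-daemon"}
  ]
}
"""

# Constructed advisory feed. Ranges follow the OSV convention: a version is
# affected if introduced <= version < fixed. The IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "busybox", "introduced": "1.30.0", "fixed": "1.36.1"},
    {"id": "EXAMPLE-0002", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.13"},
    {"id": "EXAMPLE-0003", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0004", "package": "vendor-daemon", "introduced": "0", "fixed": "2.0.0"},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: Optional[str]
    advisory: str
    status: str          # "affected" or "unknown-version"
    fixed_in: str        # the version the update flow should move to


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric-only comparison key, padded to four fields.

    Simplification: ignores epochs, pre-release tags and distro revisions,
    so "1.36.0-2" sorts as (1, 36, 0, 2). Good enough for upstream versions.
    """
    parts = [int(x) for x in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def parse_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (name, version) from a package URL; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    name_part, _, version = body.partition("@")
    return name_part.rsplit("/", 1)[-1], (version or None)


def load_components(sbom_json: str) -> List[Tuple[str, Optional[str]]]:
    """Flatten the SBOM to (name, version) pairs, preferring the purl when present."""
    bom = json.loads(sbom_json)
    out = []
    for comp in bom.get("components", []):
        if "purl" in comp:
            out.append(parse_purl(comp["purl"]))
        else:
            out.append((comp["name"], comp.get("version")))
    return out


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match(components, advisories) -> List[Finding]:
    """Cross the component list with the feed; unknown versions are flagged, not ignored."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["package"] != name:
                continue
            if version is None:
                findings.append(Finding(name, None, adv["id"], "unknown-version", adv["fixed"]))
            elif is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(name, version, adv["id"], "affected", adv["fixed"]))
    return findings


def remediation_plan(findings: List[Finding]) -> List[str]:
    """One action line per finding, the input to an update/patch workflow."""
    return [
        f"{f.component}: {f.advisory} -> "
        + (f"update {f.version} to >= {f.fixed_in}" if f.status == "affected"
           else f"version missing from SBOM, cannot assess (fixed in {f.fixed_in})")
        for f in findings
    ]


if __name__ == "__main__":
    for line in remediation_plan(match(load_components(SBOM_JSON), ADVISORIES)):
        print(line)
```

Two points worth noting for real use. First, the matcher reports the versionless component rather than dropping it: an SBOM that cannot be assessed is itself a documentation gap that the CRA's vulnerability handling requirements would expose. Second, version-range matching against upstream numbers overstates exposure for distribution packages that backport fixes without bumping the upstream version (a Debian or Yocto package named 1.36.0 may already contain the fix), so the result of this step is a worklist to triage, not a final verdict.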
A requirement - but also an opportunity
Companies that have good control over their Linux systems, dependencies and CVE management are often better equipped when customers start to ask for more detailed security, documentation and compliance requirements. In this way, CRA can become both a requirement and an opportunity.
Get help with work and processes affected by the Cyber Resilience Act
Not sure how the Cyber Resilience Act affects your product or development process? Don't wait until September 2026!
Codiax helps companies that build products with software to gain better structure, control and confidence in the work ahead.
Frequently asked questions about the Cyber Resilience Act
- Which businesses are affected by the EU Cyber Resilience Act?
- Why is CRA important for development companies?
- Does the Cyber Resilience Act also apply to software?
- Does the Cyber Resilience Act only apply to IoT products?
- Is open source exempt from the CRA?
- When will the Cyber Resilience Act apply in the EU?
- Why is the Cyber Resilience Act important?