CRA and friends: EU product, service and software regulation

Learn about the EU Cyber Resilience Act's impact on software products, including compliance requirements, open source exemptions, and new security obligations for manufacturers.

Key takeaways
  • The EU Cyber Resilience Act (CRA) applies to products with digital elements, including standalone software, but exempts free and open source software that is not made available on the market in the course of a commercial activity

  • Manufacturers have key obligations under CRA including:

    • Providing security updates for a support period that reflects the expected lifetime of the product (at least 5 years unless the product is expected to be used for less), with each security update kept available for at least 10 years after the product is placed on the market or for the remainder of the support period, whichever is longer
    • Conducting and documenting a cybersecurity risk assessment for the product
    • Implementing vulnerability handling processes, including a coordinated vulnerability disclosure (CVD) policy and a contact address for reporting vulnerabilities
    • Keeping technical documentation and making it available to market surveillance authorities on request
  • The “open source software steward” is a new role for legal persons, such as foundations, that provide sustained support for open source software intended for commercial use; stewards carry lighter obligations than manufacturers, centred on a cybersecurity policy for the project and cooperation with market surveillance authorities

  • Simply publishing open source code on platforms like GitHub does not constitute “placing on the market”; CRA obligations attach only when the software is supplied in the course of a commercial activity, for example as part of a paid product or service

  • Self-assessment of conformity is the default route for most software products under CRA; “important” products (Class I and Class II) and “critical” products face stricter conformity assessment requirements, up to mandatory third-party assessment or certification

  • The regulation introduces CE marking for products with digital elements placed on the EU market, including standalone software

  • Market surveillance authorities apply a lighter-touch regime to open source software and its stewards than to manufacturers of commercial products

  • The CRA’s reporting obligations for actively exploited vulnerabilities and severe incidents apply 21 months after entry into force (11 September 2026); the remaining obligations apply in full after 36 months (11 December 2027)

  • Manufacturers must produce a Software Bill of Materials (SBOM) covering at least the product’s top-level dependencies as part of the technical documentation; it is made available to market surveillance authorities on request and does not need to be public

  • The regulation aims to establish a security baseline for products sold in the EU while minimizing the impact on open source development models