
EU Cyber Resilience Act

What is the EU Cyber Resilience Act (CRA) and who must comply?

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU regulation that establishes mandatory cybersecurity requirements for "products with digital elements" placed on the EU market: hardware and software products, together with the remote data processing they depend on, that can connect directly or indirectly to another device or network.

Who must comply:

  • Manufacturers of software products (applications, firmware, operating systems, libraries, SDKs) placed on the EU market in the course of a commercial activity
  • Manufacturers of hardware products with digital elements, including connected and IoT devices
  • Providers of remote data processing (cloud back-ends) only to the extent that a product's functions depend on it; stand-alone cloud services and SaaS are regulated under NIS2, not the CRA
  • Importers and distributors who place such products on the EU market, with lighter obligations than manufacturers
  • Any organization worldwide that places software or connected devices on the EU market

Open-source software developed or supplied outside a commercial activity is out of scope, and open-source software stewards (for example foundations that support the development of an open-source product) have a lighter regime than manufacturers. A company that ships a commercial product built on open source is, however, the manufacturer of that product and carries the full obligations.

The CRA applies regardless of where your company is headquartered: if you place digital products on the EU market, you must comply. The regulation entered into force on 10 December 2024. Reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining obligations apply from 11 December 2027. Fines for breaching the essential cybersecurity requirements run up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, with lower tiers for other infringements.

What are Software Bills of Materials (SBOMs) and why are they required for CRA compliance?

An SBOM is a machine-readable inventory of the software components, libraries and dependencies in a product, each identified by name and version (in practice by a package URL, or purl). The CRA's vulnerability-handling requirements (Annex I, Part II) oblige manufacturers to identify and document the vulnerabilities and components in their products, including by drawing up an SBOM in a commonly used, machine-readable format that covers at the very least the product's top-level dependencies. The SBOM forms part of the technical documentation and must be supplied to market surveillance authorities on request; the CRA does not require it to be published.

Key SBOM requirements for CRA:

  • Component inventory: the legal minimum is the top-level (direct) dependencies, but generate the full graph including transitive dependencies, since that is where most vulnerabilities are found and it is what vulnerability matching needs
  • Machine-readable format: the CRA names no format; SPDX and CycloneDX are the commonly used ones, and both carry the package identifiers (purls) that tooling uses for matching
  • Generated per build, not hand-maintained: an SBOM describes one specific version of a product, so every release and security update needs its own, produced by the build pipeline
  • Vulnerability status per component: the CRA requires you to identify and remediate vulnerabilities in the listed components throughout the support period; track exploitability and patch status alongside the SBOM (VEX statements are the usual vehicle) rather than rewriting the inventory
  • Continuous matching against vulnerability databases, so that a vulnerability published after release in a shipped component is detected and handled

SBOMs let you answer "which of our shipped products and versions contain this component?" in minutes when a new vulnerability is published, which is what the CRA's vulnerability-handling and reporting deadlines assume (an early warning to the designated CSIRT and ENISA within 24 hours of becoming aware of an actively exploited vulnerability, a notification within 72 hours, and a final report within 14 days). They also support supply chain risk assessment and give market surveillance authorities the evidence they need to verify your vulnerability handling.
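The following added example (written for this page; it is not Kusari's or any vendor's code) shows the mechanics behind the points above: it parses a CycloneDX JSON SBOM, derives from the dependency graph which components are top-level and which are transitive, matches component purls against a vulnerability list, and returns a release-gate decision that a CI policy step could enforce. The SBOM, the package names and the vulnerability records are constructed for the example and are not real packages or advisories; the VULN-nnnn identifiers are placeholders, not CVEs.

```python
"""Parse a CycloneDX JSON SBOM, classify components as direct or transitive
from the dependency graph, match purls against a vulnerability list and
produce a release-gate decision. All data below is constructed for the
example; packages, versions and vulnerability ids are not real."""
import json
from collections import deque

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CycloneDX 1.5 document for a hypothetical service "shop-api".
# "leftover" is listed as a component but has no edge in the dependency
# graph, a common defect in generated SBOMs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app@3.4.0", "type": "application",
                               "name": "shop-api", "version": "3.4.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframe@2.1.0", "type": "library", "name": "webframe",
         "version": "2.1.0", "purl": "pkg:pypi/webframe@2.1.0"},
        {"bom-ref": "pkg:pypi/jsontool@0.9.0", "type": "library", "name": "jsontool",
         "version": "0.9.0", "purl": "pkg:pypi/jsontool@0.9.0"},
        {"bom-ref": "pkg:pypi/tmplengine@1.0.3", "type": "library", "name": "tmplengine",
         "version": "1.0.3", "purl": "pkg:pypi/tmplengine@1.0.3"},
        {"bom-ref": "pkg:pypi/leftover@0.1.0", "type": "library", "name": "leftover",
         "version": "0.1.0", "purl": "pkg:pypi/leftover@0.1.0"},
    ],
    "dependencies": [
        {"ref": "app@3.4.0", "dependsOn": ["pkg:pypi/webframe@2.1.0", "pkg:pypi/jsontool@0.9.0"]},
        {"ref": "pkg:pypi/webframe@2.1.0", "dependsOn": ["pkg:pypi/tmplengine@1.0.3"]},
        {"ref": "pkg:pypi/jsontool@0.9.0", "dependsOn": []},
        {"ref": "pkg:pypi/tmplengine@1.0.3", "dependsOn": []},
    ],
})

# Constructed vulnerability feed keyed by purl (placeholder ids, not CVEs).
# VULN-0003 affects an older webframe release and must not match.
SAMPLE_FEED = [
    {"id": "VULN-0001", "purl": "pkg:pypi/tmplengine@1.0.3", "severity": "high", "fixed_in": "1.0.4"},
    {"id": "VULN-0002", "purl": "pkg:pypi/jsontool@0.9.0", "severity": "low", "fixed_in": "0.9.1"},
    {"id": "VULN-0003", "purl": "pkg:pypi/webframe@1.9.0", "severity": "critical", "fixed_in": "2.0.0"},
]


def normalize_purl(purl):
    """Drop qualifiers (?...) and subpath (#...) so equivalent purls compare equal."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def load_sbom(text):
    """Accept JSON text (or an already-parsed dict) and check it is a CycloneDX BOM."""
    sbom = json.loads(text) if isinstance(text, str) else text
    if sbom.get("bomFormat") != "CycloneDX" or "components" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def dependency_depths(sbom):
    """BFS the dependency graph from the root (metadata.component). Depth 1 is a
    direct/top-level dependency, >1 transitive, None means listed but unreachable,
    which hides whether the component is top-level (the CRA's minimum scope)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return {c["bom-ref"]: depths.get(c["bom-ref"]) for c in sbom["components"]}


def match_vulnerabilities(sbom, feed):
    """Exact purl match of every component against the feed; returns findings with depth."""
    index = {}
    for v in feed:
        index.setdefault(normalize_purl(v["purl"]), []).append(v)
    depths = dependency_depths(sbom)
    findings = []
    for c in sbom["components"]:
        purl = c.get("purl")
        if not purl:
            continue  # no identifier to match on; reported as a quality gap by the gate
        for v in index.get(normalize_purl(purl), []):
            findings.append({"id": v["id"], "purl": purl, "severity": v["severity"],
                             "fixed_in": v.get("fixed_in"), "depth": depths[c["bom-ref"]]})
    return findings


def release_decision(sbom, feed, block_at="high"):
    """Return (allowed, reasons). Blocks on findings at or above block_at and on SBOM
    quality gaps: components without a purl or unreachable from the root."""
    reasons = []
    depths = dependency_depths(sbom)
    for c in sbom["components"]:
        if not c.get("purl"):
            reasons.append(f"component {c['name']} has no purl and cannot be matched")
        if depths[c["bom-ref"]] is None:
            reasons.append(f"{c['bom-ref']} is not reachable from the root: dependency graph incomplete")
    for f in match_vulnerabilities(sbom, feed):
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[block_at]:
            kind = "direct" if f["depth"] == 1 else "transitive"
            reasons.append(f"{f['id']} in {kind} dependency {f['purl']} "
                           f"({f['severity']}, fixed in {f['fixed_in']})")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, reasons = release_decision(load_sbom(SAMPLE_SBOM), SAMPLE_FEED)
    print("ALLOW" if allowed else "BLOCK")
    for r in reasons:
        print(" -", r)
```

Run as-is it blocks the constructed release for two reasons: the high-severity finding in a transitive dependency (the kind a top-level-only SBOM would never surface) and the component that is not connected to the dependency graph. In a real pipeline the feed would come from a vulnerability database query keyed by purl and the matched findings would be recorded with VEX status before the gate is re-run.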

How should organizations prepare their software development lifecycle (SDLC) for CRA compliance?

The CRA expects products to be secure by design and by default (the essential requirements in Annex I, Part I) and vulnerabilities to be handled throughout the support period (Annex I, Part II). That means security controls integrated across the whole SDLC and evidenced by records, not bolt-on scanning before release.

Essential SDLC preparations:

  • Secure development practices: run automated security testing (SAST, DAST, SCA against the generated SBOM) in CI/CD, with failing checks blocking the merge or build rather than only producing reports
  • Policy enforcement: sign build artifacts and attach their SBOM and provenance as attestations, and enforce admission control (binary authorization) so that unsigned artifacts, or artifacts whose attestations fail policy, cannot be deployed
  • Continuous monitoring: match shipped SBOMs against vulnerability databases for the whole support period, and have an incident response process that can meet the CRA's 24-hour early-warning deadline for actively exploited vulnerabilities
  • Documentation and audit trails: keep the technical documentation, risk assessment, conformity assessment evidence (self-assessment for most products; stricter procedures, including third-party assessment, for the "important" and "critical" product classes) and the EU declaration of conformity current, and retain records of security decisions and vulnerability handling
  • Cross-functional governance: align development, security, legal and compliance teams on who owns product classification, conformity assessment, vulnerability reporting and the support period commitment
