The EU Cyber Resilience Act (CRA) is set to transform the landscape of cybersecurity compliance for manufacturers, developers, and supply chain providers across Europe—and its impact will be felt far beyond the EU’s borders. While the EU CRA won’t be fully enforced until 2027, the time for organizations to prepare is now. In a recent episode of “Exploited: The Cyber Truth,” RunSafe Security CEO Joseph M. Saunders broke down what the CRA means, who it affects, and why it’s a wake-up call for the entire technology ecosystem.
What Is the CRA and Who Does It Affect?
The EU Cyber Resilience Act originated from a European Commission proposal in 2022, underwent extensive review, and was approved in March 2024. The Act was published in November 2024, with phased requirements beginning in September 2026 (notably, incident and vulnerability reporting) and full compliance—including Software Bill of Materials (SBOM) mandates—by December 2027.
If you manufacture or sell cyber-enabled devices in the EU—think everything from baby monitors to smartwatches—you are likely subject to the CRA. There are some exceptions for industries already tightly regulated, such as automotive and aviation, but for most hardware and software products with digital components, the EU CRA will apply.
The Act is designed to address the growing security and privacy risks of connected devices, emphasizing not just critical infrastructure but also everyday consumer products.
Key Provisions: Lifecycle Security and SBOMs
One of the most significant aspects of the Cyber Resilience Act is its requirement for a “Secure by Design” approach. This means organizations must plan for, design, develop, and maintain secure products from inception through end-of-life. Security is no longer an afterthought, but must be embedded throughout the entire product lifecycle.
A central pillar of compliance is the Software Bill of Materials (SBOM). Much like a list of ingredients on food packaging, an SBOM details every component—especially third-party and open-source code—within a product. This transparency is crucial for identifying vulnerabilities and managing risk across complex supply chains.
“Software Bill of Materials is actually an essential point to help share across the ecosystem, across the value chain. It’s a new journey to elevate your security posture even higher by really knowing exactly what’s in all those components in your final product.” — Joseph M. Saunders
New Liabilities and the Cost of Non-Compliance
The CRA introduces substantial new liabilities for non-compliance, including fines of up to €10 million or 2.5% of global turnover. These penalties aim to ensure organizations take cybersecurity seriously. While some may view this as a burden, Saunders argues these “sticks” are necessary to promote best practices, improve code quality, and enhance organizational resilience.
How Are Organizations Preparing?
Forward-looking companies are already taking action to align with EU CRA requirements:
- Cross-functional planning: Security is being embedded across legal, development, marketing, and product teams.
- SBOM adoption: Organizations are building workflows to generate and update SBOMs throughout the lifecycle.
- Supply chain scrutiny: Greater transparency is being demanded from vendors and partners.
- Incident response readiness: Detection, reporting, and remediation capabilities are being strengthened.
The Role of Cyber Insurance in a Post-CRA World
Even with the best Secure by Design development practices in place, vulnerabilities will still surface. No software is flawless, and the complexity of modern digital ecosystems—particularly those reliant on third-party and open-source components—means that gaps in security are nearly unavoidable.
The EU Cyber Resilience Act (CRA) raises the stakes, holding manufacturers and developers accountable for the entire lifecycle of their products. This makes cyber insurance not just a smart investment but a strategic imperative.
“Cyber insurance for products is a great idea,” Saunders said, explaining that engineering processes can be set up to follow defined steps that reduce risk. If an organization can demonstrate that it is taking those steps to avoid an attack, an insurer can provide coverage.
As compliance obligations expand and the consequences of non-conformance grow more serious, organizations need robust risk transfer mechanisms to safeguard against the financial fallout of cyber incidents and regulatory breaches.
In the post-CRA environment, insurers may begin requiring evidence of strong cybersecurity hygiene—such as regular vulnerability assessments, real-time monitoring, SBOM documentation, and incident response readiness—as prerequisites for coverage or lower premiums. By combining proactive security practices with the safety net of cyber insurance, companies can create a more resilient posture while minimizing exposure to emerging risks.
Preparing to Compete in the Cyber Resilience Economy
The EU CRA signals a fundamental shift in how security is expected to be built, managed, and demonstrated across connected products. It’s a wake-up call for organizations that have deprioritized security in favor of speed or cost savings.
By embracing Secure by Design principles, adopting Software Bill of Materials (SBOM) practices, and building security into every stage of the product lifecycle, forward-thinking organizations can prepare for regulatory compliance and gain a competitive edge. These efforts increase stakeholder trust, improve software quality, and reduce time-to-remediate when issues arise.
Rather than a burden, the CRA should be seen as a blueprint for building trust in the digital age. Organizations that act now will not only avoid fines and reputational damage, they’ll also be better positioned to lead in a marketplace that increasingly rewards transparency, security, and resilience.