Product Software Security for CRA Readiness
RunSafe’s Approach to Vulnerability Risk and Lifecycle Security
As products have become increasingly software-driven and connected, vulnerabilities in embedded and third-party software introduce real security risk. Manufacturers must maintain continuous visibility into all software inside their products, understand their vulnerability exposure, and manage cybersecurity risk across the entire product lifecycle. This shift requires more automated processes and tooling to track software, assess risk, and maintain security after a product is released. Further, RunSafe protects at runtime against the exploitation of vulnerabilities even when a patch is not applied, dramatically reducing liability exposure.
New European Union Requirements
To address rising cybersecurity risks in connected devices, the European Union introduced the Cyber Resilience Act (CRA), establishing mandatory security requirements for products sold in the EU market. The regulation applies to products with digital elements — software such as embedded firmware, operating systems, applications, and third-party libraries. Manufacturers are expected to demonstrate:
- Visibility into software components
- Understanding of vulnerability exposure
- Risk-based remediation decisions
- Ongoing security management across the product lifecycle
“From our perspective, adding RunSafe means we have more opportunity to shrink the attack surface and reduce overall risks for our customers since security is now already built into our product.”
How RunSafe Supports CRA Readiness
RunSafe helps manufacturers close the operational gaps introduced by the CRA by providing the software visibility, risk clarity, and lifecycle security oversight required to demonstrate secure product development and ongoing vulnerability management.
Software Transparency
Knowing exactly what software is inside shipped products
- Automated build-time SBOM generation for firmware and software
- Full software inventory across firmware, operating systems, applications, and libraries
- Complete dependency tree visibility including third-party and open-source components
Vulnerability and Risk
Understanding which vulnerabilities actually create real risk
- Maps CVEs directly to software components identified in the SBOM
- Determines whether vulnerabilities are actually exploitable in the product or only a theoretical risk
- Provides residual risk analysis to guide patch, mitigate, or monitor decisions
Product Lifecycle Visibility
Maintaining cybersecurity visibility throughout the product lifecycle
- Continuous SBOM generation tied to product builds to ensure accuracy
- Ongoing vulnerability monitoring against shipped product versions
- Options to make vulnerabilities non-exploitable when patches are delayed or unavailable
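The CVE-to-SBOM mapping, exploitability-based residual risk decisions, and ongoing monitoring of shipped versions described above can be illustrated with a small script. The following is an added example and is not RunSafe's code: the SBOM components, the vulnerability feed (placeholder CVE ids, not real advisories), the affected version ranges, and the VEX-style per-build analysis flags are all constructed inline, and the "mitigated" flag stands in for an assumed runtime protection covering the vulnerable code.

```python
"""Toy CVE-to-SBOM matcher with a patch / mitigate / monitor decision per finding.

Added example, not RunSafe code. Every record below is constructed for illustration.
"""

# Constructed SBOM: CycloneDX-like component records identified by package URL (purl).
SBOM = [
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"},
]

# Constructed vulnerability feed. CVE ids are placeholders, not real advisories.
# Each record names the affected package and a half-open affected range [introduced, fixed).
VULN_FEED = [
    {"id": "CVE-0000-0001", "name": "openssl", "introduced": "1.1.0", "fixed": "1.1.1l"},
    {"id": "CVE-0000-0002", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.13"},
    {"id": "CVE-0000-0003", "name": "busybox", "introduced": "1.30.0", "fixed": "1.36.1"},
    {"id": "CVE-0000-0004", "name": "zlib", "introduced": "1.2.12", "fixed": "1.3.0"},
]

# Constructed VEX-style analysis for this product build: is the vulnerable code path
# reachable, and does an (assumed) runtime mitigation already cover it?
ANALYSIS = {
    "CVE-0000-0001": {"reachable": True, "mitigated": False},
    "CVE-0000-0003": {"reachable": True, "mitigated": True},
}


def parse_version(version):
    """Split a dotted version into a comparable tuple; a letter suffix sorts after the number."""
    parts = []
    for part in version.split("."):
        number = part.rstrip("abcdefghijklmnopqrstuvwxyz")
        suffix = part[len(number):]
        parts.append((int(number) if number else 0, suffix))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open affected range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_cves(sbom, feed):
    """Map each feed record onto the SBOM component it affects, by name and version range."""
    matches = []
    for component in sbom:
        for vuln in feed:
            if vuln["name"] == component["name"] and is_affected(
                component["version"], vuln["introduced"], vuln["fixed"]
            ):
                matches.append((component["purl"], vuln["id"]))
    return matches


def residual_risk(cve_id, analysis):
    """Turn a matched CVE plus its exploitability analysis into a remediation decision."""
    entry = analysis.get(cve_id)
    if entry is None:
        return "monitor"        # no exploitability analysis yet: keep tracking it
    if not entry["reachable"]:
        return "not_affected"   # vulnerable code is not reachable in this build
    if entry["mitigated"]:
        return "mitigated"      # reachable, but covered by a runtime protection
    return "patch"              # reachable and unprotected: fix this one first


def assess(sbom, feed, analysis):
    """Residual-risk decision for every CVE that maps onto a shipped component."""
    return {cve: residual_risk(cve, analysis) for _, cve in match_cves(sbom, feed)}


def new_findings(previous, current):
    """Diff two assessments of the same shipped build: CVEs that appeared or changed status."""
    return {cve: status for cve, status in current.items() if previous.get(cve) != status}


if __name__ == "__main__":
    today = assess(SBOM, VULN_FEED, ANALYSIS)
    print(today)
    # Re-run against a newer feed and compare with the last stored result to see what changed.
    print(new_findings({"CVE-0000-0001": "patch"}, today))
```

Re-running `assess` on each build and diffing against the stored result with `new_findings` is the "ongoing monitoring against shipped product versions" step: a new feed entry shows up as `monitor` until an exploitability analysis moves it to `patch`, `mitigated`, or `not_affected`. Note the fixed-version boundary: zlib 1.2.13 is not matched by a record whose fix landed in 1.2.13, because the affected range is half-open.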
A Stronger Cybersecurity Position
RunSafe provides technical evidence and reporting that supports the documentation elements listed below.
| Component | Supported by RunSafe |
|---|---|
| Cybersecurity Risk Assessment Report | ✓ |
| Secure Development Lifecycle Documentation | ✓ |
| Software Bill of Materials (SBOM) | ✓ |
| Vulnerability Management & Monitoring Plan | ✓ |
| Incident Response & Regulatory Reporting Procedure | ✓ |
| Supply Chain Due Diligence Records | ✓ |
| Security Update & Support Policy | ** |
| EU Declaration of Conformity & CE Marking File | ✓ |
** Subject to RunSafe customers’ practice
Why RunSafe?
RunSafe helps manufacturers provide clear visibility into the software inside their products and understand which vulnerabilities create real risk. By delivering continuous insight into software components, vulnerability exposure, and product lifecycle security, RunSafe enables manufacturers to demonstrate secure product development and maintain the cybersecurity assurance required under the CRA.