Navigating the EU Cyber Resilience Act


Authored by Fred Bals, Corey Hamilton

Jul 17, 2025 / 7 min read

The European Union (EU) has taken a significant step towards enhancing cybersecurity with the introduction of the Cyber Resilience Act (CRA). This legislation aims to ensure that all digital products and their associated services are secure and resilient against cyber threats. As the CRA is set to impose stringent requirements on manufacturers and suppliers, software organizations must prepare to meet these new standards. This blog post will provide an overview of the EU Cyber Resilience Act, offer tips for compliance, and highlight how Black Duck Software's products and services can help organizations prepare for the expected requirements.


The CRA: What it is, and what it does

The CRA establishes a new baseline of cybersecurity for products with digital elements sold within the European Union. Its core objectives are to

  • Ensure manufacturers embed security into products with digital elements from the very beginning of the design and development phase, and maintain this security throughout the product’s entire life cycle
  • Establish a coherent cybersecurity framework across the EU, simplifying compliance for producers of both hardware and software
  • Enhance the transparency of the security features and properties of digital products, empowering businesses and consumers to make more-informed choices
  • Enable businesses and consumers to use these digital products securely, armed with better information and more resilient technology

The phrase “products with digital elements” (PDEs) encompasses a spectrum of items, from Internet of Things (IoT) devices like smart home appliances and wearables to traditional software such as operating systems, applications, firmware, and even individual hardware and software components.

The inclusion of “remote data processing solutions” in the definition is noteworthy, as it extends the CRA’s reach to cloud services that are integral to a physical product’s functionality, even if standalone software-as-a-service products are generally excluded. Many modern IoT devices, for example, rely on back-end cloud services for features like data storage, analytics, or remote control. If these back-end services are essential to the PDE’s operation and security, they fall within the CRA’s scope.

Learn more about the CRA and other key regulations with our guide, "Key Regulations Shaping Software Supply Chain Security and the Role of SCA"

The CRA’s scope and impact

Manufacturers have the most significant responsibilities. A manufacturer is defined as the entity responsible for designing, developing, or producing PDEs, or having these products marketed under their name or trademark. Manufacturer obligations include

  • Ensuring PDEs meet the essential cybersecurity requirements and conducting thorough cybersecurity risk assessments
  • Performing conformity assessments to demonstrate compliance
  • Drawing up detailed technical documentation, which must include a Software Bill of Materials (SBOM)
  • Implementing robust vulnerability handling processes throughout the product’s life cycle, including providing timely security updates

These obligations apply to manufacturers irrespective of their geographical location if their products are sold or made available within the European Union.

Importers have distinct obligations under the CRA, which include

  • Ensuring that the manufacturer has carried out the appropriate conformity assessment procedures
  • Verifying that the product bears the CE marking (“conformité Européenne,” meaning “European conformity”) and is accompanied by the required documents as determined by the member state concerned
  • Ensuring their own name and contact information are indicated on the product
  • Informing the manufacturer and authorities if they identify a cybersecurity risk associated with a product they have placed on the market


Distributors also have specific duties, including

  • Acting with due care in relation to the requirements of the CRA
  • Verifying that the product bears the CE marking and is accompanied by the required documents as determined by the member state concerned
  • Informing the manufacturer or importer and authorities if they identify a cybersecurity risk associated with a product

Key provisions of the CRA

The CRA has five major facets:

Security by Design

Manufacturers must ensure that products are designed with security in mind from the outset. This includes implementing robust security features and conducting regular security assessments.

Vulnerability Management

Organizations must have processes in place to identify, report, and address vulnerabilities in their products. This includes maintaining a vulnerability disclosure policy and providing timely updates and patches. 

Transparency and Documentation

Manufacturers must provide clear and detailed documentation about the security features and vulnerabilities of their products. This documentation should be accessible to consumers and regulatory authorities.

Post-Market Surveillance

Organizations must monitor their products for security issues even after they have been released to the market. This includes conducting regular security audits and responding to any reported vulnerabilities. 

Penalties for Non-Compliance

The CRA includes significant penalties for non-compliance, including fines and the potential for product recalls.

Preparing for the EU Cyber Resilience Act

1. Understand the Requirements

The first step in preparing for the CRA is to thoroughly understand the requirements. This includes

Reading the legislation: Organizations should ensure that they are familiar with the full text of the CRA and any accompanying guidelines or regulations.

Consulting experts: Organizations should ensure that their legal and cybersecurity teams have a comprehensive understanding of the requirements.

Staying informed: Organizations should keep up with any changes or updates to the CRA, as some details may still be undefined or subject to change.


2. Conduct a Security Assessment

Conduct a thorough security assessment of organizational processes to identify any gaps. This assessment should cover

Product design: Evaluate security features and design principles.

Development practices: Review development processes to ensure they align with security best practices.

Vulnerability management: Assess processes for identifying, reporting, and addressing software vulnerabilities.

Documentation: Ensure that there is clear and detailed documentation about the security features and vulnerabilities of products.

 
3. Implement Security by Design

Adopt a secure-by-design approach to ensure that security is integrated into every stage of the product life cycle. This includes

Secure software development practices: Implement secure coding practices and use tools to identify and mitigate code vulnerabilities before they go into production.

Regular security testing: Conduct regular security testing, including penetration testing.

Security training: Provide ongoing security training for development and operations teams.


4. Establish a Vulnerability Management Program

Develop a robust vulnerability management program to identify and address vulnerabilities in your software. This program should include

Patch management: Implement a process for developing and distributing security patches and updates.

Incident response plan: Develop an incident response plan to quickly and effectively respond to security incidents.

Vulnerability disclosure policy: Create a clear and accessible vulnerability disclosure system such as a “bug bounty” program that rewards researchers for finding software flaws.


5. Ensure Transparency and Documentation

Provide clear and detailed documentation about the security features of your products. This documentation should be accessible to consumers and regulatory authorities. Consider

User manuals: Include security information in user manuals and product documentation.

Online resources: Provide online resources, such as security advisories and FAQs, to keep consumers informed.

Regulatory compliance: Ensure that your documentation meets the requirements of the CRA and other relevant regulations.


6. Implement Post-Market Surveillance

Monitor your products for security issues even after they have been released to the market. This includes

Regular security audits: Conduct regular security audits to identify and address any new vulnerabilities.

Consumer feedback: Encourage consumers to report security issues and provide a clear and accessible process for doing so.

Continuous improvement: Use feedback and audit results to continuously improve product security.

 
7. Stay Compliant with Ongoing Requirements

The CRA includes ongoing requirements for compliance, such as regular security assessments and updates. Tools to help you to stay compliant include

Compliance management system: Implement a compliance management system to track and manage compliance efforts.

Regular training: Provide regular training on the requirements of the CRA and best practices for cybersecurity.

Third-party audits: Consider third-party audits to ensure that your products and processes meet the requirements of the CRA.

How to achieve EU CRA compliance

Manufacturers’ CRA obligations are extensive, spanning the entire product life cycle from initial design to post-market surveillance and end-of-life considerations. The CRA requirements make solutions like Black Duck® SCA and Coverity® Static Analysis indispensable for performing due diligence. The CRA’s mandate for products to be delivered with “no known exploitable vulnerabilities” necessitates that manufacturers implement robust prerelease scanning processes. To confidently attest to this state, organizations must systematically scan all software components, both open source and proprietary, using up-to-date vulnerability databases and advanced analysis tools.

How Black Duck solutions support CRA compliance

Automated discovery and inventory

Black Duck SCA automates the discovery and inventory of open source and third-party components in an organization’s codebase. This is crucial for ensuring that all components are identified and managed, which helps organizations adhere to the documentation requirement of the CRA.

License compliance

Black Duck also identifies open source licenses, so organizations can be sure they comply with license requirements. This helps reduce the risk of legal issues and ensures that all components are used in a compliant manner. 

Vulnerability management

Black Duck uses vulnerability data found in the National Vulnerability Database to identify known software vulnerabilities in open source and third-party components. It provides detailed reports and recommendations for addressing these vulnerabilities, helping organizations prepare for the vulnerability management requirements of the CRA. 

Dependency analysis

Black Duck provides a detailed view of component dependencies, helping organizations ensure that all third-party components are secure and up-to-date, which is a key requirement of the CRA. 

SBOM generation

Black Duck can generate Software Bills of Materials (SBOMs) in various formats, including SPDX and CycloneDX. An SBOM is a detailed inventory of all components used in a product and helps ensure transparency and compliance, which is a crucial part of the CRA.
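To make the “no known exploitable vulnerabilities” prerelease check and the SBOM requirement concrete, here is an added illustration (not Black Duck’s code or output) of a minimal release gate: it parses a constructed CycloneDX JSON SBOM, matches each component’s package URL against a constructed advisory list standing in for a vulnerability-database lookup, and blocks the release only when a finding is flagged as known exploited. All component names, versions and advisory IDs are made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not real product output).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.0",
     "purl": "pkg:pypi/examplelib@1.2.0"},
    {"type": "library", "name": "netparse", "version": "0.9.1",
     "purl": "pkg:npm/netparse@0.9.1"},
    {"type": "library", "name": "cryptobits", "version": "3.0.0",
     "purl": "pkg:maven/org.example/cryptobits@3.0.0"}
  ]
}
"""

# Constructed advisory records standing in for a vulnerability-database lookup
# (a real pipeline would query NVD plus an exploited-vulnerability source).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:npm/netparse@",
     "vulnerable_versions": {"0.9.0", "0.9.1"}, "known_exploited": True},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:pypi/examplelib@",
     "vulnerable_versions": {"1.2.0"}, "known_exploited": False},
]

def components_from_sbom(sbom_text):
    """Return (purl, name, version) for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c.get("purl", ""), c["name"], c["version"]) for c in bom.get("components", [])]

def find_matches(components, advisories):
    """Match each component against the advisories; returns (purl, advisory id, exploited)."""
    hits = []
    for purl, _name, version in components:
        for adv in advisories:
            if purl.startswith(adv["purl_prefix"]) and version in adv["vulnerable_versions"]:
                hits.append((purl, adv["id"], adv["known_exploited"]))
    return hits

def release_gate(sbom_text, advisories):
    """Prerelease gate: block the release if any component carries a known exploited vulnerability."""
    hits = find_matches(components_from_sbom(sbom_text), advisories)
    blocking = [h for h in hits if h[2]]
    return {"release_allowed": not blocking, "blocking": blocking, "all_findings": hits}
```

Running `release_gate(SBOM_JSON, ADVISORIES)` reports two findings and blocks the release because the `netparse` advisory is marked as known exploited; the non-exploited finding is still surfaced for the vulnerability-handling process.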

Integration with development workflows

Black Duck integrates seamlessly with development and CI/CD workflows, making it easy to incorporate security practices into the development process. This helps organizations proactively address the secure-by-design requirements of the CRA and ensures that security is integrated into every stage of the product life cycle. 

Continuous monitoring and reporting

The EU Cyber Resilience Act is a significant step toward enhancing cybersecurity in the digital landscape. By understanding the requirements, conducting thorough security assessments, and implementing robust security practices, organizations can be prepared for the CRA and ensure compliance.  

Charting your course: Proactive steps to CRA compliance

Navigating the complexities of the CRA requires a proactive and strategic approach. Organizations should not wait until the final deadlines to begin compliance.

While the journey to full CRA compliance will present challenges for manufacturers, importers, and distributors, requiring investment in processes, tools, and expertise, it also brings significant opportunities. Adherence to the CRA is not merely about avoiding penalties; it is an avenue for organizations to build inherently more secure and trustworthy products. In an increasingly security-conscious market, products bearing the CE mark signifying CRA compliance will likely gain a competitive edge, reassuring customers and partners of their commitment to robust cybersecurity practices.

The EU Cyber Resilience Act is just one piece of the evolving global puzzle of software supply chain security. To understand how it fits into the broader regulatory landscape and how Black Duck can be a cornerstone of your compliance strategy for multiple mandates, download our comprehensive guide, “Key Regulations Shaping Software Supply Chain Security and the Role of SCA.” Equip yourself with the knowledge to build trust and ensure resilience in today’s interconnected world.
