EU Cyber Resilience Act: What Software Teams Need to Know

The EU CRA introduces mandatory cybersecurity requirements for products with digital elements. Here is what it means for your team.

The EU Cyber Resilience Act (CRA) was adopted in 2024 and introduces mandatory cybersecurity requirements for all products with digital elements sold in the European Union. If you develop or distribute software in the EU market, this regulation affects you.

Key deadlines

  • September 2026: Vulnerability reporting obligations begin. Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.
  • December 2027: Full compliance required. All applicable requirements must be met, including SBOM maintenance, vulnerability handling, and coordinated disclosure.

What the CRA requires

Software Bill of Materials

The CRA requires manufacturers to "identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials." This means maintaining a machine-readable SBOM for each product release in a standard format like CycloneDX or SPDX.

Vulnerability handling

Article 13 requires manufacturers to handle vulnerabilities "without delay." In practice, this means:

  • Continuously monitoring your dependencies for newly published CVEs
  • Assessing the impact of each vulnerability on your product
  • Remediating or mitigating confirmed vulnerabilities within appropriate timeframes
  • Documenting your assessments and remediation actions

Coordinated disclosure

When a vulnerability is confirmed to affect your product, you must communicate this to downstream users in a timely manner. VEX (Vulnerability Exploitability eXchange) documents provide the standard format for this communication: for each vulnerability they state whether the product is affected, not affected, fixed, or still under investigation, so users can tell which findings in your SBOM actually need action.

How to prepare

  1. Inventory your software components: Generate SBOMs for all your product releases
  2. Establish a vulnerability monitoring process: Set up automated scanning against your SBOMs
  3. Define SLA deadlines: Establish remediation timelines by severity level
  4. Implement a triage workflow: Document your vulnerability assessments systematically
  5. Set up disclosure processes: Be ready to generate and publish VEX documents
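The five steps above, together with the vulnerability-handling and coordinated-disclosure sections, describe one pipeline: SBOM in, matched vulnerabilities triaged against an SLA, VEX out. The following Python is an added illustration written for this article; it is not CVEium CIS code or any vendor's implementation. The SBOM, the vulnerability feed, the CVE identifiers (deliberately invalid year 0000), the SLA table and the triage decisions are all constructed placeholders, and the `internal:sla-deadline` property is an assumed custom property name, not part of the CycloneDX specification.

```python
"""Added example: SBOM-driven vulnerability matching, SLA tracking and VEX output.

Illustrative code for this article only, not CVEium CIS or any product's
implementation. Every identifier and data value below is a constructed sample.
"""
import json
from datetime import date, timedelta

# Step 1: a minimal CycloneDX 1.5 SBOM for one release (constructed sample).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "2.3.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "bom-ref": "libfoo"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0", "bom-ref": "libbar"},
        {"type": "library", "name": "libbaz", "version": "3.1.0",
         "purl": "pkg:generic/libbaz@3.1.0", "bom-ref": "libbaz"},
    ],
}

# Step 2: a constructed advisory feed keyed by package URL. In practice this
# comes from an advisory database; the CVE ids here are placeholders (year 0000).
FEED = [
    {"id": "CVE-0000-10001", "purl": "pkg:generic/libfoo@1.4.2", "severity": "critical"},
    {"id": "CVE-0000-10002", "purl": "pkg:generic/libbar@0.9.0", "severity": "medium"},
    {"id": "CVE-0000-10003", "purl": "pkg:generic/libqux@5.0.0", "severity": "high"},  # not in SBOM
    {"id": "CVE-0000-10004", "purl": "pkg:generic/libbaz@3.1.0", "severity": "high"},  # no triage yet
]

# Step 3: remediation SLA in days per severity (an assumed internal policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Step 4: triage decisions recorded by the product team (constructed). The
# "state" and "justification" values are CycloneDX analysis enumerations.
TRIAGE = {
    "CVE-0000-10001": {"state": "exploitable",
                       "detail": "Vulnerable code path is reachable from the network listener."},
    "CVE-0000-10002": {"state": "not_affected", "justification": "code_not_reachable",
                       "detail": "Affected function is never called by the product."},
}

DEMO_DATE = date(2026, 9, 11)  # constructed "date found" used by run_demo()


def match_sbom(sbom, feed):
    """Return feed entries whose purl matches an SBOM component, with its bom-ref."""
    by_purl = {c["purl"]: c for c in sbom["components"]}
    return [dict(v, bom_ref=by_purl[v["purl"]]["bom-ref"])
            for v in feed if v["purl"] in by_purl]


def sla_deadline(severity, found_on):
    """Remediation deadline for a finding of the given severity."""
    return found_on + timedelta(days=SLA_DAYS[severity])


def build_vex(sbom, matches, triage, found_on):
    """Emit a CycloneDX 1.5 document carrying VEX analysis for each match.

    Findings without a recorded triage decision are published as "in_triage"
    rather than silently dropped, so downstream users see the open item.
    """
    vulns = []
    for m in matches:
        analysis = triage.get(m["id"], {"state": "in_triage"})
        vulns.append({
            "id": m["id"],
            "source": {"name": "constructed-feed"},
            "ratings": [{"severity": m["severity"]}],
            "analysis": analysis,
            "affects": [{"ref": m["bom_ref"]}],
            # Assumed custom property for SLA tracking, not a CycloneDX field.
            "properties": [{"name": "internal:sla-deadline",
                            "value": sla_deadline(m["severity"], found_on).isoformat()}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": sbom["metadata"], "vulnerabilities": vulns}


def run_demo():
    """Run the whole pipeline on the constructed inputs and return the VEX document."""
    return build_vex(SBOM, match_sbom(SBOM, FEED), TRIAGE, DEMO_DATE)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Matching on package URL rather than on name alone avoids false hits between unrelated packages that share a name, and keeping an explicit `in_triage` record for every unassessed match is what lets an auditor reconcile the SBOM, the scan results and the published VEX against each other.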

How CVEium CIS helps

CVEium CIS was designed around CRA compliance requirements. It provides SBOM management, automated CVE scanning, structured triage with SLA tracking, VEX generation in multiple formats, an approval workflow for publication, and compliance attestation reports that can be shared with authorities.

The September 2026 deadline for vulnerability reporting is approaching. The time to establish your vulnerability management process is now.