Cyber Resilience Act (CRA) - What Software Producers Need to Know

Practical guide to new EU cybersecurity requirements for digital products. Learn how to prepare your company for CRA compliance and avoid penalties.

nex-IT Team · May 26, 2026 · 4 min read
What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is an EU regulation introducing mandatory cybersecurity requirements for products with digital elements. It applies to both hardware and software placed on the EU market, regardless of where the manufacturer is based.

If your company produces or sells:

  • Software (applications, systems, libraries)
  • IoT devices
  • Network equipment
  • Automation systems
  • Products with embedded software

...then CRA directly applies to you. Two exclusions are worth knowing: open-source software that is not monetised as a commercial product (its maintainers fall under a lighter "open-source software steward" regime), and stand-alone cloud services (SaaS), which are regulated by NIS2 rather than the CRA unless the service is remote data processing that the product cannot work without.

When does CRA take effect?

  • 10 December 2024 - regulation entered into force
  • 11 September 2026 - obligation to report actively exploited vulnerabilities and severe incidents (Article 14) starts to apply
  • 11 December 2027 - full application of all requirements; products placed on the market before this date fall under the essential requirements only if they are substantially modified afterwards, but the reporting obligations apply to them regardless

Time is running out - it's worth starting preparations now.

Key CRA Requirements

1. Security by Design

Security must be considered from the beginning of the project, not as an add-on:

  • Planning authentication mechanisms before writing the first line of code
  • Encrypting sensitive data
  • Privilege separation (principle of least privilege)
  • Regular cybersecurity risk assessment

2. SBOM - Software Bill of Materials

The CRA requires manufacturers to draw up a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at the very least the product's top-level dependencies. In practice it should list all:

  • External libraries
  • Dependencies, including transitive ones
  • Open source components
  • Other constituent elements of the product

The SBOM is part of the technical documentation; the CRA does not oblige you to publish it to users, but the market surveillance authority may request it.

SBOM allows you to:

  • Quickly assess the impact of a new vulnerability on the product
  • Speed up risk analysis
  • Plan remediation actions more effectively

Formats and tools for SBOM:

  • CycloneDX - SBOM format (OWASP)
  • SPDX - SBOM format (Linux Foundation, standardised as ISO/IEC 5962)
  • Syft - generator for source trees and container images, outputs both formats
  • Trivy - scanner that generates SBOMs and matches them against vulnerability databases
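The payoff of an SBOM is the query "does a newly announced vulnerability hit our product, and through which dependency?" The following is an added example, not code from the article or from CERT Polska: it loads a CycloneDX JSON SBOM, matches components against an advisory by package URL and version range, and walks the dependency graph back to the product root so remediation targets the right direct dependency. The SBOM, the package names (acme-*) and the advisory are constructed for the example.

```python
"""Triage an advisory against a CycloneDX SBOM (added example, not from the article)."""
import json
import re

# Constructed sample SBOM (CycloneDX 1.5 JSON, the shape Syft emits).
# All package names are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "acme-portal",
                               "version": "5.1.0", "bom-ref": "acme-portal@5.1.0"}},
    "components": [
        {"type": "library", "name": "acme-web-framework", "version": "7.0.2",
         "purl": "pkg:npm/acme-web-framework@7.0.2",
         "bom-ref": "pkg:npm/acme-web-framework@7.0.2"},
        {"type": "library", "name": "acme-template-engine", "version": "3.2.1",
         "purl": "pkg:npm/acme-template-engine@3.2.1",
         "bom-ref": "pkg:npm/acme-template-engine@3.2.1"},
        {"type": "library", "name": "acme-template-engine", "version": "3.2.4",
         "purl": "pkg:npm/acme-template-engine@3.2.4",
         "bom-ref": "pkg:npm/acme-template-engine@3.2.4"},
        {"type": "library", "name": "acme-crypto-utils", "version": "0.9.4",
         "purl": "pkg:pypi/acme-crypto-utils@0.9.4",
         "bom-ref": "pkg:pypi/acme-crypto-utils@0.9.4"},
    ],
    "dependencies": [
        {"ref": "acme-portal@5.1.0",
         "dependsOn": ["pkg:npm/acme-web-framework@7.0.2",
                       "pkg:npm/acme-template-engine@3.2.4",
                       "pkg:pypi/acme-crypto-utils@0.9.4"]},
        {"ref": "pkg:npm/acme-web-framework@7.0.2",
         "dependsOn": ["pkg:npm/acme-template-engine@3.2.1"]},
    ],
})

# Constructed (hypothetical) advisory reduced to what triage needs:
# "introduced" is inclusive, "fixed" is exclusive and may be absent.
SAMPLE_ADVISORY = {"ecosystem": "npm", "name": "acme-template-engine",
                   "introduced": "3.0.0", "fixed": "3.2.4"}


def parse_version(version):
    """'MAJOR.MINOR.PATCH[-pre]' -> tuple that compares like semver.

    Missing parts count as 0; a release sorts above its pre-releases
    (3.2.4-rc1 < 3.2.4). Ecosystems with other schemes need their own comparator.
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def purl_name(purl):
    """'pkg:maven/com.acme/acme-netlib@2.1.0?type=jar' -> ('maven', 'com.acme/acme-netlib').

    Qualifiers after '?' are dropped; percent-encoding is not decoded.
    """
    body = purl[len("pkg:"):].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    return ptype, rest.rsplit("@", 1)[0]


def affected_components(sbom_json, advisory):
    """bom-refs of components whose package matches and whose version is in range."""
    low = parse_version(advisory["introduced"])
    high = parse_version(advisory["fixed"]) if advisory.get("fixed") else None
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl or purl_name(purl) != (advisory["ecosystem"], advisory["name"]):
            continue
        ver = parse_version(comp["version"])
        if ver >= low and (high is None or ver < high):
            hits.append(comp["bom-ref"])
    return hits


def dependency_paths(sbom_json, target_ref):
    """All paths from the product root to target_ref; the first hop is the
    direct dependency to bump or replace."""
    sbom = json.loads(sbom_json)
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # cycle guard
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for ref in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORY):
        print("AFFECTED:", ref)
        for path in dependency_paths(SAMPLE_SBOM, ref):
            print("  via:", " -> ".join(path))
```

Note that the two copies of acme-template-engine are treated separately: only the 3.2.1 copy pulled in by acme-web-framework is flagged, and the path tells you the fix is to update acme-web-framework, not the direct 3.2.4 dependency. Matching on the purl rather than the bare name avoids false hits across ecosystems.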

3. Vulnerability Handling Process

CRA requires an organized vulnerability response process:

a) Reporting Channel

  • Dedicated email address (e.g., security@yourcompany.com)
  • Contact form
  • security.txt file (RFC 9116) in the .well-known directory
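A security.txt is cheap to publish but easy to get subtly wrong (a bare email address instead of a mailto: URI, an expired Expires date, an http:// policy link), and a broken file is what a researcher sees first. The following is an added example, not code from the article or from CERT Polska: it builds the file from a few fields and validates it against the RFC 9116 rules the file most often violates. The contact addresses, URLs and dates are constructed for the example.

```python
"""Build and validate an RFC 9116 security.txt (added example, not from the article)."""
import re
from datetime import datetime, timedelta, timezone

_URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def build_security_txt(contacts, expires, policy=None, canonical=None,
                       languages=None, encryption=None):
    """Assemble the file text; `expires` must be a timezone-aware datetime."""
    lines = ["# Vulnerability disclosure contact for this product (RFC 9116)"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if encryption:
        lines.append(f"Encryption: {encryption}")
    if languages:
        lines.append(f"Preferred-Languages: {languages}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Lower-cased field name -> list of values; comments and blank lines skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not _URI_SCHEME.match(c):
            problems.append(f"Contact {c!r} has no URI scheme; use mailto:, https:// or tel:")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires {expires[0]!r} is not an RFC 3339 date-time")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a time zone")
            elif exp <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires should be less than a year in the future")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")

    # Web URIs in any field must be https; plain http invites tampering in transit.
    for name in ("contact", "policy", "canonical", "encryption", "acknowledgments", "hiring"):
        for uri in fields.get(name, []):
            if uri.lower().startswith("http://"):
                problems.append(f"{name.title()} {uri!r} must use https://")
    return problems


# Constructed example values (hypothetical host example.com).
EXAMPLE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
EXAMPLE_EXPIRES = datetime(2027, 3, 1, tzinfo=timezone.utc)
EXAMPLE_TEXT = build_security_txt(
    contacts=["mailto:security@example.com", "https://example.com/security/report"],
    expires=EXAMPLE_EXPIRES,
    policy="https://example.com/security-policy",
    canonical="https://example.com/.well-known/security.txt",
    languages="en, pl",
)
# Constructed file with three classic mistakes.
BAD_EXAMPLE_TEXT = ("Contact: security@example.com\n"
                    "Expires: 2026-01-01T00:00:00Z\n"
                    "Policy: http://example.com/security-policy\n")

if __name__ == "__main__":
    print(EXAMPLE_TEXT)
    print("good file:", validate_security_txt(EXAMPLE_TEXT, now=EXAMPLE_NOW) or "OK")
    print("bad file:", validate_security_txt(BAD_EXAMPLE_TEXT, now=EXAMPLE_NOW))
```

Serve the result at /.well-known/security.txt over HTTPS and put the Expires date in a calendar: the file is useless once it lapses, so regenerating it should be part of a routine release or ops task, not something remembered when a report fails to arrive.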

b) Verification and Assessment

  • Is the vulnerability exploitable?
  • What is the impact on users?
  • Are there signs of active exploitation?

c) Patch or Mitigation

  • Testing security patches
  • Releasing as quickly as possible
  • Do not place a release on the market with a known exploitable vulnerability: Annex I requires products to be made available without known exploitable vulnerabilities, so a feature release cannot skip a pending fix

d) Disclosure and CVE Publication

  • Obtain a CVE identifier from a CVE Numbering Authority (CNA); many national CSIRTs act as CNAs, and larger vendors can become one themselves
  • Once the update is available, publicly disclose the fixed vulnerability with a description, affected versions, severity and remediation steps (the CRA requires this disclosure)
  • Collaborate with the national CSIRT on coordinated disclosure; the CRA also requires a published coordinated vulnerability disclosure policy

4. Incident Reporting

Producers must report:

  • Actively exploited vulnerabilities in their products
  • Severe incidents affecting the security of the product

Reports are submitted through the Single Reporting Platform established by ENISA and reach the national CSIRT designated as coordinator. The deadlines are tight: an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within 14 days of a fix being available (actively exploited vulnerabilities) or within one month (severe incidents). Affected users must also be informed without undue delay.

5. Security Updates

  • Security updates installed automatically by default where the product type allows it, with a clear and easy opt-out
  • Option for users to defer or opt out of automatic updates
  • Security updates distributed separately from functional changes where technically feasible
  • A support period reflecting the product's expected time in use, at least 5 years unless the product is expected to be used for less; each security update must then remain available for at least 10 years after release or until the end of the support period, whichever is longer

6. Technical Documentation

Mandatory documentation includes:

  • Product architecture description
  • Security mechanisms
  • Component list (SBOM)
  • Vulnerability and incident registry
  • Risk acceptance decisions

Documentation must be available to the market surveillance authority on request and kept for at least 10 years after the product is placed on the market or for the support period, whichever is longer.

How to Prepare Your Company for CRA?

Step 1: Audit Current State

  • Which products fall under CRA?
  • What security processes already exist?
  • Where are the biggest gaps?

Step 2: Assign Responsibilities

  • Designate person/team responsible for product security
  • Even in small companies - formal assignment of responsibility

Step 3: Implement SBOM

  • Choose SBOM generation tool
  • Integrate with build process (CI/CD)
  • Automatic generation with each build

Step 4: Create Vulnerability Handling Process

  • Publish security.txt
  • Prepare response template for reports
  • Establish SLA for response and patch

Step 5: Prepare Documentation

  • Don't produce documentation "for the audit" at the last minute
  • Document decisions continuously
  • Use ALM tools (GitLab, Jira + Confluence)

Consequences of Non-Compliance

  • Financial penalties - up to EUR 15 million or 2.5% of total worldwide annual turnover (whichever is higher) for breaching the essential requirements or manufacturer obligations; lower tiers apply to other breaches
  • Ban on placing product on EU market
  • Product recall obligation
  • Reputation loss

How nex-IT Can Support Your Business

As an IT company, we support clients with technical security aspects:

  • Infrastructure protection - firewalls, network monitoring, endpoint protection
  • Security solutions deployment - Sophos, UniFi, backup systems
  • Incident response - assistance when threats are detected
  • Technical consulting - security architecture advisory

If your company needs IT security support - contact us.

Summary

The Cyber Resilience Act is not just a regulatory obligation - it's an opportunity to organize security practices in your company. Well-implemented processes:

  • Limit incident impact
  • Increase customer trust
  • Improve product quality

Don't wait until the last moment - start preparations today.


Article prepared based on CERT Polska guide "Best practices for software security management" (May 2026).

Tags: CRA, Cyber Resilience Act, cybersecurity, SBOM, CVE, EU regulations, software security