Understanding the EU’s Cyber Resilience Act (CRA)
January 22, 2025
The Cyber Resilience Act (CRA) introduces a much-needed framework for standardizing the cybersecurity practices of companies operating in the European Union (EU). The regulation sets clear expectations for hardware and software manufacturers, developers, and distributors, outlining how they should manage and address vulnerabilities at every stage of the product lifecycle. Given the critical role of software in most modern products, a proactive approach to securing the software development lifecycle (SDLC) has become an important part of all regulations aimed at overall technology product security.
Because some of the CRA’s provisions around vulnerability and incident reporting will take effect in 2026 — with all requirements being enforced by the end of 2027 — organizations should act now to assess their cybersecurity measures and chart a path for compliance.
What is the Cyber Resilience Act?
The Cyber Resilience Act is a new EU regulation that focuses on improving the cybersecurity of products with digital elements (PDEs) sold within the EU. According to the law, the CRA applies to “economic operators” that participate in the EU market, including manufacturers, importers, and distributors of PDEs.
The two main categories of essential requirements outlined in the CRA are:
Product cybersecurity requirements (Annex I, Section 1) that focus on protection against exploitable vulnerabilities and security risks in the product's design, development, and production phases (i.e., secure by design principles).
Vulnerability handling requirements (Annex I, Section 2) that focus on identifying and documenting vulnerabilities, ensuring a rapid response to exploitable vulnerabilities, and providing users with security updates.
These categories cover both product pre-deployment and post-deployment. In the pre-deployment phase, static application security testing (SAST) and software composition analysis (SCA) both play an important role in ensuring that products are secure by design. Detecting vulnerabilities early and in real time, and fixing them automatically where possible, prevents security issues from growing into more complex, larger, and higher-stakes problems once the product is in production.
Today, however, we will focus on compliance with the CRA as it relates to software supply chain security.
Software supply chain security and the Cyber Resilience Act
As digital products become more interconnected, vulnerabilities — particularly in third-party and open source components — pose significant risks. Research indicates that cybersecurity threats circulating via open source package repositories increased by more than 1300% between 2020 and 2023.
By mandating that organizations identify, mitigate, and disclose vulnerabilities throughout the product lifecycle, the CRA highlights the critical role of supply chain security and forces organizations to shore up their security gaps. The regulation also emphasizes the importance of proactive risk management via its requirements for continuous monitoring and timely updates to address emerging threats.
Three essential pillars for complying with the Cyber Resilience Act
To meet the CRA's essential requirements — particularly around vulnerability management and timely remediation — organizations must prioritize three foundational pillars: software bill of materials (SBOM) generation, vulnerability management, and rapid reporting.
SBOM generation and maintenance
The CRA requires organizations to maintain accurate and up-to-date SBOMs to promote transparency and accountability in tracking all software components. It states that SBOMs must be “in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product.”
To save time and effort, consider using a tool that integrates with development workflows to automate your SBOMs. For example, Snyk scans projects to identify all software components, including third-party and open-source dependencies, and generates SBOMs in standard, CRA-accepted formats like CycloneDX and SPDX.
Vulnerability management and remediation
The CRA’s vulnerability handling requirements emphasize proactive identification and clear disclosure of vulnerabilities. As such, the regulation mandates regular SBOM updates to ensure that documentation reflects the current state of every component through the product lifecycle. It also instructs organizations to “address and remediate vulnerabilities without delay, including by providing security updates.”
Annex I of the CRA also specifies that products with digital elements should:
Ensure protection from unauthorized access by appropriate control mechanisms, including but not limited to authentication, identity, or access management systems.
Protect the integrity of stored, transmitted, or otherwise processed data, personal or other, commands, programs, and configuration against any manipulation or modification not authorized by the user, as well as report on corruptions.
Be designed, developed, and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
Dynamic application security testing (DAST) provided by Snyk can help identify and remediate these types of vulnerabilities (authorisation, data modification, exploit mitigation) in running applications.
Snyk simplifies upstream component management and documentation. It tracks all dependencies (including transitive dependencies) and continuously monitors for changes or new vulnerabilities to ensure SBOMs are up to date when new versions of the software are deployed. Beyond vulnerability identification, Snyk helps developers prioritize vulnerabilities based on a range of risk factors including signals like reachability and exploit maturity, in addition to traditional measures like severity. Snyk then provides recommendations on how to fix those prioritized issues directly within the tools the development teams already use.
Asset inventory and rapid reporting
To meet the CRA’s security monitoring and reporting requirements, organizations must maintain an accurate inventory of digital assets. Having full visibility into all PDEs, software versions, and dependencies in use allows them to quickly pinpoint affected assets when new vulnerabilities are discovered. Additionally, when an exploitable vulnerability is discovered, the CRA requires timely communication to all relevant parties (e.g., end-users, developers, manufacturers, regulators).
These are both areas where a holistic view of applications and assets can significantly streamline compliance efforts. The Snyk developer security platform allows teams to track, analyze, and manage all assets and associated risks. It also facilitates rapid reporting by integrating vulnerability data with workflows for disclosure and remediation. When an exploitable vulnerability is detected, these tools enable organizations to identify impacted assets swiftly, prioritize fixes based on risk, and communicate updates to the necessary stakeholders.
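The two mechanical pieces of the pillars above, an SBOM "in a commonly used and machine-readable format covering at the very least the top-level dependencies" and the ability to pinpoint affected assets when a new advisory lands, can be shown end to end in a few dozen lines. The following is an added example, not Snyk's code and not text from the regulation: it builds a minimal CycloneDX 1.5 JSON document for a hypothetical product from a constructed dependency list, then cross-references that SBOM against a constructed advisory feed to list the components that need an update. Package names, versions, advisory IDs and the "affected if below fixed version" rule are all assumptions made for the example; real feeds use richer, ecosystem-specific version ranges.

```python
"""Minimal CycloneDX-style SBOM generation and advisory matching.

Added example (not Snyk's code or the CRA's text). Assumes: a constructed
list of pinned top-level dependencies and a constructed advisory feed where
any version strictly below `fixed_version` is affected. Real CycloneDX
documents carry more fields; real advisory feeds use richer version ranges.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: top-level dependencies of a hypothetical product.
TOP_LEVEL_DEPS = [
    {"name": "requests", "version": "2.25.1", "ecosystem": "pypi"},
    {"name": "flask", "version": "2.3.3", "ecosystem": "pypi"},
    {"name": "lodash", "version": "4.17.20", "ecosystem": "npm"},
]

# Constructed sample advisory feed (IDs are placeholders, not real advisories).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "pypi", "name": "requests", "fixed_version": "2.31.0"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "name": "lodash", "fixed_version": "4.17.21"},
    {"id": "EXAMPLE-ADV-0003", "ecosystem": "pypi", "name": "flask", "fixed_version": "2.2.0"},
]


def purl(dep):
    """Package URL for a component; purl is the identifier CycloneDX and SPDX both use."""
    return f"pkg:{dep['ecosystem']}/{dep['name']}@{dep['version']}"


def build_sbom(deps, product_name="example-product", product_version="1.0.0"):
    """Build a minimal CycloneDX 1.5 JSON document: the product plus its top-level deps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name, "version": product_version},
        },
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"],
             "purl": purl(d), "bom-ref": purl(d)}
            for d in deps
        ],
    }


def parse_version(v):
    """Dotted numeric version -> comparable tuple (fine for the constructed samples;
    real ecosystems need their own version semantics, e.g. PEP 440 or semver)."""
    return tuple(int(part) for part in v.split("."))


def affected_components(sbom, advisories):
    """Cross-reference SBOM components against advisories.

    Returns (purl, advisory id, fixed version) for every component whose
    ecosystem and name match an advisory and whose version is below the fix.
    """
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            same_pkg = comp["purl"].startswith(f"pkg:{adv['ecosystem']}/{adv['name']}@")
            if same_pkg and parse_version(comp["version"]) < parse_version(adv["fixed_version"]):
                hits.append((comp["purl"], adv["id"], adv["fixed_version"]))
    return hits


def sbom_json(sbom):
    """Serialize the SBOM as the machine-readable JSON a downstream tool would ingest."""
    return json.dumps(sbom, indent=2)


if __name__ == "__main__":
    sbom = build_sbom(TOP_LEVEL_DEPS)
    print(sbom_json(sbom))
    for p, adv_id, fixed in affected_components(sbom, ADVISORIES):
        print(f"{p} affected by {adv_id}; upgrade to >= {fixed}")
```

Running the block prints the SBOM and then flags `requests` and `lodash` as affected while leaving `flask` alone, because its pinned version is already at or above the fixed version. The matching key is the purl (ecosystem plus name), not the bare name, which is what stops an npm advisory from being applied to a same-named PyPI package; keeping the SBOM regenerated on every release is what makes this lookup answer the CRA's "which of our products is affected" question rather than an out-of-date one.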
A trusted partner for CRA compliance
CRA compliance isn’t just about meeting regulatory requirements; it’s about building a more secure and resilient digital ecosystem. Organizations can address software supply chain risks by focusing on these essential security practices while promoting trust with partners, end-users, and regulators.
Snyk is a trusted security partner that has proven invaluable for maintaining compliance with other EU regulations, such as the Digital Operational Resilience Act (DORA). With the introduction of the CRA, we’re inviting organizations to take advantage of our developer-friendly tools that streamline key activities like SBOM generation, vulnerability management, and rapid reporting. By integrating seamlessly into existing workflows, Snyk helps organizations achieve CRA compliance without slowing down software development.
Interested in learning more about how Snyk can strengthen your software supply chain security for improved compliance? Book a live demo today.