If you haven't started adapting to CRA, you're already behind.

2026-05-26

Right after the summer, Swedish companies that build and sell products containing software should be ready for the first part of the next major EU regulation in the area of cybersecurity. The Cyber Resilience Act (CRA) will be introduced in two stages: the first part takes effect on September 11, 2026, and the larger part in December 2027. So things are starting to get hectic.

For years, software products have gotten away with terms of use that sell them "as is," with no promise of warranty or cybersecurity. The CRA aims to change this so that customers get what they already think they are getting: products without known vulnerabilities that are kept up to date over time. I would therefore argue that the regulation is not really a question of compliance but of reasonableness.

The CRA requires that all products that are or contain software must be free, at the time they are released for sale, of known vulnerabilities that can be exploited. In other words, you should not launch a new product without knowing that it contains no known security flaws. The CRA also requires that the development process produce evidence and documentation that this is the case: documented processes, security tests, and reports from security tools. All product companies must do this from December next year, when the entire law comes into force.

But as of September 11th of this year, a reporting obligation will be introduced for products already on the market. You must notify the authorities within 24 hours of discovering a vulnerability that affects your customers, and you must be able to send out an update quickly. The CRA also requires that you offer security updates for at least five years after the product has been sold. The consequences are not cosmetic: you may be forced to stop sales, recall products or pay penalty fees.

What you need to secure for September is: 

  1. The ability to detect: Do you have the ability to see when a customer is affected by a vulnerability?
  2. The ability to report: Is there a process? Who owns it? Who should have the information?
  3. The ability to remedy: Do you have the tools, processes and infrastructure to quickly develop and distribute updates?

You should also have started the major work of meeting all the requirements of the CRA when it comes into effect on December 11, 2027.

While it may feel overwhelming, support is available: there are established processes to apply and models to follow. ENISA has published a preview of its upcoming "Security by Design and Default Playbook", which provides concrete advice, primarily for SMEs, on how to work towards meeting the requirements of the CRA.

It's high time to get started.

Article writer
Mats Persson
Omegapoint
