What has (can) the EU Cyber Resilience Act done (do) for you?

© 2026 Peter N. M. Hansteen

The European Union Cyber Resilience Act (CRA) and its various international analogs are entering fully into force during 2026 and 2027, with new legal requirements that some have found to be perilous or challenging to software developers and possibly for open source developers in particular.

Some have predicted this legislation will be the end of open source software and the end of the world as we know it. In the present article, we will show that this is far from the case.

Note: This piece is also available with trackers but nicer formatting here, or without trackers but classic formatting only here.

Yes, It's Later Than You Think

As we have mentioned in several earlier articles and presentations which I will provide links to in a moment,

On December 12 2027, it's already too late. The day before, the European Union Cyber Resilience Act (CRA) will have fully entered into force.

On December 11 2027, the Cyber Resilience Act is fully in force in the European Union member states and associated countries and territories.

From that date onward, suppliers of any "product with digital elements" are required to present those products along with a full overview of and insight into all components and dependencies that went into making that product (in practice, a software bill of materials in a commonly used, machine-readable format, covering at least the product's top-level dependencies).

Unless, of course, you are a supplier that is fine with being considered second rate at best, or even being ineligible for lucrative contracts. Selling a product that has not qualified for the CE mark in its product category will simply not do.

The European timeline for phased implementation of the CRA is outlined here, among other places.

From EU CRA: It's Later Than You Think, Time to Engineer Up! (also here)

If you are interested in what this means in practical terms, for individual developers, for organizations that have taken on the free software steward role, and for other participants in the wider community or ecosystem of the IT industry, read on.

The European Union Sets the Standard From Here On

The European Union Cyber Resilience Act is part of an expanding body of legislation, which includes the General Data Protection Regulation (GDPR), the Regulation on Digital Operational Resilience for the Financial Sector (DORA) and the Directive on Network and Information Systems (NIS2), that regulates information technology and products with digital elements in the European Union, associated states and territories.

The underlying motivation is to ensure the safety, wellbeing and civil rights of inhabitants of the EU, associated states and territories. It is important to keep this in mind as the basic driver behind the regulation.

On the face of it, initiatives to ensure the safety of individuals and businesses should not be controversial. The development of new technologies leads to changes in society that neither technologists, their customers nor the politicians they elect were able to anticipate.

We will mention some key incidents in a few moments, but taken together these incidents made it clear that there was a need to come up with well defined legislation and a firm but reasonable enforcement regime.

In the area of cyber security and digital resilience, the specification and standardization work was for a long time fairly well in sync between the European and US efforts, for all the obvious reasons.

Early on, the USA was the first to act formally in the subject area, in the form of US Executive Order 14028 of May 12, 2021, Improving the Nation's Cybersecurity, and the EU finally enacted its version as the EU Cyber Resilience Act (CRA) in 2024. For both, the plan was to have the specific parts enter into force gradually and in sync across the Atlantic.

However, it took the second Trump administration one year and nine days to rescind Executive Order 14028, leaving the specifications and emerging standards that grew out of it as optional only, even for projects and procurement under United States federal authorities.

The European Union, on the other hand, has not let up its efforts. This means that going forward, it is the European Union Cyber Resilience Act (CRA) that defines the parameters for those of us who develop products with digital elements (PDEs) intended for any international market that includes the European Union and associated states and territories.

Let's move on to what the practical consequences will be for various categories of people and organizations as the legislation enters into force.

We will take the boring parts first, then move on to the scary things...