U.S. cybersecurity and data privacy laws can seem somewhat antiquated. While the United States was once a leader, adopting tech-related legislation such as the Computer Fraud and Abuse Act (CFAA) in 1986 and the Health Insurance Portability and Accountability Act (HIPAA) a decade later, less has been done legislatively in the last three decades to set guardrails for industry on things like software quality and security, even as software and technology have blossomed and now permeate every industry, home, business and community.
On the other side of the Atlantic, however, there is a different story. The European Union has enacted a slew of regulations in recent years as part of its Digital Decade agenda, including the Network and Information Systems Directive 2 (NIS2), the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), and now the Cyber Resilience Act (CRA), which applies in full from December 11, 2027.
The CRA sets important baseline security requirements for digital products sold in the EU, extending the EU's CE marking regime so that conformity with essential cybersecurity and resilience requirements becomes a condition for placing hardware and software on the EU market. That includes secure-by-design and secure-by-default obligations for manufacturers, a duty to handle vulnerabilities for the product's support period, and mandatory reporting of actively exploited vulnerabilities and severe incidents to regulators and to affected users. And it imposes stiff penalties for noncompliance, with fines of up to €15 million (currently about $16.05 million) or 2.5% of total worldwide annual revenues (a.k.a. turnover), whichever is higher.
That’s a big shift for software publishers and the tech industry as a whole. But are companies ready for that change? In a conversation at the RSAC Conference in San Francisco, Forrester Research analyst Madelein van der Hout urged organizations to be prepared — and warned that most are not.
Speaking at RSAC, van der Hout emphasized the complexity of the CRA and predicted how this sweeping new policy will reshape how software is built, sold, and maintained in the EU. Here are the key takeaways from the discussion.
A common misconception is that the law will have no force until December 2027.
“The first deadline for the Cyber Resilience Act — it’s not December 2027,” van der Hout said. “It’s September 2026. … You have half a year to prepare.”
—Madelein van der Hout
September 2026 is when the CRA's mandatory reporting obligations for manufacturers take effect, ahead of the rest of the regulation. From that date, a manufacturer that learns of an actively exploited vulnerability in one of its products, or of a severe incident affecting that product's security, must notify the designated authorities and inform affected users. That will require a big adjustment, since many organizations still struggle with basic visibility into vulnerabilities and incidents, let alone coordinated disclosure on a regulatory clock.
Much of what the CRA seeks to enforce are things that have long been inconsistently applied: timely detection, clear communication, and accountability across the software lifecycle.
One of the most significant aspects of the CRA is its scope.
The regulation applies to “products with digital elements,” a deliberately broad definition that includes software, firmware, and connected devices. “It’s written for manufacturers, resellers, distributors of products with a digital component, … which is every product,” van der Hout said.
This expansive scope ensures that the CRA will reach far beyond traditional software vendors. Any organization placing digital products on the EU market, whether a device manufacturer, a software publisher, or a provider whose remote data processing is part of how a product functions, will fall under its requirements. (Pure cloud services delivered as SaaS are generally addressed by NIS2 rather than the CRA, so vendors should check which regime applies to each offering.)
At its core, the CRA enforces principles that have long been advocated but have been unevenly implemented.
Secure-by-design engineering and secure-by-default configuration, often dismissed as buzzwords, are no longer optional under the CRA; they are regulatory requirements.
“You need to have certain standards and certain baseline rules apply to your products.”
—Madelein van der Hout
Any organization with legacy products will face the challenge of retrofitting security controls, which is significantly more expensive than building them in from the start.
Despite the CRA’s broad reach, many organizations assume that compliance is primarily a problem for vendors. While it’s true that manufacturers face regulatory penalties, said van der Hout, organizations that deploy software remain accountable for managing their own risk. That includes understanding dependencies, assessing exposure, and responding to incidents.
This aligns with a shift already underway in software supply chain security: shared responsibility across producers and consumers. ReversingLabs research shows that many organizations are struggling with this model, mainly because they lack the tools to fully assess the integrity of third-party software or detect tampering in delivered code.
The CRA raises the stakes by turning those gaps into compliance risks, with serious financial penalties for noncompliance.
While the CRA is a law governing products placed on the EU market, it is likely to reshape the global software market, van der Hout said.
Like the GDPR before it, the CRA will extend beyond Europe. Global companies that want access to the EU market will need to comply. And once those practices are in place, they are likely to become the default worldwide.
That makes the CRA more than a regional regulation; it’s a catalyst for change in how software is built, secured, and trusted. The organizations that act early will have an advantage. Those that wait may find themselves scrambling — not just to comply, but to keep up.
Still, not every vendor will follow that path. Many small and early-stage vendors may decide to stay out of Europe altogether as a way to avoid the cost of CRA compliance.
“It’s not always plausible that [startups] are able to comply with that regulation because it costs a lot of money.”
—Madelein van der Hout
That will affect EU organizations that rely on those vendors, costing them critical suppliers, forcing them into product replacements, and potentially placing them in compliance violations. “What if you rely … completely on these products? You have a huge problem,” van der Hout said.
This introduces a new dimension of supply chain risk: vendor attrition driven by regulation.
As complex and costly as the CRA is, however, van der Hout said, it’s also necessary — and overdue. “I do believe it’s the missing piece of the puzzle,” she said.
To explain why, she drew an analogy to early automotive history. When cars first appeared, they shared roads with horse-drawn carriages — but without rules. The result was chaos. Over time, regulations introduced structure and safety.
For van der Hout, cybersecurity regulation serves a similar purpose:
“For me, cybersecurity regulation — those are brakes.”
In other words, the CRA is not just about compliance; it’s about creating a baseline of trust in digital products.
For van der Hout, organizational readiness for the CRA echoes that for the rollout of the GDPR, when many organizations delayed action until the final months, triggering a scramble for compliance that strained vendors and customers alike.
“We always start too late,” she said. “All of a sudden the compliance date is around the corner, but we’re so not prepared.”
But, unlike GDPR, the CRA carries broader technical and operational implications tied directly to software development and security practices, van der Hout said.
The message for organizations is clear: waiting is not an option. To prepare for the CRA, companies should prioritize:
These steps are not just about regulatory alignment — they address the same gaps that attackers are already exploiting.
In the end, van der Hout sees the CRA as an enabler of technology and innovation. A big fan of car racing, she recalled the American racing icon Mario Andretti's line that brakes are "for going faster," giving cars the precision and control needed to navigate at high speed. The same concept applies to software, van der Hout said.
“I thoroughly believe that is also how we should approach cybersecurity regulation. It should not just be your competitive advantage — it should be your accelerator.”