EU's Strict New Cyber Law Catches Firms Off Guard

A new survey reveals two-thirds of companies are unaware of the EU's major new Cyber Resilience Act, which is now taking effect.

The first elements of the European Union's Cyber Resilience Act (CRA) are now in effect, but a new survey reveals the industry is largely unprepared. According to a study by the Open Source Security Foundation, a staggering two-thirds of companies are not familiar with the landmark regulation. The CRA is a comprehensive new law designed to bolster the security of all hardware and software products sold in the EU. It establishes a baseline of cybersecurity requirements that manufacturers must meet throughout a product's lifecycle, aiming to protect consumers and businesses from insecure technology.

The widespread lack of awareness highlighted by the survey presents a significant risk for tech companies. The Cyber Resilience Act has wide-ranging implications, affecting everyone from individual developers to large multinational corporations. It mandates new security standards for product design, development, and maintenance, including obligations for vulnerability handling and transparent security reporting. For founders, CTOs, and security teams, non-compliance could eventually mean being barred from the massive EU market or facing steep penalties. The law fundamentally shifts the responsibility for security from the end-user to the vendor, making manufacturers legally accountable for the safety of their products.

This regulation is part of a broader global trend of increased government scrutiny over technology security. While the CRA will be phased in over time, its initial entry into force serves as a critical wake-up call. Companies that sell digital products to customers in the European Union must now urgently get up to speed on their new obligations. This includes assessing their current development practices, understanding the specific requirements for their product categories, and preparing for a new era of regulatory oversight. Ignoring the CRA is not an option for any business with a footprint in Europe.