The Cyber Resilience Act (CRA) is legislation covering almost all products with software – from embedded systems and IoT to server software and PC software, to mobile applications for phones and tablets.

The CRA applies to all digital products sold in the EU, regardless of where the manufacturer, importer or distributor is located. If you sell to customers in the EU, you will be affected by the CRA.

Shifting responsibility for cyber security to the manufacturer

The CRA shifts responsibility for cyber security onto the manufacturer. The vendor becomes responsible for security during a product’s lifetime. The CRA mandates free security updates, public disclosure of vulnerabilities and reporting to authorities if a vulnerability is exploited. The legislation enforces a lifecycle process, with cyber security being part of the process from design to decommissioning.

The European CE mark, which now also applies to software, indicates compliance with the legislation.

Open Source is included in the legislation

A manufacturer including Open Source components in a product is responsible for all the components within the product, both commercial and open source. Open Source projects in general are not affected by the legislation, but if they want to make life easier for manufacturers they will want to handle cyber security in a professional way. The legislation is not very clear for cases where a company has a combination of Open Source software and commercial products. There is no exact definition of when you become a commercial entity with full responsibility under the law and when a project is just an Open Source project. If there is money involved, you need to find out. Both OpenSSF and the ORCWG are working on producing more information and examples to guide projects that are combined with commercial activities.

The first step: Applies to all products sold

The first step, in force from September 2026, applies to all products sold and in use in the market. In this step, manufacturers have to report all incidents to the authorities, both near misses and exploits. This also applies to incidents in the manufacturer’s own systems that may affect the security of the products – software supply chain incidents.

The second step: CE mark for cybersecurity in all products

The second step applies from December 2027. All new products sold must be CE-marked, indicating a level of cybersecurity in the product sold, and must be maintained with free security upgrades during the product’s lifetime.

Learn more:

Open Source Security Foundation