Interview on the EU Cyber Resilience Act: Key Takeaways and Remaining Challenges

I was recently interviewed by Information Security Media Group (ISMG) to discuss the EU Cyber Resilience Act (CRA), and it is encouraging to see the growing momentum around this important regulatory development.

The article explores how the CRA is set to fundamentally reshape the way products with digital elements are designed, developed, and maintained across Europe. It introduces far-reaching obligations on manufacturers, including security-by-design requirements, mandatory vulnerability handling and reporting, and a commitment to provide security updates for the product’s support period.

The European Commission’s recent draft guidance represents a strong first step, providing helpful clarification on several key aspects of the regulation. However, a number of practical challenges remain.

As I noted in the interview: 

“Some of the hardest issues, like software updates and cloud dependencies, are inherently difficult to regulate cleanly.”

In addition:

“Real-world architectures don’t always fit into these categories that the European Commission proposes.”

Uncertainty persists in areas such as the definition of “substantial modifications” (which determines when a modified product must be reassessed as a new product), the appropriate length of support periods, and the treatment of increasingly complex software ecosystems built on third-party components and cloud services. These issues show that, while progress is being made, implementation of the CRA is still very much a work in progress.

Further reading:

Bank Info Security: Europe Girds for Looming IoT Security Regulations

Ceyhun Necati Pehlivan


Editor and author of leading publications: Editor-in-Chief, Global Privacy Law Review; Co-editor, The EU AI Act: A Commentary; Co-editor, AI Governance and Liability in Europe: A Primer (Wolters Kluwer).
