CRA's Approach to Ongoing Software Security: Beyond Market Placement

The Cyber Resilience Act (CRA) makes it clear: launching your app, game, or software is just the beginning of your security responsibilities. The Act places significant emphasis on the security of your product throughout its entire lifecycle, particularly during its defined "support period".

Lifetime Security Commitment

You, as the manufacturer, are on the hook to ensure vulnerabilities are handled effectively even after your software is in users' hands. Article 13, Paragraph 8, mandates that you ensure vulnerabilities of your product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements detailed in Annex I, Part II, for the entire support period. This isn't a passive role; it requires active monitoring and response.

Annex I, Part II: Your Rulebook for Ongoing Security

Annex I, Part II, lays out specific vulnerability handling requirements. These include:

  • Identifying and documenting vulnerabilities and components, including drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format that covers at least the top-level dependencies.
  • Addressing and remediating vulnerabilities without delay, which includes providing security updates; where technically feasible, security updates are delivered separately from functionality updates.
  • Regularly testing and reviewing the security of your software.
  • Publishing information about fixed vulnerabilities once a security update is available, so users can identify the affected product and understand the impact.
  • Having and enforcing a coordinated vulnerability disclosure policy, with a contact address for reporting potential vulnerabilities.
  • Providing mechanisms to securely distribute updates.
  • Disseminating security updates without delay and free of charge.

This ongoing commitment means that security is not just a feature you build at the start but a service you provide for the expected lifetime of your software. The support period is set by the manufacturer to reflect how long the product is expected to be in use, and under Article 13, Paragraph 8, it must be at least five years unless the product is expected to be in use for a shorter time. The CRA's aim is to ensure that software products don't become unsupported, and therefore vulnerable, too quickly, leaving users exposed.

Key Takeaway

The CRA mandates that your responsibility for your software's security extends far beyond its initial release. You must actively manage and remediate vulnerabilities throughout a defined support period, following the detailed requirements in Annex I, Part II.