CRA and AI Regulation: What’s Next for Software Compliance?

The days of postponing cyber regulations are over.

The European Union (EU) Cyber Resilience Act (CRA) and the EU AI Act are ushering in a new era of accountability — one where organizations must prove their software is secure and was built securely from the start.

As these regulations take shape, they are fundamentally influencing how teams design, govern, and ship software. The shift impacts everything from open source consumption to AI adoption, supply chain practices, and long-term maintenance strategies.

Let’s break down what’s changing, why it matters, and how organizations can prepare.

Why the CRA Exists, and Why It’s Different

For decades, the world of open source has run on a quiet assumption: Use at your own risk. If something went wrong, the impact was usually treated as a cost of doing business.

Regulators see a different picture:

  • Cyberattacks are increasing in frequency and impact.

  • Critical infrastructure, consumer devices, and entire services now depend on software.

  • Ransomware attacks and supply chain compromises are no longer rare occurrences, but commonplace threats.

Instead of hoping organizations “do the right thing,” the CRA makes secure-by-design and secure-by-default practices a legal expectation.

From “Trust Me” to “Prove It”

One of the biggest shifts the CRA brings is the move from best effort to provable effort.

Manufacturers must now design secure software, provide timely updates throughout its life, and prove these practices were followed. Secure development, maintenance, and documentation are now the new baseline.

Producing that evidence is where automation and artifacts like software bills of materials (SBOMs) become essential.

Instead of scrambling to reconstruct what you used or how you tested it, you’ll need:

  • SBOMs generated as part of the build.

  • Logs and attestations for key security checks.

  • Traceability for vulnerabilities, patches, and risk decisions.

This practice is more than just good housekeeping for (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Aaron Linskens. Read the original post at: https://www.sonatype.com/blog/cra-and-ai-regulation-whats-next-for-software-compliance