The EU’s Cyber Resilience Act is a forcing function that is driving software manufacturers and open source communities to align security, compliance, and innovation in a newly regulated world.
The software industry in Europe is undergoing a transformation. With projected 2025 revenues topping $166.5 billion, and a digital economy contributing over $1 trillion to the EU GDP, the importance of robust cybersecurity standards cannot be overstated. In response, the European Union’s Cyber Resilience Act (CRA) marks a pivotal shift by positioning security and compliance as first-class citizens in the software development lifecycle.
In a recent episode of AppDevANGLE, I sat down with Mike Milinkovich, Executive Director of the Eclipse Foundation, to unpack what the CRA means for global software stakeholders and why developers, manufacturers, and open source foundations must act now.
The First Horizontal Regulation of Software
The CRA is not just another regional policy; it is the world’s first horizontal regulation of software and digital products. It affects everything from consumer apps to industrial IoT, from web-based ERP systems to embedded firmware in everyday devices.
“This isn’t just about software,” said Milinkovich. “It’s about any product with digital elements. If it runs code and is sold in Europe, it’s covered.”
That includes everything from smart thermostats and routers to enterprise applications and cloud platforms. One caveat for practitioners: the CRA covers remote data processing only where it is part of a product’s function, so standalone SaaS is outside its scope, and products already governed by sector rules (medical devices, vehicles, aviation) follow those regimes instead. And for U.S., APAC, and other non-EU vendors? The rules still apply. If you want to sell in Europe, you must comply.
A New Normal for Software Development
At the heart of the CRA is a push for “secure by design” principles throughout the software lifecycle. That means implementing proactive security controls and not just bolting them on after deployment.
Research shows that this aligns with current enterprise maturity. For instance:
- 43% of EU-based enterprises already use ERP systems.
- 25% leverage CRM solutions.
- Both categories demand strong data privacy, compliance, and integration postures.
As organizations increase CI/CD automation, CRA readiness means wiring automated security scanning, SBOM generation, vulnerability tracking, and compliance checks into the pipeline itself, so that a build which fails policy never reaches a release.
“Developers can’t treat compliance as a post-release task anymore,” I noted. “These requirements are now part of your build process.”
Open Source Projects and Commercial Manufacturers
A key challenge lies in the dynamic between open source contributors and commercial product manufacturers. Historically, companies pulled from open source repositories with little feedback or support flowing upstream.
But the CRA changes that.
“If you include open source in your product, you now have due diligence obligations,” said Milinkovich. “Manufacturers must engage with the projects they rely on. The old ‘thanks for the free stuff’ model won’t cut it anymore.”
To facilitate this, the Eclipse Foundation, the largest open source foundation based in Europe, plays a pivotal role. Through its Open Regulatory Compliance Working Group (ORC-WG)—which includes members like Nokia and Mercedes-Benz—the foundation is helping shape the 40+ harmonized European standards that define CRA implementation.
This cross-sector collaboration is crucial for aligning open source development with regulatory expectations.
A New Era of Tooling and Automation
As developers look to meet CRA compliance, the industry is responding with a new wave of tooling:
- Private startups are building CRA-focused compliance platforms.
- Open source initiatives are emerging from foundations to produce SBOMs, automate vulnerability disclosures, and support secure build practices.
- CI/CD plugins now offer built-in compliance gates and policy validation.
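What such a compliance gate looks like in practice, as an added example that is not code from the original article, the Eclipse Foundation or any ORC-WG project: the script below takes a CycloneDX 1.5 JSON document whose `components` came from an SBOM generator and whose `vulnerabilities` carry a scanner’s findings together with the team’s VEX `analysis` statements, then blocks the build if a component cannot be traced to a supplier or if an unresolved finding meets the severity threshold. The package names, the `EXAMPLE-*` vulnerability identifiers and the `run_gate`/`evaluate` helpers are all constructed for this illustration.

```python
"""CI/CD compliance gate over a CycloneDX SBOM with embedded VEX analysis.

Added example, not from the original article or any ORC-WG project. It assumes
the pipeline already produced a CycloneDX 1.5 JSON document whose `components`
come from an SBOM generator and whose `vulnerabilities` carry a scanner's
findings plus the team's `analysis` (VEX) statements. Package names and the
EXAMPLE-* vulnerability identifiers below are constructed for illustration.
"""
import json
import sys
from dataclasses import dataclass, field

# Ordering used to compare a finding against the fail-on threshold.
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# CycloneDX analysis states under which a finding does not block the build.
NON_BLOCKING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed sample: three components, four findings, mixed VEX states.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "comp-netlib", "type": "library", "name": "netlib", "version": "2.3.1",
         "purl": "pkg:maven/org.example/netlib@2.3.1", "supplier": {"name": "Example Org"}},
        {"bom-ref": "comp-libwidget", "type": "library", "name": "libwidget", "version": "1.4.0",
         "purl": "pkg:generic/libwidget@1.4.0"},                      # no supplier recorded
        {"bom-ref": "comp-parsekit", "type": "library", "name": "parsekit", "version": "0.9.2",
         "purl": "pkg:pypi/parsekit@0.9.2", "supplier": {"name": "Parsekit Maintainers"}},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "comp-libwidget"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "comp-parsekit"}], "analysis": {"state": "in_triage"}},
        {"id": "EXAMPLE-0003", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "comp-netlib"}]},
        {"id": "EXAMPLE-0004", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "comp-zzz"}]},                           # dangling reference
    ],
})


@dataclass
class GateResult:
    passed: bool
    violations: list[str] = field(default_factory=list)


def highest_severity(vuln: dict) -> str:
    """A finding may carry several ratings (NVD, vendor, ...); gate on the worst."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def evaluate(bom: dict, fail_on: str = "high") -> GateResult:
    violations: list[str] = []
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}

    # 1. Provenance: each component must be identifiable (purl) and traceable to
    #    a supplier, which is what a manufacturer's due-diligence record is built from.
    for ref, comp in components.items():
        if not comp.get("purl"):
            violations.append(f"{ref}: missing purl")
        if not comp.get("supplier", {}).get("name"):
            violations.append(f"{ref}: missing supplier")

    # 2. Vulnerabilities: anything at or above the threshold must carry a VEX
    #    analysis state saying it does not apply or is already resolved.
    threshold = SEVERITY_RANK[fail_on.lower()]
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        severity = highest_severity(vuln)
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in components:
                # A finding that points at nothing in the SBOM means the SBOM
                # and the scan disagree; that is itself a gate failure.
                violations.append(f"{vid}: affects unknown bom-ref {ref!r}")
                continue
            if SEVERITY_RANK.get(severity, 0) >= threshold and state not in NON_BLOCKING_STATES:
                violations.append(f"{vid} ({severity}) on {ref}: state {state!r} is unresolved")

    return GateResult(passed=not violations, violations=violations)


def run_gate(bom_json: str, fail_on: str = "high") -> GateResult:
    """Parse a CycloneDX JSON string and apply the policy; non-zero exit in CI on failure."""
    return evaluate(json.loads(bom_json), fail_on)


if __name__ == "__main__":
    # Usage: python gate.py [bom.json] [fail-on severity]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    result = run_gate(text, fail_on=sys.argv[2] if len(sys.argv) > 2 else "high")
    for v in result.violations:
        print("FAIL:", v)
    print("gate:", "passed" if result.passed else "blocked")
    sys.exit(0 if result.passed else 1)
```

Run against the constructed sample, the gate blocks on three counts: `libwidget` has no supplier on record, `EXAMPLE-0002` is a high-severity finding still in triage, and `EXAMPLE-0004` references a component the SBOM does not contain. The critical `EXAMPLE-0001` does not block because the team recorded a `not_affected` VEX statement, which is exactly the kind of evidence a manufacturer would keep alongside the SBOM to show due diligence on a dependency.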
Yet many existing standards still assume software is proprietary and developed under one roof. That’s increasingly out of step with today’s reality.
“As much as 80–90% of modern software is made up of open source dependencies,” Milinkovich noted. “We need standards that reflect how software is actually built.”
This shift presents an opportunity to co-create next-generation security standards, ones that account for decentralized development, open source integration, and global distribution models.
The Clock is Ticking
While the CRA’s main obligations apply from 11 December 2027, the clock is already ticking:
- Reporting obligations apply from 11 September 2026: manufacturers must notify ENISA and the relevant CSIRT of actively exploited vulnerabilities and severe incidents, with an early warning due within 24 hours.
- Products in the “important” and “critical” categories face stricter conformity assessment, in many cases by an external notified body or under a European cybersecurity certification scheme, rather than the self-assessment available to the default category.
- CE marking, backed by technical documentation and an EU declaration of conformity, will be mandatory to place regulated products with digital elements on the EU market.
“We’re already out of time,” Milinkovich warned. “The first drafts of these standards are due next month. If you haven’t started assessing your codebase, you’re behind.”
Our industry has seen this before: regulatory deadlines creep up faster than expected, and teams scramble to retrofit compliance. But this time, the scale is broader and the consequences will include market exclusion, legal risk, and reputational damage.
Shift Left on Security, Shift Now on Strategy
As I’ve said before, compliance isn’t just about checking boxes; it’s about building trust, reducing risk, and ensuring continuity across a fractured software ecosystem.
If you’re unsure where to start, visit orcwg.org for resources, FAQs, and community-led initiatives shaping the future of secure software. And if you’re overwhelmed, don’t hesitate to partner with service delivery organizations that can guide you through audit preparation, tooling integration, and continuous compliance workflows.
“This isn’t just about the CRA,” I concluded. “It’s about how we modernize security and resilience across the entire digital economy.”