SBOMVault.ai
Compliance

EU CRA: What software vendors need to know before 2027

April 22, 2026 · 7 min read · SBOMVault Team

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the most significant supply-chain security regulation any software vendor has faced this decade. If your products reach EU customers, directly or embedded in someone else's, the main obligations apply from 11 December 2027. The reporting obligations kick in earlier, on 11 September 2026.

What the CRA actually requires

The CRA puts manufacturers of "products with digital elements" on the hook for the security of those products throughout their lifecycle. For a software vendor that boils down to three things:

  1. A software bill of materials for every product you place on the market, in a commonly used and machine-readable format, covering at least the product's top-level dependencies. It is part of the technical documentation, which you must keep available to market surveillance authorities for at least ten years after the product is placed on the market or for the support period, whichever is longer (the support period is at least five years unless the product is expected to be in use for less).
  2. Reporting of any actively exploited vulnerability in the product: an early warning within 24 hours of becoming aware, submitted through the single reporting platform to the CSIRT designated as coordinator and to ENISA, then a fuller notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available. Affected users must be informed without undue delay; that is a separate duty from the 24-hour early warning, which goes to the authorities, not to users.
  3. Security-by-design evidence for the conformity assessment: the product has to meet the essential requirements of Annex I, including a vulnerability-handling process with a coordinated disclosure policy, a contact point for reporting, and security updates disseminated without delay and free of charge. Most products can be self-assessed; the ones the CRA classes as important or critical face stricter assessment routes.

What "documented SBOM" means

The CRA does not name a format. Annex I asks for an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies, and the Commission can pin down format and contents later in an implementing act. The practical bar is that a third party must be able to identify every component and its version from the document, so an SBOM exported from a dependency manifest with versions or the dependency graph missing does not clear it. The SBOM belongs to the technical documentation rather than to the product delivery: you do not have to ship it to customers, but a market surveillance authority can ask for it. CycloneDX 1.7 and SPDX 2.3 are both safe choices today.
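A quick way to see whether an SBOM clears that bar is to check it mechanically before it goes into the technical documentation. The script below is an added example written for this article, not SBOMVault.ai code and not a CRA-mandated check. It reads CycloneDX JSON or SPDX 2.3 JSON and reports, for each document, whether the product is identified, whether every component carries a name and a version, and whether the product's top-level dependencies are declared and point at real components. It goes one step beyond the Annex I wording by also flagging components with no purl or cpe, because without such an identifier the SBOM cannot be matched against vulnerability data later. The three sample documents at the bottom are constructed for the example.

```python
"""Minimum-content check of an SBOM against the CRA's Annex I wording: a commonly
used, machine-readable format naming each component with its version and covering
at least the product's top-level dependencies. Added example, not SBOMVault.ai
code; accepts CycloneDX JSON and SPDX 2.3 JSON. The samples below are constructed."""
import json


def _cyclonedx_findings(bom):
    findings = []
    root = (bom.get("metadata") or {}).get("component") or {}
    root_ref = root.get("bom-ref")
    if not root.get("name") or not root.get("version") or not root_ref:
        findings.append("metadata.component needs a name, a version and a bom-ref")
    refs = set()
    for i, comp in enumerate(bom.get("components") or []):
        label = comp.get("name") or f"components[{i}]"
        if not comp.get("name"):
            findings.append(f"{label} has no name")
        if not comp.get("version"):
            findings.append(f"component {label} has no version")
        if not comp.get("purl") and not comp.get("cpe"):
            findings.append(f"component {label} has no purl or cpe to match vulnerability data on")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
    # Top-level dependencies are the dependsOn list on the root component's entry.
    deps = {d.get("ref"): d.get("dependsOn") or [] for d in bom.get("dependencies") or []}
    top_level = deps.get(root_ref) or []
    if not top_level:
        findings.append("no top-level dependencies declared for the root component")
    findings += [f"dependency ref {r!r} matches no component" for r in top_level if r not in refs]
    return findings


def _spdx_findings(doc):
    findings = []
    packages = {p.get("SPDXID"): p for p in doc.get("packages") or []}
    rels = doc.get("relationships") or []
    # The product is whatever the document DESCRIBES; SPDX 2.3 allows either spelling.
    roots = set(doc.get("documentDescribes") or [])
    roots |= {r.get("relatedSpdxElement") for r in rels if r.get("relationshipType") == "DESCRIBES"
              and r.get("spdxElementId") == "SPDXRef-DOCUMENT"}
    if not roots:
        findings.append("document does not say which package it DESCRIBES")
    for spdxid, pkg in packages.items():
        label = pkg.get("name") or spdxid
        if not pkg.get("name"):
            findings.append(f"package {spdxid} has no name")
        if not pkg.get("versionInfo"):
            findings.append(f"package {label} has no versionInfo")
        purls = [x for x in pkg.get("externalRefs") or [] if x.get("referenceType") == "purl"]
        if spdxid not in roots and not purls:
            findings.append(f"package {label} has no purl externalRef to match vulnerability data on")
    for root in roots:
        top_level = [r.get("relatedSpdxElement") for r in rels if r.get("spdxElementId") == root
                     and r.get("relationshipType") == "DEPENDS_ON"]
        top_level += [r.get("spdxElementId") for r in rels if r.get("relatedSpdxElement") == root
                      and r.get("relationshipType") == "DEPENDENCY_OF"]
        if not top_level:
            findings.append(f"no DEPENDS_ON/DEPENDENCY_OF relationships declared for {root}")
        findings += [f"dependency {d} is not a declared package" for d in top_level if d not in packages]
    return findings


def sbom_findings(text):
    """Return the list of findings for a JSON SBOM; an empty list means it passed."""
    data = json.loads(text)
    if data.get("bomFormat") == "CycloneDX":
        return _cyclonedx_findings(data)
    if str(data.get("spdxVersion", "")).startswith("SPDX-2."):
        return _spdx_findings(data)
    return ["not a CycloneDX JSON or SPDX 2.x JSON document"]


# Constructed sample: a product with one direct dependency, fully described.
GOOD_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "meter-firmware", "version": "4.2.0"}},
    "components": [{"type": "library", "bom-ref": "zlib", "name": "zlib",
                    "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"}],
    "dependencies": [{"ref": "app", "dependsOn": ["zlib"]}]})

# Constructed sample with the two most common gaps: no component version, no dependency graph.
_bad = json.loads(GOOD_CYCLONEDX)
del _bad["components"][0]["version"], _bad["dependencies"]
BAD_CYCLONEDX = json.dumps(_bad)

# Constructed sample: the same product in SPDX 2.3 JSON.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "meter-firmware",
    "documentDescribes": ["SPDXRef-app"],
    "packages": [{"SPDXID": "SPDXRef-app", "name": "meter-firmware", "versionInfo": "4.2.0"},
                 {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.3.1",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                                    "referenceLocator": "pkg:generic/zlib@1.3.1"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": "SPDXRef-zlib"}]})
```

Call sbom_findings() on the text of a real SBOM file and treat any non-empty result as a release blocker. On the samples, the complete CycloneDX and SPDX documents return no findings, while the stripped-down one returns two: the missing version on zlib and the missing top-level dependency list. The check is deliberately shallow (it does not validate against the CycloneDX or SPDX schemas) and is meant as the gate in front of a proper schema validator, not as a replacement for one.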

How to prepare now

You don't need a complete CRA programme in place tomorrow, but the reporting clock starts on 11 September 2026, so the disclosure path has to be working before then; the other two items should be in place well before the December 2027 deadline rather than started in its final quarter:

  • Generate SBOMs for every shipping product, including the proprietary and vendor-supplied components, not just the open-source ones
  • Set up the 24-hour reporting path: who gets paged, which template they use, how they submit the early warning to the coordinating CSIRT and ENISA through the single reporting platform, and how affected users are told afterwards
  • Build evidence trails for each release: vulnerability scan results, fix decisions, signoffs

This is where SBOMVault.ai's compliance dashboard saves teams hundreds of hours: the evidence is captured automatically as you upload and process SBOMs, so the conformity assessment becomes a download rather than a project.