Definition

The EU Cyber Resilience Act (CRA) is a comprehensive piece of legislation designed to improve the cybersecurity of digital products and services. It applies to a wide range of products including hardware, software, and connected devices, and covers the entire life cycle of these products, from design and development to distribution and end-of-life management.

What are “products with digital elements”?

The CRA defines products with digital elements (PDEs) as “any software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately, provided its use involves a physical data connection to a device or network.”

Who is impacted by the CRA?

The CRA will have a broad impact on the technology industry, affecting manufacturers, suppliers, and service providers. It is particularly relevant for organizations that produce or distribute digital products including software, hardware, and connected devices. The legislation aims to create a more secure digital environment by setting high standards for cybersecurity and holding organizations accountable for meeting these standards.


Manufacturers have the most significant responsibilities. Importers and distributors also have distinct obligations under the CRA, including verifying that a PDE bears the CE marking, which signifies that it complies with the CRA’s essential cybersecurity requirements. They must also ensure that the required documentation is in place and inform the relevant authorities about identified cybersecurity risks.

Is open source software impacted by the CRA?

Yes. If open source is integrated into a commercial PDE, the manufacturer of that PDE is fully responsible for ensuring the entire product, including the open source components, complies with the CRA.

Are any products excluded by the CRA?

Certain product categories are excluded, primarily because they are already covered by existing sector-specific EU legislation that includes cybersecurity requirements. Notable exclusions are:

  • Medical devices
  • Motor vehicles
  • Software-as-a-service products, provided they do not involve local software components on the user’s device that are necessary for its functioning
  • Products developed or modified exclusively for national security or defense purposes
  • Spare parts with digital elements supplied by the original manufacturer that are exempt under certain conditions

When and where does the CRA apply?

The CRA applies to all PDEs that are placed on the market of the European Union. This means that any manufacturer, importer, or distributor intending to sell or otherwise make PDEs available to end users within the EU must comply with the CRA’s provisions regardless of their own geographical location.

The CRA’s implementation is phased, allowing manufacturers, importers, and distributors time to adapt to the new requirements. Vulnerability and incident reporting obligations commence on September 11, 2026, significantly earlier than the full applicability of most other provisions, which begins on December 11, 2027.

Achieving CRA compliance with Black Duck

Black Duck security solutions help organizations confidently meet CRA requirements by enabling enhanced secure development practices, robust vulnerability management, and comprehensive transparency into third-party components.

  • Black Duck® SCA: Black Duck’s industry-leading software composition analysis (SCA) solution provides complete visibility into open source and third-party code by automatically identifying dependencies and uncovering security, licensing, and quality risks. Black Duck SCA can also generate accurate and complete Software Bills of Materials (SBOMs) in formats such as SPDX and CycloneDX to meet industry and regulatory requirements.
  • Coverity® Static Analysis: Black Duck’s leading static application security testing solution offers fast, accurate, and scalable security detection to uncover defects in proprietary code.
  • Defensics® Fuzzing: Defensics is a comprehensive, powerful, and automated black box solution that identifies unknown vulnerabilities in protocols and APIs to validate the resilience, quality, and security of software applications.
  • Software Risk Manager: An application security posture management (ASPM) solution, Software Risk Manager helps DevSecOps teams consolidate the findings across their manual and automated testing tools into a single system of record. This provides complete visibility across the software development life cycle.