Cyber Resilience Act (CRA) – what software vendors should do now
The CRA changes everyday software delivery in two ways: (1) security must be demonstrated systematically across the product lifecycle, not asserted at release time, and (2) vulnerability handling is no longer optional; it becomes part of the vendor's product responsibility.
What this means in practice
- Secure development lifecycle: requirements, threat modelling, testing and release as a repeatable process.
- Vulnerability management: an intake channel for reports, triage, fixes and a release cadence, all documented and measurable.
- Updates and lifecycle: how updates are delivered, to whom, on what schedule, and how legacy versions are handled.
- SBOM and dependencies: visibility into components and clear practices for updates and remediation.
- Documentation: implemented controls, rationale and audit trail — so it still makes sense a year later.
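The SBOM and vulnerability-management points above are easier to make measurable when a check runs in CI on every build. The block below is an added example, not code from the original page or from any CRA guidance: it parses a CycloneDX-style SBOM, reports components the SBOM cannot identify precisely (missing version or package URL), and matches the rest against an advisory list. The sample SBOM, the component names and the advisory entries are constructed for illustration and refer to no real product or vulnerability; dotted-integer versions are an assumption that a real check would replace with ecosystem-specific version parsing.

```python
"""Added example (not from the original page): a minimal CI-style check over
a CycloneDX-style SBOM, covering component visibility and advisory matching.

Assumptions (not stated on the page): the SBOM is CycloneDX 1.x JSON,
component versions are dotted integers, and the advisory list below is
constructed for illustration only; it names no real vulnerability."""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM (CycloneDX 1.5 JSON shape) for a hypothetical product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "netparse", "version": "0.9.0",
         "purl": "pkg:generic/netparse@0.9.0"},
        # A component that was vendored without recording its origin:
        {"type": "library", "name": "untracked", "version": "", "purl": ""},
    ],
})

# Constructed advisory data: (component, first affected, first fixed).
# Hypothetical entries for the example; these are not real advisories.
ADVISORIES = [
    ("netparse", "0.8.0", "0.9.3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted-integer versions only (assumption); raises ValueError otherwise."""
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the component list of a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def check_visibility(components: List[Dict[str, str]]) -> List[str]:
    """Names of components the SBOM cannot identify precisely (no version or purl)."""
    return [c.get("name", "<unnamed>") for c in components
            if not c.get("version") or not c.get("purl")]


def check_advisories(components: List[Dict[str, str]],
                     advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """(name, version, fixed_in) for each component inside an affected range."""
    hits = []
    for c in components:
        if not c.get("version"):
            continue  # already reported by check_visibility
        try:
            ver = parse_version(c["version"])
        except ValueError:
            continue  # non-numeric version: out of scope for this simplified check
        for name, affected_from, fixed_in in advisories:
            if c.get("name") == name and \
                    parse_version(affected_from) <= ver < parse_version(fixed_in):
                hits.append((name, c["version"], fixed_in))
    return hits


def audit(sbom_json: str, advisories=ADVISORIES) -> Dict[str, list]:
    """Single entry point a CI job can call; non-empty lists are findings."""
    comps = load_components(sbom_json)
    return {"unidentified": check_visibility(comps),
            "affected": check_advisories(comps, advisories)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```

Run as-is it reports `untracked` as unidentified and `netparse 0.9.0` as affected with `0.9.3` as the remediation target; a CI job would fail the build on either list being non-empty and store the JSON output as the audit trail the documentation point above asks for.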
Why this is also an opportunity
Once lifecycle and documentation are in good shape, products handle customer requirements, audits and integrations more smoothly. The same work often improves quality and maintainability.