Is Your Software Ready for the EU's New Cyber Law - Even If You Never Leave the UK?
If you build software, sell digital products, or run a marketplace for third-party tools, there's a regulation coming that most UK businesses haven't heard of - and it doesn't care where you're based. The EU's Cyber Resilience Act (CRA) applies to any product placed on the EU market. Sell to a single customer in France? You're in scope.
With key obligations landing in September 2026 and full enforcement from December 2027, the window to prepare is shorter than it looks.
What is the Cyber Resilience Act?
The CRA is EU-wide product security legislation that applies to hardware and software products with digital elements. Unlike the UK's own Cyber Security and Resilience Bill -- which focuses narrowly on critical national infrastructure -- the CRA casts a much wider net. Mobile apps, SaaS plugins, browser extensions, business software: if it connects to a device or network and you sell it commercially, it's almost certainly in scope.
The aim is straightforward: no more software shipped with known vulnerabilities, no more security treated as an afterthought. Manufacturers must embed security from design through to end of support.
What does it actually require?
For most software products, which fall into the standard "default" category, the requirements centre on four areas:
Security by design. Products must ship with no known exploitable vulnerabilities, minimal attack surface, secure default configuration, and a mechanism for delivering security updates.
A documented risk assessment. You need to demonstrate that you've identified and addressed cybersecurity risks before placing the product on the market, and that this assessment is kept up to date.
A Software Bill of Materials (SBOM). A machine-readable inventory of your dependencies -- every library, package, and component your product relies on. Formats like CycloneDX or SPDX are the standard.
Vulnerability handling. A published disclosure policy, a process for receiving and acting on vulnerability reports, and a commitment to issue free security updates for the supported lifetime of the product.
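As an added illustration (not code from the article), the following Python audits a constructed CycloneDX SBOM for the two things the SBOM requirement and the "no known exploitable vulnerabilities" requirement above hinge on: every component is fully identified, and none matches an advisory. The SBOM contents, the advisory list and the advisory identifier are constructed placeholders, not real packages' data or real CVEs.

```python
import json

# Constructed sample SBOM in the shape Syft or the CycloneDX CLI would emit
# for a small Python service (package names and versions are illustrative).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:pypi/leftpad@1.0.0"},
        {"type": "library", "name": "mystery"},   # version and purl not recorded
    ],
})

# Constructed advisory list: package name -> {affected version: advisory id}.
# The identifier is a placeholder, not a real CVE; a real pipeline would
# fetch this from a vulnerability database such as OSV.
SAMPLE_ADVISORIES = {"leftpad": {"1.0.0": "ADV-PLACEHOLDER-0001"}}


def audit_sbom(sbom_json, advisories):
    """Audit a CycloneDX JSON SBOM.

    Returns (incomplete, affected): names of components lacking a name,
    version or purl (they cannot be matched against advisories at all), and
    (name, version, advisory_id) tuples for components with a known issue.
    Either list being non-empty should block placing the release on the market.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    incomplete, affected = [], []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not all(comp.get(key) for key in ("name", "version", "purl")):
            incomplete.append(name)
            continue
        advisory_id = advisories.get(name, {}).get(comp["version"])
        if advisory_id:
            affected.append((name, comp["version"], advisory_id))
    return incomplete, affected


if __name__ == "__main__":
    incomplete, affected = audit_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    print("incomplete components:", incomplete)   # ['mystery']
    print("known-vulnerable:", affected)   # [('leftpad', '1.0.0', 'ADV-PLACEHOLDER-0001')]
```

The incomplete list matters as much as the affected one: a component with no version or purl cannot be checked at all, so it cannot support the "no known exploitable vulnerabilities" claim in the technical file.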
Do you need a CE mark?
Yes, if you're selling into the EU market. For default-category products, this doesn't require a third party -- you self-certify by completing your risk assessment, producing technical documentation, writing an EU Declaration of Conformity, and affixing the CE mark. It's more paperwork than expense, but it needs to be done properly and kept current.
Higher-risk product categories (security software, identity management tools, firewalls) face stricter conformity assessment requirements including mandatory third-party review.
What about pen testing?
Formal penetration testing is not explicitly mandated by the CRA. However, you must credibly demonstrate that your product contains no known exploitable vulnerabilities. For anything handling authentication, personal data, or payments, a pen test is the most defensible way to evidence that claim. For lighter-weight modules and tools, a combination of automated scanning (SAST, dependency checking) and documented code review is likely sufficient for self-certification.
What if you run a marketplace?
If you sell other people's software through your platform, you're a distributor under the CRA. You're not responsible for building compliance into products you didn't make, but you are responsible for not knowingly listing non-compliant ones. Practically, this means your seller terms should require module authors to provide a valid EU Declaration of Conformity and CE mark as a condition of listing -- and you need a mechanism to pull products quickly if a vulnerability is reported.
Two dates UK businesses must know
11 September 2026 -- Vulnerability and incident reporting obligations begin. Manufacturers must notify the relevant EU CSIRT within 24 hours of discovering an actively exploited vulnerability in their product. This is less than 16 months away.
11 December 2027 -- Full CRA compliance required. From this date, non-compliant products cannot legally be placed on the EU market.
What should you do now?
Classify your products. Determine whether they fall into the default, important (Class I or II), or critical category. This determines your conformity assessment route.
Audit your dependencies. Start generating SBOMs now. Tools like Syft, CycloneDX CLI, or built-in package manager integrations make this straightforward.
Formalise your security processes. Document your secure development lifecycle, code review practices, and vulnerability handling procedures. The technical file isn't just compliance theatre -- regulators can request it.
Publish a vulnerability disclosure policy. This can be as simple as a security.txt file and a dedicated email address with a documented response SLA.
Review your supplier and marketplace contracts. If you depend on third-party components or host third-party products, contractual CRA obligations need to flow down the supply chain.
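The "publish a vulnerability disclosure policy" step above mentions a security.txt file; as an added example (not code from the article), this Python checks a constructed security.txt against the points RFC 9116 makes mandatory or recommends: Contact and Expires present, Contact as a mailto:/https:/tel: URI, Expires as a timezone-aware RFC 3339 timestamp that is neither past nor more than a year away, plus a Policy link where the response SLA can live. The sample file, example.com domain and fixed reference time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what a site would serve at /.well-known/security.txt
# (example.com is a placeholder domain).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for an example product
Contact: mailto:security@example.com
Expires: 2026-09-30T00:00:00Z
Policy: https://example.com/security-policy
Preferred-Languages: en
"""
# Fixed reference time so the sample evaluates the same way on any day.
DEMO_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
REQUIRED = ("Contact", "Expires")               # mandatory under RFC 9116
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def parse_security_txt(text):
    """Return {field: [values]} from a security.txt body; comments skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=DEMO_NOW):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems = [f"missing required field {f}" for f in REQUIRED if f not in fields]
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {contact}")
    for exp in fields.get("Expires", []):
        try:   # accept the common 'Z' suffix on older Python versions
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp}")
            continue
        if when.tzinfo is None:
            problems.append("Expires lacks a timezone offset")
        elif when <= now:
            problems.append("Expires is in the past; the file is stale")
        elif when - now > timedelta(days=366):
            problems.append("Expires is over a year away; RFC 9116 recommends less")
    if "Policy" not in fields:
        problems.append("no Policy link to the disclosure policy and response SLA")
    return problems
```

Run the check in CI against the file you deploy, since an expired security.txt is the most common way a published disclosure channel silently stops counting as one.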
The CRA isn't going away, and unlike GDPR, there's no grace period for good intentions. The businesses that start the groundwork now will find certification a formality. Those that leave it to 2027 will find it a crisis.
The penalties for non-compliance reach up to €15 million or 2.5% of global annual turnover, whichever is higher.
