Enterprises are largely unprepared for the EU’s cyber resilience act

The Cyber Resilience Act is no longer a distant topic for legal teams or compliance officers; it is a real, immediate challenge for every enterprise operating in or selling to the European Union. According to the Open Source Security Foundation (OpenSSF), two-thirds of organizations don’t even know what the Act entails. The first wave of CRA requirements came into effect on June 11, setting in motion a new era of accountability for digital products.

This law demands rigorous security standards for both hardware and software before they reach the EU market. Yet far too many executive teams are treating it as tomorrow’s problem. When organizations underestimate regulations like the CRA, they expose themselves to more than just legal penalties; they risk cascading failures across their technology stacks. With digital ecosystems increasingly interlinked through shared software and open-source components, a gap in compliance today can become a full-scale crisis tomorrow.

Business leaders should view the CRA not as another layer of bureaucracy, but as a structural shift in how the EU defines and enforces digital trust. Compliance is not optional; cybersecurity resilience is now an operational expectation. That means embedding security into every layer of product design, supply chain management, and vendor oversight. The companies that get this right early will not only avoid heavy fines but will also win long-term trust from regulators, customers, and partners.

Christopher Robinson, Chief Technology Officer at the OpenSSF, summed up the situation plainly: despite extensive public discussion, most companies still “aren’t aware of the implications of the Act.” The penalties alone make ignorance costly: fines can reach €15 million or 2.5% of annual global turnover. The clock on compliance has already started ticking.

The CRA introduces new compliance roles and a phased set of obligations

The Cyber Resilience Act changes the game for how organizations manage software security. It’s not just about product vendors anymore. Every enterprise using, integrating, or distributing software with digital components must adapt. One of the Act’s most important features is the introduction of a new role, the open-source steward. This role ensures that organizations know exactly what software they rely on, where it comes from, and how it’s secured. That’s essential because open-source code is often buried deep in supply chains, reused across countless applications without much visibility.

The CRA’s implementation is rolled out in phases. Since June 11, EU member states have started designating conformity assessment bodies. By September 11, manufacturers will have to begin reporting known vulnerabilities. And by December 11, 2027, all key obligations, along with steep penalties for non-compliance, will be enforced. This timeline offers a temporary advantage: it gives enterprises space to prepare, provided they act now.

To comply, companies must also formalize something known as a software bill of materials (SBOM). Think of this as a verified inventory of every software component within a product, proving that it meets security standards. Many companies, particularly those supplying the U.S. federal government, already fulfill similar requirements. Aligning with these standards early not only ensures compliance but also simplifies operations and reduces risk exposure on a global scale.

Executives should recognize that the phased rollout is designed to help. It allows organizations to integrate compliance progressively, reassessing vendor relationships, tightening open-source policies, and reinforcing internal security frameworks without major disruption. Those that wait, however, will face a compressed timeline and higher costs later on.

As Christopher Robinson of the OpenSSF noted, most organizations have “little idea which of the roughly 700 million open-source projects on GitHub are being used” within their systems. That uncertainty alone makes the open-source steward role more critical than ever. Identifying and securing every piece of code in use is no longer just good practice; it is the law.


Misunderstanding the CRA’s scope and compliance requirements

A major reason many enterprises remain unprepared for the Cyber Resilience Act is a basic misunderstanding of whom the law applies to. Too many assume it only affects product manufacturers or software vendors. That belief is incorrect. The CRA applies to any company using, distributing, or integrating software within the EU market, including enterprises that rely heavily on open-source code.

This misunderstanding creates a dangerous blind spot. Organizations often operate under the assumption that their partners or software suppliers carry the compliance burden. But the responsibility is shared across the entire development and supply chain. If a company’s systems use non-compliant components, the company itself can be held accountable. In a connected business environment, regulatory responsibility now extends far beyond the walls of a single enterprise.

Executives who underestimate this scope risk more than fines. They risk long-term reputational damage and operational disruption. Global markets are already following Europe’s lead; Japan, for instance, is considering similar cybersecurity laws. Companies that fail to prepare for the CRA today may find themselves playing catch-up as other jurisdictions adopt comparable rules. The point is clear: cyber resilience and regulatory readiness are no longer optional.

This is where leadership matters. Senior teams must create clarity across every business unit. Regulatory alignment should not sit solely with compliance officers; it must become a strategic focus embedded into product, engineering, and procurement processes. With penalties reaching up to €15 million per infraction or 2.5% of annual global turnover, these requirements demand corporate-level attention, planning, and ownership.

Christopher Robinson, CTO of the Open Source Security Foundation, has emphasized that it’s time for every stakeholder in the software supply chain to understand the full extent of the CRA. Enterprises can no longer afford the luxury of assuming security and compliance are someone else’s problem.

The CRA serves as a critical step towards assigning clear responsibility

For years, digital product security has suffered from fragmented accountability. When vulnerabilities surfaced, responsibility was often unclear, sometimes landing on the vendor, sometimes the user, or lost somewhere in between. The CRA finally addresses this by enforcing clear responsibility along the entire software supply chain. Every organization involved in bringing a digital product to market will now be expected to prove that the software meets defined security standards.

This shift marks an important evolution in regulatory thinking. The modern software ecosystem is built on layers of open-source and commercial code, reused and modified countless times. Without accountability, weak components can enter products unnoticed, creating vulnerabilities that spread across customers and industries. The CRA forces alignment: companies must now know exactly what dependencies they are integrating, document them, and maintain secure practices throughout development and deployment.

For executives, this is both a challenge and an opportunity. The challenge lies in restructuring internal processes to achieve transparency and compliance. The opportunity lies in driving higher standards across the business, which can strengthen competitive advantage. Companies that adopt full-scope visibility into their software supply chain will not only meet the CRA’s demands but also enhance product reliability, client confidence, and market differentiation.

Cybersecurity consultant Hans Study described the change succinctly: “Almost every application has dependencies… what the CRA does is make it harder for companies to dodge that responsibility when they are building, selling, or placing products with digital elements on the market.” His point underscores the heart of the regulation: accountability is no longer negotiable.

For leadership teams, the next steps should focus on three priorities: establish ownership of security responsibilities, ensure fast traceability of components, and integrate compliance reporting into core operations. Organizations that act decisively will not only meet regulatory demands but will also operate with a stronger, more transparent digital foundation.

The integration of artificial intelligence in software development complicates CRA compliance efforts

Artificial intelligence is changing how software is built, but it is also creating new risks that most companies haven’t yet addressed. The CRA assumes that organizations fully understand what’s in their software and how it’s constructed. That assumption doesn’t hold when AI systems are generating large portions of code. As AI integration increases, it becomes harder to verify code origins, dependencies, and compliance with internal governance standards.

AI coding assistants and generative development tools don’t read a company’s security policies, licensing rules, or open-source usage guidelines. This means code produced by AI can bypass established compliance checks, introducing hidden vulnerabilities or untraceable dependencies into the software. For organizations subject to the CRA, this breaks the transparency and accountability the Act demands.

Executives need to view this as a structural issue. AI-generated code must be treated as a regulated asset within the organization. Security and compliance teams need to retrace all inputs and outputs tied to AI-assisted development, ensuring consistency with legal and ethical requirements. The sooner companies integrate automated auditing and version control around AI-generated code, the easier it will be to demonstrate compliance once full enforcement begins.

Michael Callahan, Vice President of Cyber Strategy at Salt Security, captured the concern clearly. He explained that AI-generated code “may contain dependencies, patterns, or vulnerabilities that your security team cannot easily trace back to a specific decision or a specific developer.” This calls for new oversight structures, clear ownership, more frequent reviews, and alignment between AI operations and corporate compliance frameworks.

The message for leadership is direct: AI innovation should move in lockstep with regulatory and security readiness. Enterprises that achieve this balance will gain both technological speed and operational credibility under the CRA’s stricter standards.

A significant number of organizations are skeptical about meeting the CRA compliance deadline

Despite knowing the stakes, many organizations are far behind in preparation. The OpenSSF survey found that only 41% of manufacturers expect to meet full CRA compliance by December 2027. Another 39% aren’t sure when they will be ready. This shows a widespread lack of confidence and planning in an area where clarity is essential.

Executives should recognize that delay carries increasing risk. The CRA’s timeline has been clearly communicated, but companies are still underestimating the work required: structural changes to supply chains, audits of open-source usage, establishment of new compliance roles, and upgraded reporting systems. For enterprises with complex global operations, the effort spans legal, technical, and strategic dimensions.

Waiting for the regulation to “settle” or for enforcement examples to appear is a high-risk strategy. The regulatory fines are significant, up to €15 million or 2.5% of global annual turnover per violation, and will escalate quickly once enforcement begins. Christopher Robinson, CTO of the Open Source Security Foundation, noted that the CRA could follow the same pattern as GDPR, where a few large fines were enough to force rapid industry compliance. He cautioned that such penalties could “wipe out an SME and seriously hit large corporations.”

Corporate leaders should use the remaining window to push compliance initiatives from the top down. This means forming cross-functional teams that connect legal, technical, and procurement departments, ensuring that compliance progress is measurable and transparent. More importantly, it requires financial commitment. Meeting CRA standards is not a one-time project; it is a sustained operational upgrade that redefines how companies manage software risk.

For executives, the goal should be simple but urgent: prioritize readiness today. By integrating compliance timelines into strategic planning and investing in continuous security improvements, organizations can transition from reactive to resilient before the CRA’s full enforcement in late 2027.

Key takeaways for leaders

  • Regulatory awareness gap demands urgent leadership focus: Most companies remain unaware of the EU Cyber Resilience Act (CRA), which enforces strict cybersecurity standards. Leaders should immediately assess current compliance readiness to avoid legal, financial, and reputational risk.
  • Structured rollout offers a short window for preparation: The CRA’s phased implementation allows time to act, but early adaptation is critical. Executives should assign accountability, build the open-source steward role, and create verified software inventories before 2027 enforcement.
  • Misunderstanding scope increases exposure: Many firms wrongly assume the CRA only affects vendors. Leadership teams must clarify internal responsibilities and reexamine software supply chains to ensure full compliance across all digital operations.
  • Clear accountability transforms supply chain security: The CRA ends ambiguity around responsibility for software security. Executives should enforce transparent oversight of all software components and embed accountability and traceability within product lifecycle management.
  • AI-generated code adds compliance complexity: The rise of AI in development breaks traditional assumptions about software traceability. Leaders must strengthen oversight of AI-driven coding processes and ensure all generated code meets security and regulatory standards.
  • Compliance will require sustained investment and urgency: With only 41% of firms expecting to meet CRA standards by 2027, immediate executive action is needed. Companies should fund cross-functional compliance programs now to secure resilience and avoid severe financial penalties later.

Alexander Procter

June 19, 2026

