{"id":4416,"date":"2026-06-25T16:08:32","date_gmt":"2026-06-25T16:08:32","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/25\/eu-cyber-resilience-act-overview-requirements-and-timelines\/"},"modified":"2026-06-25T16:08:32","modified_gmt":"2026-06-25T16:08:32","slug":"eu-cyber-resilience-act-overview-requirements-and-timelines","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/25\/eu-cyber-resilience-act-overview-requirements-and-timelines\/","title":{"rendered":"EU Cyber Resilience Act: Overview, Requirements, and Timelines"},"content":{"rendered":"<p>The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024, in response to increasingly frequent and costly cyberattacks on products with digital elements. It establishes the first horizontal cybersecurity baseline for hardware and software products placed on the EU market. The urgency is real: in <a href=\"https:\/\/www.docker.com\/resources\/software-supply-chain-security-report\/\" target=\"_blank\" rel=\"noreferrer noopener\">Omdia\u2019s 2026 software supply chain security report<\/a>, 77% of organizations reported experiencing a supply chain incident in the last year.<\/p>\n<p>The regulation <strong>applies in full from December 11, 2027,<\/strong> but the mandatory vulnerability and incident reporting obligations apply from <strong>September 11, 2026<\/strong>. 
For teams <a href=\"https:\/\/www.docker.com\/blog\/what-is-software-supply-chain-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">building and shipping containerized software<\/a>, the CRA turns practices like SBOM generation, vulnerability disclosure, and image hardening from voluntary best practices into legal requirements.<\/p>\n<p>This guide covers what the EU CRA requires, who it applies to, how its SBOM mandate connects to container build workflows, and what teams need to do before the compliance deadlines arrive.<\/p>\n<div class=\"wp-block-ponyo-zeta organism toc-exclude\">\n<blockquote class=\"container\">\n<h2 class=\"wp-block-ponyo-heading text-lg\">\n        Key takeaways<br \/>\n    <\/h2>\n<ul class=\"wp-block-list\">\n<li>The CRA requires all products with digital elements sold in the EU to meet cybersecurity standards by December 2027.<\/li>\n<li>Manufacturers must include a machine-readable SBOM in technical documentation for every product.<\/li>\n<li>Actively exploited vulnerabilities and severe incidents having an impact on the security of a product with digital elements must be reported to authorities within 24 hours starting September 2026.<\/li>\n<li>Container runtimes distributed commercially into the EU qualify as products with digital elements under the CRA.<\/li>\n<\/ul>\n<\/blockquote>\n<\/div>\n<h2 class=\"wp-block-heading\">What is the EU Cyber Resilience Act (CRA)?<\/h2>\n<p>Before the <a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/2847\/oj\/eng\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CRA<\/a>, the EU had <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cra-summary\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">no single, cross-sector regulation<\/a> setting cybersecurity baselines for\u00a0 products with digital elements. A smart thermostat, an enterprise database, and a container runtime were all subject to different (or no) cybersecurity obligations. 
There was no general obligation to patch vulnerabilities, disclose security incidents, or document the software composition of products with digital elements placed on the EU market. The CRA closes that gap with a horizontal regulation that applies across all sectors and places the primary burden on manufacturers.<\/p>\n<p>The regulation defines a product with digital elements as a software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately. That scope is intentionally broad: it covers everything from consumer IoT devices to enterprise software platforms to container images distributed through registries. Manufacturers must design products securely, handle vulnerabilities throughout the product lifecycle, and provide transparency about software composition.<\/p>\n<h3 class=\"wp-block-heading\">How the CRA relates to NIS2<\/h3>\n<p>The CRA is one part of a broader EU cybersecurity framework that also includes NIS2 and DORA. Because the CRA and NIS2 both impose cybersecurity obligations, they are easy to conflate, but they target different things. The CRA applies to the cybersecurity of <strong>products<\/strong> with digital elements, while <a href=\"https:\/\/www.dlapiper.com\/en\/insights\/publications\/2026\/02\/cyber-resilience-act-the-fine-line-between-saas-and-digital-products\" rel=\"nofollow noopener\" target=\"_blank\">NIS2 applies to the cybersecurity of <strong>essential and important entities<\/strong><\/a>.<\/p>\n<p>Recital 12 of the CRA affirms that SaaS, PaaS, and IaaS offerings are subject to NIS2, in principle carving them out of the CRA\u2019s own scope. 
However, the line is blurry for products that depend on cloud infrastructure.<\/p>\n<p>The <a href=\"https:\/\/ec.europa.eu\/info\/law\/better-regulation\/have-your-say\/initiatives\/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">European Commission\u2019s March 2026 draft guidance<\/a> introduced a three-part test for determining when a cloud component falls under CRA scope: <\/p>\n<ol class=\"wp-block-list\">\n<li>Does the processing happen remotely?<\/li>\n<li>Would the product lose a core function without it?<\/li>\n<li>Was the remote component designed and developed by the manufacturer, or under the manufacturer\u2019s responsibility?<\/li>\n<\/ol>\n<p>If the answer to all three is yes, the cloud component is part of the product for CRA purposes. Where that test pulls a cloud component into scope and the component processes personal data, the GDPR applies on top of the CRA rather than in place of it, so you still need to assign controller and processor roles and confirm a lawful basis.<\/p>\n<h2 class=\"wp-block-heading\">Who the CRA applies to<\/h2>\n<p>The CRA assigns obligations based on your role in bringing a product to market.<\/p>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Role<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n     
               <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Obligations<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><strong>Manufacturers<\/strong><\/p>\n<p><em>The heaviest set of obligations. <\/em><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p>The manufacturer has assessment obligations before placing the product on the market, in order to ensure compliance with the cybersecurity requirements set out in the CRA. <\/p>\n<p>After this process, the manufacturer can affix the CE marking and attach a declaration of conformity to its products. 
After placement on the market, the manufacturer is required to handle vulnerabilities in the products throughout their lifetime and to report actively exploited vulnerabilities and severe incidents.<\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><strong>Importers and distributors<\/strong><\/p>\n<p><em>Fewer obligations. <\/em><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p>Both must ensure that the manufacturer complied with a set of obligations, but also retain documentation and act upon becoming aware of non-conformity of the product with the CRA or a vulnerability.<\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><strong>Open-source software stewards<\/strong><\/p>\n<p><em>A new CRA category.<\/em><\/p>\n<p>                    <br \/>\n                                            \n            
<\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p>Mainly for micro-enterprises and small and medium-sized enterprises, including start-ups, individuals, non-profit organizations and academic research organizations, that systematically support open-source used in commercial activity. <\/p>\n<p>Scaled-down obligations covering, in particular, putting in place a cybersecurity policy and vulnerability handling, but also cooperation with market surveillance authorities and certain reporting obligations.<\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 class=\"wp-block-heading\">Key requirements for the EU CRA<\/h2>\n<p>The CRA organizes its requirements into two main areas, both defined in Annex I of the regulation: essential cybersecurity requirements for product properties, and vulnerability handling obligations for the product lifecycle.<\/p>\n<figure class=\"wp-block-image size-full\"><img data-opt-id=1502762498  fetchpriority=\"high\" decoding=\"async\" width=\"2048\" height=\"1075\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/image.png\" alt=\"image\" class=\"wp-image-91787\" title=\"- image\" \/><\/figure>\n<h3 class=\"wp-block-heading\">Security by design<\/h3>\n<p>Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on a risk assessment. In practice, this means shipping with secure default configurations, minimizing the attack surface by removing unnecessary components, protecting the confidentiality and integrity of stored and transmitted data, and providing mechanisms for secure updates. 
<\/p>\n<p>For container images, the security-by-design requirement maps directly to image hardening:<\/p>\n<ul class=\"wp-block-list\">\n<li>minimal base layers<\/li>\n<li>no unnecessary shells or package managers<\/li>\n<li>secure defaults out of the box. <\/li>\n<\/ul>\n<p>The essential requirements also include data minimization: a product should process only personal or other data that is adequate, relevant, and limited to what is necessary for its intended purpose.<\/p>\n<h3 class=\"wp-block-heading\">Vulnerability handling<\/h3>\n<p>Manufacturers must maintain processes for identifying, documenting, and remediating vulnerabilities throughout the support period they define for each product. This includes coordinated vulnerability disclosure policies, timely security updates, and public disclosure of fixed vulnerabilities with enough detail for users to assess impact and apply remediation. <\/p>\n<p>Security updates must be provided free of charge for the duration of the support period. Public disclosures should be limited to the technical detail users need and must not expose personal data, such as the identity of a reporter or of affected users, consistent with the CRA\u2019s expectation that disclosures avoid increasing risk and with GDPR limits on publishing personal data.<\/p>\n<h3 class=\"wp-block-heading\">Transparency and SBOMs<\/h3>\n<p>The CRA also requires manufacturers to include a <a href=\"https:\/\/www.docker.com\/blog\/what-is-an-sbom\/\" target=\"_blank\" rel=\"noreferrer noopener\">software bill of materials<\/a> in the technical documentation for every product with digital elements. The SBOM must be in a commonly used, machine-readable format and must include, at minimum, the top-level dependencies of the product. 
The regulation does not mandate a specific format; in practice that means SPDX or CycloneDX. Scope the generated SBOM to package and dependency metadata and keep embedded secrets and personal data out of the artifact.<\/p>\n<p>An important nuance: the CRA does not require manufacturers to publish SBOMs publicly. SBOMs must be included in the technical documentation and provided to market surveillance authorities on request. That documentation must be retained for at least ten years after the product is placed on the market, or for the duration of the support period, whichever is longer.<\/p>\n<h3 class=\"wp-block-heading\">Incident and vulnerability reporting<\/h3>\n<p>Manufacturers must report actively exploited vulnerabilities and severe security incidents to the relevant national Computer Security Incident Response Team (CSIRT) and to <a href=\"https:\/\/www.enisa.europa.eu\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ENISA<\/a> through a single reporting platform. 
The reporting timelines are:<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p>Reporting timelines:<br \/>\u2013 <strong>24 hours<\/strong>: early warning notification<br \/>\u2013 <strong>72 hours<\/strong>: full notification with technical details<br \/>\u2013 <strong>14 days<\/strong>: final report after a corrective measure is available (for actively exploited vulnerabilities)<br \/>\u2013 <strong>1 month<\/strong>: final report from the 72-hour submission (for severe incidents)<\/p>\n<\/div>\n<p><strong>Note for Privacy: <\/strong>These reports can contain personal data, such as a reporter\u2019s identity or affected-user details, so limit each report to the technical information the CSIRT and ENISA actually need and handle any personal data in line with the GDPR.\u00a0 Notifications should also avoid disclosing information that would increase risk to users.<\/p>\n<h3 class=\"wp-block-heading\">Conformity assessment<\/h3>\n<p>Before placing a product on the EU market, manufacturers must complete a conformity assessment to verify compliance with the essential cybersecurity requirements. 
The type of assessment depends on how the product is classified under the CRA.<\/p>\n<h2 class=\"wp-block-heading\">Product categories and conformity assessment<\/h2>\n<p>The CRA classifies products into three tiers by cybersecurity risk (default, important, and critical), with the important tier split into Class I and Class II. Each step up is subject to a more rigorous conformity assessment procedure.<\/p>\n<div class=\"wp-block-ponyo-image\">\n                <img data-opt-id=398577001  fetchpriority=\"high\" decoding=\"async\" width=\"2320\" height=\"1218\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/docker_CRA-Product-Categories-2320x1218.jpg\" class=\"fade-in\" alt=\"EU CRA Product Categories including general, important class I, important class II, and\" title=\"- docker CRA Product Categories\" \/>\n        <\/div>\n<p>If you\u2019re shipping container runtimes, you likely fall into the Important Class II category and will need a third-party assessment. Products that pass their conformity assessment carry the CE marking, which signals compliance with the CRA and allows them to be sold on the EU market. Products that fail, or that are found to be non-compliant after placement, can be ordered withdrawn or recalled by national market surveillance authorities.<\/p>\n<h2 class=\"wp-block-heading\">CRA timeline: 3 Deadlines that matter<\/h2>\n<p>The CRA entered into force on December 10, 2024, but its obligations phase in <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/factpages\/cyber-resilience-act-implementation\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">over three years<\/a>. 
Each milestone introduces a distinct set of requirements.<\/p>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Date<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Milestone<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>What takes effect<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span 
class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>June 11, 2026<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Conformity assessment bodies<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Member states must designate notifying authorities. 
Conformity assessment bodies begin formal notification and can start conducting assessments.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>September 11, 2026<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Reporting obligations<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Manufacturers must report actively exploited vulnerabilities and severe security incidents to CSIRTs and ENISA. 
This retroactively applies to all products already on the EU market, not just new ones.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>December 11, 2027<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Full enforcement<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>All essential cybersecurity requirements take effect: security by design, SBOM in technical documentation, vulnerability handling, conformity assessment, CE marking. Non-compliance triggers fines.<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>The key detail most teams miss: the September 2026 reporting obligation is applicable to products that are already in the market. 
If you are selling container images to EU customers today, your 24-hour early-warning clock starts in months, not years.<\/p>\n<h2 class=\"wp-block-heading\">Penalties for non-compliance<\/h2>\n<p><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=OJ:L_202402847#art_64\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Article 64<\/a> of the CRA establishes three penalty tiers for non-compliance, with fines set at the member-state level but capped by the regulation:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Up to \u20ac15 million or 2.5% of global annual turnover <\/strong>(whichever is higher) for failure to comply with the essential cybersecurity requirements and the core manufacturer obligations (Art. 64(2))<\/li>\n<li><strong>Up to \u20ac10 million or 2% of global annual turnover <\/strong>(whichever is higher) for failure to comply with any other CRA obligation (Art. 64(3))<\/li>\n<li><strong>Up to \u20ac5 million or 1% of global annual turnover <\/strong>(whichever is higher) for supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities (Art. 64(4))<\/li>\n<\/ul>\n<p>Beyond fines, market surveillance authorities can order product withdrawals, recalls, or outright bans from the EU market. For organizations selling software products into the EU, losing market access is often a more significant consequence than the fine itself.<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p>Microenterprises and small enterprises are generally exempt from fines for missing the 24-hour early warning deadline on vulnerability and incident reporting. 
Open-source software stewards are not subject to fines for any CRA infringement.<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">Open-source software and the CRA<\/h2>\n<p>The CRA\u2019s treatment of open source was one of the most debated aspects during the legislative process. The final text draws a clear line based on commercial activity.<\/p>\n<p>Free and open-source software that\u2019s not used in the course of a commercial activity, either directly or through support, is outside the CRA\u2019s scope. Individual developers and volunteer maintainers are not classified as manufacturers under the regulation, as long as they operate outside a commercial activity. And the CRA explicitly does not apply to open-source software supplied for distribution outside the scope of a commercial activity.<\/p>\n<p>However, the regulation introduces a new role: the <strong>open-source software steward<\/strong>.\u00a0<\/p>\n<p>A \u201csteward\u201d is a legal person (a company or foundation, not an individual) that systematically supports the development of open source software intended for commercial activities. The CRA applies a light-touch regime for stewards with limited obligations. They must mainly:<\/p>\n<ol class=\"wp-block-list\">\n<li>Maintain a cybersecurity policy.<\/li>\n<li>Report actively exploited vulnerabilities.<\/li>\n<li>Cooperate with market surveillance authorities.\u00a0<\/li>\n<\/ol>\n<p>Critically, stewards are not subject to financial penalties for CRA infringements.<\/p>\n<p>Organizations that distribute open-source software under a commercial model, whether through paid support or commercial container image registries, are classified as manufacturers, not stewards. The distinction matters because manufacturers carry the full weight of CRA obligations, including conformity assessment and CE marking.<\/p>\n<h2 class=\"wp-block-heading\">What the CRA means for container teams<\/h2>\n<p>Everything above applies to the full universe of digital products. 
Here\u2019s where it gets specific. Container images and runtimes distributed commercially into the EU qualify as products with digital elements under the CRA. If your organization publishes container images in a registry that EU customers can pull from, and those images are part of a commercial offering, the CRA applies and you may be considered a manufacturer. This is true regardless of where your organization is headquartered.<\/p>\n<p>The practical implications span the entire container lifecycle:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Image composition transparency: <\/strong>Every image needs a machine-readable SBOM that documents at least the top-level dependencies. Image-layer SBOMs generated at build time, which capture OS packages, runtime libraries, and transitive dependencies, go further than the CRA\u2019s minimum.<\/li>\n<li><strong>Vulnerability management: <\/strong>Organizations must have processes to track, remediate, and report vulnerabilities in the components their images contain. Starting September 2026, all vulnerability and incident reporting obligations listed in Article 14 come into effect.<\/li>\n<li><strong>Security by design: <\/strong>Images should ship with minimal attack surfaces, secure default configurations, and no unnecessary components. <a href=\"https:\/\/www.docker.com\/blog\/what-are-hardened-images\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hardened base images<\/a> with shells, package managers, and debug tools removed satisfy this requirement more directly than standard community images.<\/li>\n<li><strong>Provenance and integrity: <\/strong>The CRA\u2019s essential requirements include protecting the integrity of the product and verifying that components have not been tampered with. 
Cryptographic signatures and <a href=\"https:\/\/slsa.dev\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">provenance attestations<\/a> address this directly.<\/li>\n<li><strong>Support periods: <\/strong>Manufacturers must define and communicate a support period during which they will handle vulnerabilities. For container images, that means committing to a patch and rebuild cadence for the lifecycle of each supported image tag.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Compliance starts at the image layer<\/h2>\n<p>The CRA raises the bar for every organization that ships software into the EU. For container teams, the requirements map directly to practices the industry has been moving toward: hardened images, build-time SBOMs, provenance attestations, vulnerability monitoring, and defined support lifecycles. The difference is that these practices are no longer optional.<\/p>\n<p>Thankfully, <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker Hardened Images<\/a> ship with the artifacts the CRA demands: complete SBOMs, SLSA Build Level 3 provenance with non-falsifiable attestations, OpenVEX exploitability data, and cryptographic signatures. The images are minimal by default, continuously rebuilt against upstream fixes, and backed by defined support periods. 
Pair that with <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noreferrer noopener\">continuous vulnerability monitoring<\/a> driven by the SBOM (package and component metadata only, with no personal data or embedded secrets), and when the CRA\u2019s 24-hour early-warning clock starts you already know which images and versions are affected instead of triaging by hand.<\/p>\n<ul class=\"wp-block-list\">\n<li>Get started with <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Docker Hardened Images<\/a> \u2192<\/li>\n<li>Explore vulnerability monitoring with <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\">Docker Scout<\/a> \u2192<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Frequently asked questions<\/h2>\n<div class=\"wp-block-ponyo-dominique organism\">\n<div class=\"container faq-list\">\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Does the CRA apply to container images?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>Yes, generally. Container images distributed commercially into the EU qualify as products with digital elements under the CRA. This applies whether the images are distributed as part of a software product, sold as managed services, or published in a commercial registry. 
The regulation applies based on commercial availability in the EU market, not on where the manufacturer is headquartered.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        What SBOM format does the CRA require?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>The CRA requires a commonly used, machine-readable format but does not name a specific standard. In practice, that usually means <a href=\"https:\/\/spdx.dev\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SPDX<\/a> or <a href=\"https:\/\/cyclonedx.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CycloneDX<\/a>. For container workflows, SPDX is the format <a href=\"https:\/\/docs.docker.com\/build\/metadata\/attestations\/sbom\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">BuildKit generates natively<\/a> as an image attestation. Whichever format you use, scope the SBOM to package and dependency metadata and exclude embedded secrets and personal data from the generated artifact.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Do I have to publish my SBOM publicly?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>No. The CRA requires SBOMs to be included in technical documentation and provided to market surveillance authorities upon request. There is no obligation to make them publicly available. However, organizations that do publish SBOMs as attestations attached to their images make it easier for downstream consumers to verify compliance and assess risk. 
If you do publish, scrub the SBOM and attestations of secrets, internal hostnames, and any personal data first, because a published artifact is difficult to retract.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Are open-source projects exempt?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>Open-source software is outside the CRA\u2019s scope as long as it is not made available on the market, that is, supplied for distribution or use in the course of a commercial activity. Individual volunteer maintainers are not classified as manufacturers as long as they operate outside a commercial activity. However, organizations that distribute open-source software commercially (through paid support, managed services, or commercial registries) may be classified as manufacturers and subject to the full set of CRA obligations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        When do the CRA\u2019s SBOM requirements take effect?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>The SBOM requirement is part of the essential cybersecurity requirements in Annex I, which <strong>take full effect on December 11, 2027<\/strong>. 
However, the vulnerability reporting obligations that begin on September 11, 2026 are operationally much harder to meet without SBOM data, so the practical imperative to have SBOMs in place arrives well before the formal deadline.<\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n<h3 class=\"wp-block-heading\">Source<\/h3>\n<p>Omdia,\u00a0<em>Securing the Software Supply Chain: Strategic Approaches to Support Scaling Development with AI Adoption<\/em>, May 2026.<\/p>","protected":false},"excerpt":{"rendered":"<p>The EU Cyber Resilience Act (CRA) was officially introduced on December 10th 2024, to protect foundational EU values in the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4417,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-4416","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4416"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4416\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4417"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}