EU’s Cyber Resilience Act will put IT leaders to the test
Unlike most cyber security regulations, the EU’s Cyber Resilience Act is about product safety rather than processes or certification, extending the CE mark from the physical side of products to software, firmware, backend services, and anything with a network connection. It encodes existing best practices, enforces minimum product support lifecycles, and could mean developing stronger relationships with open source projects your organization relies on. And it comes with a deadline: by September 11 this year, you need to have vulnerability and incident reporting processes in place.
Even organizations already using software bills of materials (SBOMs) may find the new CRA obligations hard to meet: an actively exploited vulnerability in a product must be reported within 24 hours, and a full report delivered within three days.
Although nearly everyone surveyed for the recent Artifact Management Report from Cloudsmith (a SaaS alternative for artifact management) generates SBOMs, only a quarter do so automatically rather than manually or on demand. Over half said producing a comprehensive report would take significant time and effort, and fewer than a third were very confident they could pass the kind of unexpected software supply chain audit that the CRA’s spot checks will require.
Read more at CSO Online