The Cyber Resilience Act (CRA), European Regulation (EU) 2024/2847, entered into force on December 10th 2024. Its first binding requirements will apply from September 11th 2026, with full application scheduled for December 2027.
For the first time, the European Union is imposing mandatory cybersecurity requirements on all products containing digital components, both hardware and software, placed on the European market.
A Regulation That Targets Digital Products
Unlike the NIS2 directive, which focuses on the security of organisations, the CRA applies to the products themselves. Its scope is very broad: applications, connected devices, software, firmware and hardware components are all covered, as is any other product integrating digital elements. The exceptions are pure cloud services (covered by NIS2), and medical devices and vehicles, which are already governed by their own sector-specific regulations.
The Cyber Resilience Act (CRA) classifies products into three levels of severity, which determine the applicable conformity assessment procedure: "default" products (self-assessment), "important" products of Class I and II (stricter assessment, potentially requiring a third party), and "critical" products (mandatory European certification).
Manufacturers, software publishers, application developers and hardware manufacturers bear most of the obligations. Importers and distributors are also affected, with conformity verification obligations before placing products on the market.
Penalties are aligned with those of the GDPR: up to €15 million or 2.5% of annual global turnover for non-compliance with essential cybersecurity requirements. Market surveillance authorities may also order the withdrawal of non-compliant products from the European market.
Key Requirements and How Yagaan Addresses Them
Annex I of the Cyber Resilience Act defines the requirements that products must meet. For instance, a product must be placed on the market without any known exploitable vulnerability and with a secure default configuration. Several of these requirements directly relate to application security, the core expertise of Yagaan, powered by Pradeo.
Security by Design
The CRA requires that cybersecurity be integrated from the design phase. A product must be placed on the market without any known exploitable vulnerability, with a secure default configuration, robust authentication mechanisms and a minimised attack surface. Security is no longer an add-on at the end of the cycle; it becomes a legal obligation from the very start of development.
Yagaan addresses this requirement with its Static Application Security Testing (SAST) solution, which integrates directly into CI/CD pipelines to analyse source code at every iteration, identifying vulnerabilities before production. The tool uses machine learning to prioritise flaws by their real criticality and provide contextual remediation guidance.
Vulnerability Management and 24-Hour Reporting
The CRA requires a structured process for detecting, correcting and communicating vulnerabilities throughout the entire product lifecycle, or for a minimum of five years after market placement. From 11 September 2026, manufacturers will be required to notify ENISA of any actively exploited vulnerability within 24 hours of discovery, provide a full report within 72 hours and a final report within 14 days.
Yagaan's In-App Protection directly addresses this requirement by detecting exploitation attempts against the deployed application in real time, enabling the identification and neutralisation of attacks in production.
Before production, integrating Yagaan Static Application Security Testing (SAST) into the development cycle enables the detection of vulnerabilities in the source code, in line with this obligation to maintain security throughout the lifecycle. By identifying and fixing flaws during development rather than later, software vendors reduce the risk of having to report exploitable vulnerabilities after the product has been released.
Software Component Traceability
The CRA requires the production of an SBOM (Software Bill of Materials), a comprehensive inventory of all software components integrated into the product, including third-party libraries and open-source dependencies. This SBOM must be available to surveillance authorities on request.
For mobile applications, which are digital products within the meaning of the CRA, Yagaan Mobile Application Security Testing (MAST) enables security audits of their binary code (Android and iOS), identifying the integrated third-party components and their known vulnerabilities. This covers both internally developed applications and those sourced from suppliers, contributing to the traceability required by the regulation.
Protection Against Tampering and Attacks in Production
The CRA requires that digital products minimise their attack surface and be protected against unauthorised access.
Yagaan contributes to these requirements with two complementary solutions. Shielding protects the application code against reverse engineering, cloning and tampering, concretely reducing the attack surface exploitable by an attacker. In-App Protection ensures real-time application protection during execution, detecting and neutralising attacks directly on the device.
Time to Prepare
The first binding Cyber Resilience Act deadline is just months away. For application developers, compliance requires integrating security into the development cycle and setting up structured vulnerability management for their applications.
Yagaan, powered by Pradeo, supports organisations in this process by providing a complete application security suite, from development to execution.