Taming Cybersecurity Regulation: How to Prepare for the CRA
Product development organizations that design devices and digital services are facing an accelerating pace of regulation from authorities. The EU and the United States are aiming to improve cybersecurity, but in doing so, are also making the market for technological innovations more rigid. Companies that successfully navigate this regulation will gain a competitive advantage over their rivals.
How did Omoroi dive into this domain? We support product development organizations in mastering the requirements of the CRA. Understanding complex software systems and diverse technology stacks requires software experience and process expertise, both of which Omoroi possesses.
The CRA Regulation – A New Era of Cybersecurity
The CRA (Cyber Resilience Act) is the European Union's new regulation that will revolutionize the cybersecurity of digital components. It imposes stricter requirements for the lifecycle management of devices and software and requires manufacturers to ensure the cybersecurity of their products from start to finish.
What Does the CRA Mean in Practice?
The CRA regulation requires manufacturers to have an even stronger commitment to the cybersecurity of their products. This includes, among other things, the systematic monitoring, patching, and reporting of vulnerabilities. Starting from September 11, 2026, companies must report discovered vulnerabilities to the authorities.
SBOM – The Software Bill of Materials
An SBOM (Software Bill of Materials) is like a product's list of ingredients, but in a format suitable for the software world. It provides a comprehensive and detailed list of the components contained in a software product, their versions, authors, dependencies, and licenses. The role of the SBOM in meeting CRA requirements is central, as it provides the necessary foundation for identifying and managing components.
Why is SBOM important?
Transparency: It increases transparency in the software development process, helping to understand everything a product contains.
Vulnerability Management: When you know which components your software contains, you can easily track known vulnerabilities (e.g., from the NVD, GitHub advisory database) and react to them quickly.
License Management: It helps ensure that all used components comply with the appropriate license terms.
Regulatory Compliance: For example, the United States already requires SBOM reports for devices brought to market.
Challenges with SBOM
Although an SBOM is vital, creating and managing it can be challenging. In particular, a lack of automated reporting and differences between various formats (CycloneDX, SPDX) can slow down the process. Solutions exist, and automation is key. The inherent differences between devices and software within a product portfolio create additional challenges.
Vulnerability and Dependency Management
Software vulnerabilities can be gateways for attacks that may lead to data breaches, denial-of-service attacks, or other serious consequences. Dependency management is critical in this regard, as a large portion of vulnerabilities are found in third-party libraries and components.
How are vulnerabilities managed effectively?
Automated Detection: It is important to use tools that automatically identify known vulnerabilities during and after development (e.g., Dependency-Track).
Continuous Monitoring: Vulnerability databases are constantly updated. Therefore, it is important to monitor and update vulnerability information regularly.
Prioritization: Not all vulnerabilities can be fixed at the same time. The most important thing is to prioritize fixes based on the severity of the vulnerabilities and their likelihood of being exploited.
Integration: By integrating vulnerability management into the development process (e.g., via Jira), you ensure that vulnerabilities are handled systematically.
Training and Knowledge Sharing: All team members—from developers to product owners—need information about vulnerabilities and how to manage them.
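The SBOM section above and the five practices just listed describe one pipeline: read the component inventory, match it against a vulnerability feed, prioritize by severity and exploitation likelihood, check licenses, and hand the result to an issue tracker. The following is an added illustration of that pipeline, not code from Omoroi or from any of the tools named on this page. It parses a minimal CycloneDX 1.5 JSON document (the document structure follows the public CycloneDX spec, but the component names, advisory identifiers, CVSS scores and license policy are all constructed for the demo and are not real packages or real CVEs), and the `to_ticket` record is a hypothetical shape for an issue-tracker integration rather than any tracker's actual API.

```python
"""Added example: match a CycloneDX SBOM against a vulnerability feed,
prioritise findings, check licenses and produce tracker-ready records.
All component names, advisory ids, scores and the license policy are
constructed for this demo; none refer to real packages or real CVEs."""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON document (spec-shaped, invented contents).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "demo-tls", "version": "2.4.1",
         "purl": "pkg:generic/demo-tls@2.4.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "demo-json", "version": "1.0.9",
         "purl": "pkg:generic/demo-json@1.0.9",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "demo-log", "version": "3.2.0",
         "purl": "pkg:generic/demo-log@3.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed: affected component, first fixed version,
# CVSS base score, and whether exploitation in the wild is known. The last
# two are the inputs the text says should drive prioritisation.
ADVISORIES = [
    {"id": "DEMO-ADV-0001", "component": "demo-tls", "fixed_in": "2.4.2",
     "cvss": 9.8, "known_exploited": True},
    {"id": "DEMO-ADV-0002", "component": "demo-json", "fixed_in": "1.0.8",
     "cvss": 7.5, "known_exploited": False},   # already fixed in 1.0.9
    {"id": "DEMO-ADV-0003", "component": "demo-log", "fixed_in": "3.3.0",
     "cvss": 5.3, "known_exploited": False},
]

# Constructed license policy for the license-management check.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Finding:
    advisory: str
    component: str
    installed: str
    fixed_in: str
    cvss: float
    known_exploited: bool

    def priority(self) -> str:
        # Known-exploited or critical first, then high, then the rest.
        if self.known_exploited or self.cvss >= 9.0:
            return "P1"
        if self.cvss >= 7.0:
            return "P2"
        return "P3"


def parse_version(v: str) -> tuple:
    # Dotted-integer comparison; sufficient for the constructed data.
    return tuple(int(p) for p in v.split("."))


def load_components(sbom_json: str) -> list:
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def match_advisories(components, advisories) -> list:
    by_name = {c["name"]: c for c in components}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue  # component not shipped in this product
        if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            findings.append(Finding(adv["id"], comp["name"], comp["version"],
                                    adv["fixed_in"], adv["cvss"],
                                    adv["known_exploited"]))
    # Highest priority band first, highest score within a band.
    return sorted(findings, key=lambda f: (f.priority(), -f.cvss))


def license_violations(components, allowed=ALLOWED_LICENSES) -> list:
    bad = []
    for c in components:
        ids = {str(l.get("license", {}).get("id")) for l in c.get("licenses", [])}
        if not ids <= allowed:
            bad.append((c["name"], sorted(i for i in ids if i not in allowed)))
    return bad


def to_ticket(f: Finding) -> dict:
    # Hypothetical record shape for handing a finding to an issue tracker.
    return {"summary": f"[{f.priority()}] {f.advisory} in {f.component} {f.installed}",
            "description": f"Upgrade to {f.fixed_in} or later. CVSS {f.cvss}.",
            "labels": ["sbom", "vulnerability", f.priority()]}


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for finding in match_advisories(comps, ADVISORIES):
        print(to_ticket(finding)["summary"])
    print("license violations:", license_violations(comps))
```

Run as a script it lists two tickets (the critical, known-exploited advisory first, the low-severity one last, and nothing for the advisory whose fix is already installed) plus one license violation. The version comparison is deliberately naive; a production matcher should use the ecosystem's own version semantics (purl type, semver or distro-specific ranges) and consume the advisory feed continuously rather than from a static list.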
Examples of Technologies in This Domain
Dependency-Track: An automated solution that helps track component vulnerabilities and dependencies.
CycloneDX and SPDX: Standardized formats for creating SBOMs.
DefectDojo: A tool for visualizing and managing vulnerabilities.
Omoroi Supports R&D with Regulatory Requirements
Omoroi's working method typically includes a Proof of Concept (PoC) phase, where a solution is designed and implemented for a single product or service. Based on the findings from this phase, the solution's use is expanded to the entire product portfolio. Close customer collaboration and communication support achieving the goal. During the implementation phase, training and guidance ensure that knowledge is transferred to the client's teams.
Omoroi's extensive experience and deep understanding of embedded software development processes help product development organizations to produce the aforementioned reports in an automated way.
Software security is not a one-time project, but a continuous process. By adopting SBOMs, complying with the CRA regulation, and investing in automated vulnerability and dependency management, organizations can build a sustainable foundation for more secure software development.
We would be happy to discuss your situation and offer our help in responding to cybersecurity regulations. For more information, contact info@omoroi.fi or +358 40 163 2424.