When a Security Incident Happens Outside the EU: Does the CRA Still Apply? The global nature of cybersecurity raises a practical question for manufacturers. If an actor exploits a vulnerability outside the European Union, do the Cyber Resilience Act (CRA) reporting and remediation obligations still apply? The short answer is yes. If a manufacturer places a product on the EU

Software companies often rely on a familiar distinction: they regulate products, but not services. They have viewed cloud delivery models, subscription-based offerings, and remote processing as business innovations. They have also seen them as ways to reduce regulatory exposure. The EU Cyber Resilience Act (CRA) challenges this assumption. Under the CRA, the key question is not whether a company markets

One of the frequently asked questions surrounding the Cyber Resilience Act (CRA) concerns legacy products. Manufacturers ask whether they can sell older products in the EU after 11 December 2027 without updates. This blog explores the issue amid evolving CRA standards and upcoming compliance deadlines. CRA Scope and Market Placement The CRA applies to products placed on the market from

The EU’s growing focus on SBOMs, highlighted in ENISA’s SBOM Landscape Analysis – Towards an Implementation Guide, is a key step toward greater transparency and resilience in software supply chains. SBOMs are rapidly becoming a central building block for cybersecurity governance under the Cyber Resilience Act (CRA) and related frameworks. From Bitsea’s perspective, this direction is both necessary and overdue.

Open Source Everywhere — And a New Challenge On any given day, tech companies in Europe are shipping products with digital elements. Under the hood, chances are it’s running a wealth of Open Source-code. From encryption libraries to web frameworks, Open Source has become the backbone of digital innovation—indeed, a typical modern software product is often over 90% Open Source

As cars become more like computers on wheels, cybersecurity is becoming a major concern. With vehicles now connected to the internet and relying heavily on software, protecting them from cyber threats is essential. The Cyber Resilience Act (CRA) is a new European law designed to improve cybersecurity for digital products. While it does not directly apply to cars themselves (since

Navigating Open-Source-Compliance in 2024: The Critical Role of Scanning Depth and SBOMs In the evolving landscape of cybersecurity and software compliance, the importance of open source compliance cannot be overstated. New regulatory requirements like the Cyber Resilience Act (CRA), the Network and Information Security Directive (NIS2), and the Digital Operational Resilience Act (DORA) have introduced stricter obligations for organizations, especially

Today, we are shedding light on a topic that is still all too readily overlooked as the “little sister of programming”. What hardly anyone cared about 20 years ago is to be placed under state control in the immediate future! As we now know, a major focus of Bitsea is checking for hidden risks in software. Many people typically first

Open source is everywhere: Hardly any product today can do without digital components, from electric toothbrushes and baby monitors to smartwatches. Less obvious to many users is the security risk that such products pose for the end users. The new European Cyber Resilience Act (CRA) aims to ensure that consumers receive secure products. The regulation was announced in the EU

What is Cyber Resilience Act? The European Cyber Resilience Act (CRA) aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle. It was introduced by the European Parliament in