What do sausages have to do with software?
Why the Cyber Resilience Act is great news

The Cyber Resilience Act (CRA), a brand new EU legislation, will come into full force on September 11. It covers all software distributed within the EU: from native mobile applications and software installed on computers, to embedded software distributed with physical devices.
The Act mandates that all software must be secure by design, that all its "ingredients" are disclosed, and that the software must be actively maintained for a substantial period of time.
New EU regulations? Here come the memes.
I can already see them, likely involving juxtaposing plastic bottle caps with super-advanced technology, with an amusing slogan along the lines of: “____ innovates, EU regulates”.
Or maybe you noticed the irony and let out a slight curse because you had to navigate yet another cookie banner just to read a blog post claiming this new regulation is actually good. More than good - it's great.
I'll be bold enough to guess your next thought as well. Not because I'm clairvoyant like Baba Vanga, but because I've heard this exact argument so many times from people in the industry that my chances of success are very high: "The EU is only good at regulating sausages." And on that, I absolutely agree with you. The EU excels at regulating sausages.
If given a choice, I would pick an EU sausage over any other, every single time. Not just because several member states produce some of the best sausages in the world, but because of the strict regulations governing their production.
I would choose them because I'd know every single ingredient that goes into them. I'd be confident feeding them to my children, knowing with near certainty that they won't contract trichinella, salmonella, or shigella.
I would know that all the E-numbered ingredients are unlikely to give me cancer. I would know they are made under a rigorous standard of cleanliness.
I appreciate that, and that is precisely why I appreciate this new regulation so much. It treats software in exactly the same way.
For instance, just as with the sausage, it mandates that I must know the list of ingredients that constitute the software running on my devices. Unlike the general public, those of us in the industry know that modern software is built using countless libraries and frameworks. Every modern application is merely a thin layer of custom code, typically no more than 20% of the total codebase. The rest is inherited, imported, and passed on to the end consumer with very little scrutiny.
That stops now.

Levelling the playing field for the diligent
Application manufacturers can no longer simply throw in whatever ingredient they find. Every component must be carefully considered, assessed, and proven secure.
As with the sausage, the new act requires that software must be safe by design. This assures me, as much as possible, that my devices won't be compromised with viruses or trojans, and that the app won't negligently expose my entire digital existence to the internet.
And, unlike sausages, but much like any other tech product sold in the EU, I can be sure that it will be actively supported for a reasonable amount of time.
I like that.
However, the main reason I like the Cyber Resilience Act (CRA) so much is that it requires every software manufacturer to adhere to best practices. It imposes the same rules used by the most diligent among us upon everyone.
What if you’re not ready?
If the application is distributed in the EU, this news might sound alarming, and depending on the application's design, it very well might be. This is especially true for those who are just now hearing about the September deadline. However, the most important thing to remember is that it is not too late, even if the application is not yet compliant, has no software bill of materials, or lacks a support structure to track reported vulnerabilities in its underlying libraries or in its own code.
For those applications, there is still time to fix them to be compliant with the act, but most importantly, to do the right thing. Literally. To do what needed to be done in the first place.
Granted, doing the right thing is not always the easy thing to do, but it only needs to be hard once. Once the bill of materials is produced, once the checks are automated, and once the reporting structures are in place, things will run smoothly and reassuringly. Both for the manufacturers and their customers.
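The three steps above (produce the bill of materials, automate the checks, feed the results into a reporting structure) can be seen in miniature in the following added example. It is not code from the original post; it assumes an SBOM in the CycloneDX JSON layout with `purl` fields, and both the SBOM and the advisory list are constructed sample data with placeholder advisory identifiers, not real CVE numbers. Version comparison is a deliberately simple numeric dotted-version check.

```python
"""Check a CycloneDX-style SBOM against a list of known-vulnerable versions.

Added example (not from the original post). SBOM and advisories below are
constructed; advisory ids are placeholders.
"""
import json
from itertools import zip_longest

# Constructed sample SBOM in CycloneDX JSON layout.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "purl": "pkg:pypi/examplelib@1.2.3"},
        {"type": "library", "name": "otherlib", "version": "4.0.1",
         "purl": "pkg:pypi/otherlib@4.0.1"},
        {"type": "library", "name": "safelib", "version": "2.0.0",
         "purl": "pkg:pypi/safelib@2.0.0"},
    ],
})

# Constructed advisory feed: a component is affected when its version is
# strictly below "fixed_in" for the same ecosystem and name.
SAMPLE_ADVISORIES = [
    {"ecosystem": "pypi", "name": "examplelib", "fixed_in": "1.2.4",
     "id": "ADVISORY-PLACEHOLDER-1"},
    {"ecosystem": "pypi", "name": "otherlib", "fixed_in": "4.0.0",
     "id": "ADVISORY-PLACEHOLDER-2"},
]


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version a is strictly lower than b, padding short tuples."""
    pa, pb = parse_version(a), parse_version(b)
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return x < y
    return False


def parse_purl(purl):
    """Split 'pkg:pypi/examplelib@1.2.3' into (ecosystem, name, version).

    Qualifiers ('?...') and subpaths ('#...') are dropped; scoped names such
    as '@scope/name' survive because the version is taken from the last '@'.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def load_components(sbom_json):
    """Return (ecosystem, name, version) for every component with a purl."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [parse_purl(c["purl"]) for c in sbom.get("components", [])
            if "purl" in c]


def find_affected(sbom_json, advisories):
    """Cross the SBOM with the advisory list; each hit is one report record."""
    findings = []
    for eco, name, version in load_components(sbom_json):
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (eco, name):
                continue
            if version_lt(version, adv["fixed_in"]):
                findings.append({
                    "component": f"{eco}/{name}@{version}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def format_report(findings):
    """Plain-text report suitable for a ticket or a CI log."""
    if not findings:
        return "No affected components found."
    lines = [f"{len(findings)} affected component(s):"]
    for f in findings:
        lines.append(f"  {f['component']}: {f['advisory']} "
                     f"(fixed in {f['fixed_in']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES)))
```

Run once as a script and the check reports `examplelib@1.2.3` against the first placeholder advisory, while `otherlib@4.0.1` is already at or above its fixed version and `safelib` has no advisory at all. In a real pipeline the SBOM would come from the build and the advisory list from a vulnerability feed, and a non-empty report would fail the build or open a ticket; that is the "automated check" and "reporting structure" the paragraph describes.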
The mark of a good standard
That's why the CRA is great. It bears the most important mark of truly successful legislation: It is common-sensical, simple to implement, and it requires nothing from the consumer. No frustrating bottle tops to fight with, no bothersome banners to click. Nothing.
Just the reassuring feeling that software bearing the CE mark will be conceived, developed, and maintained in a secure manner.
