Patch of the Day: Security Teams vs. the Cyber Resilience Act

As the US prepares to host football’s biggest tournament, security pros are preparing for a different kind of international showdown. The EU Cyber Resilience Act is coming soon (just like England's next World Cup triumph...), and it's the most significant mandatory cybersecurity regulation for software and hardware products in a generation. But who actually needs to comply, and exactly how you execute the perfect game plan, is less obvious than the headlines suggest.

The CRA applies to products with digital elements: software or hardware that connects to a network and ships a physical artefact, desktop app, firmware, or downloadable component. Pure SaaS with no client? You may be out of scope. But if you have an SDK, an agent, or a desktop client – you're on the pitch. Either way, even for those who don't need to be compliant, a lot of the requirements are just the building blocks of a good security program – i.e. worth paying attention to, regardless of which side of the draw you're on.

In this webinar, Dr Katie Paxton-Fear cuts through the confusion to explain exactly who the CRA applies to, what the six core obligations require, and what your engineering team needs to do before the September 2026 reporting deadline (and December 2027 full compliance date). You'll leave knowing whether you're in scope, and what a practical compliance programme actually looks like – as well as how you can take inspiration from this legislation to level up your security program anyway, putting it on a world-class footing.