Why the Cyber Resilience Act Matters for the Web Industry
The European Union’s Cyber Resilience Act (CRA) is the most ambitious cybersecurity regulation to target digital products in over a decade. Signed into law in late 2024, it introduces mandatory security requirements for virtually every product with a digital element sold or operated within the EU.
If you build websites, develop plugins, ship connected software, or manage digital infrastructure, this regulation demands your attention — starting now.
What Is the Cyber Resilience Act?
The CRA establishes a horizontal framework for cybersecurity requirements across the entire lifecycle of digital products. Think of it as the CE marking equivalent for software security.
Key facts at a glance:
- Scope: Hardware and software products with digital elements (firmware, operating systems, apps, libraries, IoT devices)
- Vulnerability reporting: Mandatory from September 2026
- Full enforcement: December 2027
- Penalties: Up to €15 million or 2.5% of global annual turnover, whichever is higher
Unlike GDPR, which focuses on personal data, the CRA focuses on the security of the product itself — from design to end-of-life.
Who Is Affected?
Manufacturers and Distributors
Anyone who places a product with digital elements on the EU market is considered a “manufacturer” under the CRA. That includes:
- Software companies distributing downloadable applications
- Developers shipping WordPress or PrestaShop plugins/modules
- Hardware vendors bundling firmware or web dashboards
- Open-source projects used commercially (with specific exemptions for non-commercial activity)
Web Agencies and Developers
If your agency builds custom software, APIs, or connected tools that are deployed as products — not just internal tools — the CRA applies to you. Even integrators who assemble components into a final product may bear compliance responsibility.
At Lueur Externe, a web agency based in the French Riviera with over 20 years of experience in secure web development, we have already started auditing client projects against the CRA framework to anticipate the 2026 reporting deadline.
Core Requirements for Developers
The CRA introduces several obligations that will change day-to-day development practices:
Security by Design
- Products must be delivered with secure default configurations
- No known exploitable vulnerabilities at the time of release
- Encryption of sensitive data in transit and at rest where applicable
Vulnerability Handling
- Establish a coordinated vulnerability disclosure policy
- Report actively exploited vulnerabilities to ENISA within 24 hours
- Provide security updates for a minimum of 5 years (or the expected product lifetime)
Documentation and Transparency
- Maintain a Software Bill of Materials (SBOM) listing all components and dependencies
- Provide clear user documentation on security features and update procedures
- Affix CE marking only after completing a conformity assessment
How Does It Compare to Existing Regulations?
| Aspect | GDPR | NIS2 | Cyber Resilience Act |
|---|---|---|---|
| Focus | Personal data | Critical infrastructure operators | Digital products |
| Applies to | Data controllers/processors | Essential & important entities | Manufacturers, importers, distributors |
| Max fine | €20M / 4% turnover | €10M / 2% turnover | €15M / 2.5% turnover |
| Effective | 2018 | October 2024 | September 2026 (reporting) / December 2027 (full) |
The CRA fills a gap: while GDPR protects data and NIS2 secures networks, the CRA secures the products themselves.
Practical Steps to Prepare Now
Don’t wait for the enforcement deadline. Here is a realistic roadmap:
- Inventory your digital products — Identify which of your outputs qualify as “products with digital elements.”
- Generate SBOMs — Tools like Syft can produce them automatically for your codebases in the CycloneDX or SPDX formats.
- Implement a vulnerability disclosure process — Even a simple security.txt file is a start.
- Review your update pipeline — Can you push security patches quickly and reliably for the next 5 years?
- Train your team — Developers, project managers, and stakeholders all need CRA awareness.
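As an added illustration of the disclosure step above (not code from Lueur Externe), here is a small checker for a security.txt file: it parses the file, confirms the two fields RFC 9116 makes mandatory (Contact and Expires), and flags an expired or overly distant Expires value. The sample file, its example.com addresses and the dates are constructed.

```python
"""Minimal checker for a security.txt file (RFC 9116), the disclosure
entry point the roadmap mentions. Added example, not the agency's code."""
from datetime import datetime, timezone, timedelta

# Constructed sample of what a site might serve at /.well-known/security.txt
SAMPLE = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, fr
Policy: https://example.com/security-policy
"""

REQUIRED = ("Contact", "Expires")  # the only fields RFC 9116 requires

def parse_timestamp(value):
    """Parse an ISO 8601 timestamp, accepting the trailing 'Z' security.txt uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return {field: [values]} for 'Field: value' lines; skip comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = parse_timestamp(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing required field: {n}" for n in REQUIRED if n not in fields]
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI: {contact}")
    for exp in fields.get("Expires", [])[:1]:
        try:
            when = parse_timestamp(exp)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when <= now:
            problems.append("security.txt has expired")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return problems
```

Run it against the file you actually serve and wire it into CI, since an expired security.txt is worse than none: researchers are told to treat it as stale.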
Conclusion: Compliance Is a Competitive Advantage
The Cyber Resilience Act is not just another regulatory hurdle — it is a signal that the EU is raising the bar for digital product security. Companies that adapt early will earn trust, reduce risk, and differentiate themselves in an increasingly regulated market.
Whether you manage an e-commerce platform on PrestaShop, maintain a portfolio of WordPress sites, or develop custom web applications, now is the time to assess your exposure.
Lueur Externe helps businesses across Europe build secure, compliant digital products. From architecture audits to vulnerability management workflows, our team can guide you through every step of CRA readiness.