“The AI did it” won’t save you when EU regulators come knocking
The EU's Cyber Resilience Act (CRA) will soon hold organizations accountable for cybersecurity, with reporting obligations starting September 2026 and full compliance by December 2027. The regulation applies to all connected products and software sold in the EU, including AI-generated code. Key requirements include secure-by-design development, lifecycle vulnerability handling, SBOM transparency, and 24-hour reporting of exploited vulnerabilities. Organizations must act now to audit, document, and implement SBOM tools. "The AI did it" is no defense.
The European Union’s Cyber Resilience Act (CRA) is just months away from ushering in a new era of accountability designed to protect consumers from escalating cyber harm. The window to achieve compliance narrows at two key dates:
September 11, 2026: Key reporting obligations for actively exploited vulnerabilities begin.
December 11, 2027: All other major obligations for software and hardware developers apply.
Organizations must act now, in the midst of AI upending software development, to minimize cybersecurity risk and protect their ability to sell software in the EU.
The broad scope and core shift
The CRA is not a niche regulation. It is the first “horizontal” regulation applying to nearly every connected product or piece of software sold in the EU. This broad scope makes no distinction between human-written and AI-generated code, a critical point as AI tooling reshapes modern software development.
Organizations are entering an era of legal accountability while placing increasing trust in autonomous tooling that can generate code faster than teams can fully review and understand it. Security “best practices” are becoming mandated requirements, imposing a significant documentation burden across the entire Software Development Lifecycle (SDLC), especially as AI coding tools drastically increase code volume.
To meet the CRA’s standard of due diligence, organizations must provide streamlined, standardized evidence that their products are built correctly and maintained securely. Security and compliance leaders must immediately build a readiness plan.
Consider this: Auditing and gating every security practice — from thousands of daily commits to production deployments and post-deployment monitoring — is a massive coordination effort. Incorporating new compliance requirements into daily workflows is highly time-intensive, especially as AI radically accelerates development.
Key provisions on the books
While some implementation details are pending, the core mandates are set:
Secure by design: Security must be integrated into every phase of the development lifecycle (design, coding, testing, deployment). This requires auditable evidence of consistently followed secure development practices, including ensuring that products have no known exploitable vulnerabilities at the time they are placed on the market.
Lifecycle vulnerability handling: Compliance extends beyond the initial release, requiring a continuous process for vulnerability management and disclosure. Manufacturers must commit to lifecycle patching and ongoing vulnerability management. Crucially, this obligation encompasses handling vulnerabilities that arise in integrated third-party components (including open source) throughout the product’s supported lifecycle.
Radical transparency (SBOM): To undergo conformity assessments, manufacturers must produce specific technical documentation. This requires generating Software Bill of Materials (SBOMs) and demonstrating component transparency. Organizations will need to reliably generate CRA-relevant metrics and documentation, including specific SBOM inputs, lifecycle support data, and evidence of vulnerability handling, to plug into these mandatory assessments.
Rapid vulnerability reporting: The era of delayed vulnerability disclosure is over. Manufacturers must report any actively exploited vulnerabilities to the EU’s cybersecurity agency, ENISA, within 24 hours of becoming aware of them. This demands significant behavioral and process shifts.
Despite ongoing developments to the specific “harmonized standards” and the final guidance following the recent draft consultation, the core legal obligations are clear enough to act upon today.
Accountability across the organization
The CRA makes cybersecurity a cross-functional effort, moving accountability beyond a siloed security team:
Developers & engineering leadership: Responsible for owning the tension between release speed and provable secure-by-design delivery, the auditable proof required for compliance.
Product security teams: Own vulnerability handling, disclosure processes, SBOM accuracy, and meeting the 24-hour reporting window to ENISA.
Legal & compliance: Manage formal certification, liaise with regulators, and ensure all reporting obligations are correctly fulfilled.
Executive leadership: Responsible for governance, budget, and oversight. They must ensure an audit trail exists to demonstrate due diligence and risk management.
AI leadership & tiger teams: Strategically scale AI adoption while maintaining trust in AI output by managing capacity limits and preserving AI ROI.
What to audit and prioritize today
With the core rules established, start your CRA readiness audit immediately to mitigate risk and avoid last-minute efforts:
Inventory everything: Create a comprehensive inventory of all software products and their supply chain dependencies. Pay special attention to AI-generated code and open source components, which often present unique challenges in provenance and vulnerability management.
Document practices: Formally review and document your secure development lifecycle practices. If it isn’t documented, a regulator will assume it didn’t happen.
Implement SBOM tools: Start generating and managing detailed, accurate SBOMs now. This foundation will put you in a strong position, regardless of how technical standards evolve.
The complexity of AI-generated coding is significant. Regulators are likely to demand a high degree of transparency and human oversight. “The AI did it” will not be a defense for a security flaw. Implementing robust processes for verifying, testing, and securing AI-generated code as developers adopt the tools is always easier than playing catch-up later.
From burden to competitive advantage
The window to prepare is closing. The work is substantial, and proactive teams that start their readiness audits today will reduce risk and avoid the panic and cost of a last-minute push.
Ultimately, preparing for the CRA is not just about avoiding penalties. It is a catalyst for building more secure, resilient, and maintainable software. By embedding these mandated practices, CRA readiness becomes a driver of product quality and a significant competitive advantage in a market demanding trust and transparency.
The post “The AI did it” won’t save you when EU regulators come knocking appeared first on The New Stack.