Blog & updates
Guides, explainers, and CRA news
Long-form articles on the topics our readers ask about most. Updated as the regulation evolves and ENISA publishes new guidance.
Generate a CRA-compliant SBOM in 15 minutes
The EU Cyber Resilience Act effectively requires every software product on the EU market to ship with a software bill of materials. The tutorial I wish I'd had when I started: pick a format, generate it for your stack, validate it, and wire it into CI, in about 15 minutes.
EU CRA vs DORA vs NIS2: how the three EU cybersecurity laws compare
What is the EU CRA, and how does it differ from DORA and NIS2? A high-level comparison of the three EU cybersecurity regulations: who they apply to, what they require, the deadlines, and where they overlap. Plain-English tables for product, service, and finance teams.
Are products built before 2027 grandfathered under the CRA?
Article 69 of the EU Cyber Resilience Act creates a real but narrow grandfathering carve-out for products placed on the market before 11 December 2027, until a substantial modification trips the trigger. Here's what that means in practice.
CRA for mobile app developers: a practical guide
What Android and iOS developers actually need to do to comply with the EU Cyber Resilience Act — from SBOM and CE marking through to vulnerability disclosure.
Open source and the CRA: who has to do what
When the CRA applies to OSS, the new 'open source steward' role, and what changes for hobbyist projects, funded foundations, and commercial bundling.
ENISA Single Reporting Platform (SRP), explained
How the ENISA SRP works, who registers, what gets reported, and how the 24h / 72h / 14-day timeline plays out in practice.