EU Cyber Resilience Act: What the December 2026 Deadline Means for AI Software Products
· 4 min read
The EU Cyber Resilience Act (CRA) entered into force in December 2024. Most obligations apply from December 2027, but certain reporting requirements (vulnerability and incident reporting to ENISA) apply from September 2026. Products with digital elements — including AI-embedded software — are in scope.
If you're selling software into the EU that includes AI components, the CRA applies to your product. This is separate from the EU AI Act: the CRA covers cybersecurity; the AI Act covers AI governance. Both apply simultaneously to AI software sold in the EU.