TLDR: Aikido Security helps you comply with the Cyber Resilience Act. We also help you automate security policies and compliance checks for SOC2, ISO27001, CIS and NIS2.
Here, we explain why the Cyber Resilience Act matters and how Aikido helps you comply with it.
WTF is the Cyber Resilience Act and Why Does It Matter for Software Security?
The Cyber Resilience Act (CRA) is a European Union (EU) regulation that entered into force on 10 December 2024. It establishes baseline cybersecurity and compliance requirements for all products with digital elements, including their building blocks (hardware and software), that are placed on the EU market. This includes Software-as-a-Service (SaaS) products that qualify as remote data processing solutions. It applies to every manufacturer selling into the European Union, not just EU-based companies. The obligations phase in: vulnerability and incident reporting duties apply from 11 September 2026, and the remaining manufacturer obligations from 11 December 2027.
The CRA places liability for preventing cybersecurity failures on manufacturers, with significant penalties for non-compliance: up to €15m or 2.5% of global annual turnover, whichever is higher. Products should therefore be built from the start with security in mind.
The regulation aims to provide clear guidelines to those impacted - but if it was clear, you wouldn’t be reading this page, so let's break it down for you.
Why Was The Cyber Resilience Act Introduced?
The European Commission designed the CRA to safeguard consumers and businesses buying products with digital elements because, quite frankly, a lot of internet-connected products (otherwise referred to as the Internet of Things) are never updated and are therefore not secure. One of the biggest DDoS attacks on record, the Mirai botnet's attack on Dyn, turned exactly such unsecured IoT devices into an army of attack machines. Another issue the EU wanted to resolve is that consumers and businesses find it increasingly difficult to tell which products are secure at the moment of purchase.
The CRA aims to make sure software and connected devices are updated, secure, and resilient to cyberattacks. Many products have historically shipped with known vulnerabilities, fuelling large-scale supply chain attacks; the CRA aims to change that.
How CRA Compliance Affects Developers and Security Teams
If you’re part of an engineering or security team, it has a big impact, because it changes the way you design, build, test and ship software. From vulnerability management to incident response, compliance means embedding security by design into your development lifecycle.
How Aikido Security Simplifies CRA Compliance Requirements
The CRA lists strict requirements for manufacturers, from vulnerability scanning and SBOM generation to resilience against DoS attacks. Aikido helps you meet these requirements with automated security scanning, runtime protection, and compliance reporting in one central system.
Here's a more in-depth look at how Aikido helps you to comply with specific requirements:
Products should provide an appropriate cybersecurity level based on risks
Aikido helps by continuously monitoring your code, cloud and runtime against known risks. This gives you a single view of your security posture, which is the input a risk-based assessment of the appropriate security level needs.
Products should be delivered without any known exploitable vulnerabilities
This is where Aikido is most directly useful: it provides a number of scanners that look for vulnerabilities before you ship. These include SAST (scanning your source code for security flaws), Software Composition Analysis (SCA, open-source dependency vulnerability scanning), virtual machine scanning (AWS EC2 instances), DAST, cloud security posture management (CSPM, cloud misconfiguration checks), API scanning, secrets scanning, container scanning, Infrastructure-as-Code (IaC) scanning, malware scanning, and open-source licence scanning.
For the product once it is running, Aikido provides Zen, a Runtime Application Self-Protection (RASP) agent that acts as an in-app firewall. It detects threats as your application runs, blocks critical injection attacks automatically, and can stop exploitation attempts against vulnerabilities for which no patch exists yet. Note that Zen mitigates exploitation; it does not remove the CRA obligation to fix and ship updates for vulnerabilities you become aware of.
Products should protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks.
Aikido's Zen applies rate limiting and blocks bot and malicious traffic inside the application, which mitigates application-layer denial of service (request floods, resource-exhaustion against expensive endpoints) before it reaches your business logic. Volumetric DDoS that saturates network capacity must be absorbed upstream, for example by your CDN, cloud provider or a scrubbing service; an in-app agent cannot do that on its own.
Products should minimise negative impact on the availability of services provided by other devices or networks.
Aikido Zen helps ensure a compromised or abused service does not propagate malicious traffic outward, for example by blocking server-side request forgery (SSRF) attempts that would turn your application into a relay against other hosts or networks.
Products should be designed, developed and produced to limit attack surfaces, including external interfaces.
By identifying exposed services, insecure code, and vulnerable dependencies, Aikido helps reduce attack surfaces. Autonomous penetration testing probes interfaces and endpoints dynamically, helping to identify unexpected exposures.
Products designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
By detecting vulnerable libraries and unsafe coding practices early via Aikido code quality, Aikido reduces exploitability before release. Our autonomous penetration testing validates whether mitigations (e.g. WAF rules, sandboxing, safe deserialisation) actually stop real-world exploits. Meanwhile, DAST validates whether runtime defences work under attack and tells you whether a given control is effective. By simulating exploit attempts, it verifies that even if a vulnerability exists, compensating controls limit the damage.
Vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.
Aikido continuously monitors your dependencies for newly published vulnerabilities and alerts you, helping you apply updates promptly. Detection is the first half of this requirement; the CRA also expects you to ship the fix to users and notify them that an update is available, so your release process needs a path from alert to published update.
Manufacturers should identify and document vulnerabilities and components contained in the product, including drawing up a software bill of materials (SBOM) in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product.
You can use Aikido to export a full Software Bill of Materials (SBOM) in CycloneDX or SPDX with one click. This gives you a complete inventory of all packages (direct and transitive, which goes beyond the CRA's top-level minimum) and their licences for audits and transparency.
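The two requirements above (ship without known exploitable vulnerabilities; produce a machine-readable SBOM covering at least top-level dependencies) are easiest to understand as one release gate. The following is an added example written for this page, not Aikido's code: it builds a minimal CycloneDX 1.5 document from a constructed npm lock file, matches components against a constructed advisory feed, and lets a VEX-style "not_affected" statement rule a finding out so that only exploitable findings block the release. The lock file contents, advisory IDs (ADV-0001, ADV-0002) and the `acme:direct` property are all constructed for illustration.

```python
"""Build a CycloneDX SBOM from a lock file and gate a release on known
exploitable vulnerabilities. Added example: the lock file, advisory feed and
VEX statements below are constructed inline, not real data."""
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-in for a package-lock.json "packages" map (npm v7+ layout).
LOCKFILE = {
    "packages": {
        "": {"name": "acme-portal", "version": "2.4.0",
             "dependencies": {"express": "^4.18.2", "lodash": "^4.17.20"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/qs": {"version": "6.11.0"},  # transitive dependency
    }
}

# Constructed advisory feed: package purl prefix plus the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "purl_prefix": "pkg:npm/lodash", "fixed_in": "4.17.21", "severity": "high"},
    {"id": "ADV-0002", "purl_prefix": "pkg:npm/qs", "fixed_in": "6.11.1", "severity": "medium"},
]

# Constructed VEX-style statements: a "not_affected" status, with its
# justification, rules the finding out as non-exploitable in this product.
VEX = {("ADV-0002", "pkg:npm/qs@6.11.0"): "not_affected: vulnerable_code_not_in_execute_path"}


def _parse_version(v):
    """'4.17.20' -> (4, 17, 20). Enough for plain semver cores used here."""
    return tuple(int(p) for p in v.split("."))


def build_sbom(lockfile):
    """Emit a minimal CycloneDX 1.5 JSON document covering all resolved packages."""
    root = lockfile["packages"][""]
    top_level = set(root.get("dependencies", {}))
    components = []
    for path, entry in lockfile["packages"].items():
        if path == "":
            continue  # the root entry is the product itself, recorded in metadata
        name = path.rsplit("node_modules/", 1)[-1]
        purl = f"pkg:npm/{name}@{entry['version']}"
        components.append({
            "type": "library", "name": name, "version": entry["version"],
            "purl": purl, "bom-ref": purl, "scope": "required",
            # The CRA minimum is top-level dependencies; flag which ones are direct
            # so an auditor can see the minimum is met even in a full inventory.
            "properties": [{"name": "acme:direct", "value": str(name in top_level).lower()}],
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": root["name"], "version": root["version"]},
        },
        "components": components,
    }


def find_known_vulnerabilities(sbom, advisories):
    """Match each component purl (name part only) against the advisory feed and
    report it when the installed version is older than the fixed version."""
    findings = []
    for comp in sbom["components"]:
        name_part = comp["purl"].rsplit("@", 1)[0]  # rsplit keeps '@scope/pkg' names intact
        for adv in advisories:
            if name_part == adv["purl_prefix"] and \
                    _parse_version(comp["version"]) < _parse_version(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "severity": adv["severity"]})
    return findings


def release_blockers(findings, vex):
    """Keep only findings that no not_affected VEX statement has ruled out."""
    return [f for f in findings
            if not vex.get((f["advisory"], f["purl"]), "").startswith("not_affected")]


if __name__ == "__main__":
    bom = build_sbom(LOCKFILE)
    print(json.dumps(bom, indent=2))
    blockers = release_blockers(find_known_vulnerabilities(bom, ADVISORIES), VEX)
    for b in blockers:
        print(f"BLOCK: {b['purl']} affected by {b['advisory']} ({b['severity']})")
    raise SystemExit(1 if blockers else 0)
```

Run it as a CI step: the process exits non-zero while lodash 4.17.20 is still in the tree, and passes once the lock file is bumped to 4.17.21. The qs finding is suppressed only because a VEX statement with a justification exists; keeping that justification next to the SBOM is what lets you show an auditor why a known vulnerability was not exploitable in your product.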
In relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates.
Aikido cuts time to remediate because our scans reduce noise (false positives) by 95%. In addition, our Static Application Security Testing (SAST) tool checks whether the vulnerable code is actually reachable; where exploitability cannot be ruled out, it triages the alert automatically so you can prioritise what to fix first.
What's more, we can remediate a number of issues automatically in one click with our AutoFix feature. We know from our own research among developers, AppSec engineers and CISOs across Europe and the US that 79% of organisations already use AI autofix tools for vulnerabilities, with another 18% interested in doing so.
Findings from our autonomous penetration testing solution can also be fed into remediation pipelines, making it easier to validate that fixes actually work against a live exploit attempt rather than only against a scanner signature.
Apply effective and regular tests and reviews of the security of the product with digital elements.
Aikido will soon be providing autonomous penetration testing that is more thorough and efficient than manual alternatives, enabling organisations to run tests on demand or continuously, turning weeks-long pen tests into assessments that take less than an hour. Separately, Aikido already automates security testing on every code change or build, which gives you the "regular" part of this requirement as a matter of course.
Beyond ISO27001, NIS2, and DORA: What the CRA Adds
Many organisations already comply with frameworks like ISO27001, NIS2 or DORA. These mainly focus on how your company manages security at the organisational level (policies, risk management, incident response and reporting). Aikido already provides compliance reports within its platform for:
- ISO 27001:2022 Compliance
- SOC2 Compliance
- OWASP Top 10 Compliance
- CIS Compliance
- NIS2 Compliance
- NIST 800-53 Compliance
- PCI Compliance
- HIPAA Compliance
- DORA Compliance
- HITRUST LVL3 Compliance
- ENS Compliance
- GDPR
The Cyber Resilience Act (CRA) is different. It introduces product-level security obligations, which means the regulation applies directly to the digital products you build and sell. Compliance is not just about proving you have the right processes in place, but also about proving that the product itself is secure:
- It must ship without known exploitable vulnerabilities
- It must include an SBOM
- It must be resilient to attacks (e.g. DoS/DDoS)
- It must receive ongoing security updates
- It must be tested regularly for exploitable flaws
These are requirements on the product itself, not only on your company’s security management system.
Other Security Tools You May Need for Full CRA Compliance
While Aikido covers code, cloud and runtime security in one central system, the CRA also touches identity management, encryption, data protection, network security and the resilience of the services your product depends on. Depending on your environment, you may need complementary controls alongside Aikido, such as IAM, cryptographic key management, network-level DDoS protection, or backup and disaster recovery solutions.
Conclusion
The Cyber Resilience Act sets a new standard for secure software in Europe, and compliance is no longer optional. For engineering and security teams, it means building with security at the core and being able to prove that your products meet the CRA requirements.
Aikido Security makes this simpler. From code to cloud to runtime, Aikido gives you automated scanning, code quality, SBOM generation, pen testing and runtime protection in one platform: no juggling multiple tools, no extra noise, just a faster path to compliance and safer products.
Ready to see how Aikido helps you check off CRA requirements?
Book a demo and start building secure software without slowing down your team.