TLDR: Aikido Security helps you to comply with the Cyber Resilience Act. We also help you to automate security policies and compliance checks for SOC2, ISO27001, CIS & NIS2.
Here, we explain the importance of the Cyber Resilience Act and how Aikido helps you to comply with it.
What is the Cyber Resilience Act and Why Does It Matter for Software Security?
The Cyber Resilience Act (CRA) is a European Union (EU) regulation, introduced in December 2024, that establishes baseline cybersecurity and compliance requirements for all products with digital elements - including their building blocks (hardware and software) - that are sold into the EU. This includes Software-as-a-Service (SaaS) products that qualify as remote data processing solutions. It impacts all manufacturers and distributors selling digital products in the European Union, not just EU-based companies.
The CRA places liability for preventing cybersecurity failures on manufacturers, with significant penalties for non-compliance, up to €15m or 2.5% of global turnover. This effectively means product cybersecurity becomes a market entry barrier and a non-negotiable requirement for staying relevant in the digital supply chain.
The regulation aims to provide clear guidelines to those impacted - but if it was that clear, you wouldn’t be reading this page, so let's break it down for you.
Why Was The Cyber Resilience Act Introduced?
The European Commission introduced the CRA to combat the low baseline level of product security across the internal market. The rapidly growing number of digital products that are frequently placed on the market with known vulnerabilities, often without providing security updates, expands the attack surface of consumers and businesses. Even though they may often seem harmless, just one connected device can serve as an entry point for malicious actors looking to compromise a wider network.
To protect consumers, the CRA places critical products, including smart door locks, baby monitoring systems, alarm systems, connected toys, and wearable health technology, under stricter compliance, effectively shifting the burden away from the end-user onto the manufacturer. By legally mandating automatic security updates by default and requiring clear user instructions, the CRA ensures that consumers are properly informed and can maintain their devices in a secure state without needing advanced technical expertise.
Another issue the EU wants to resolve is how difficult it is for consumers and businesses to know which products are secure when they’re purchasing something.
The CRA makes sure that software and connected devices are updated, secure, and stay resilient to ever-evolving cyberattacks. Many products have historically shipped with known vulnerabilities, fueling large-scale supply chain attacks; the CRA aims to change that.
When does the CRA go into effect?
For teams building software, the timeline comes down to two deadlines:
- Starting September 11, 2026, software builders must comply with mandatory reporting rules, meaning you are legally required to report any actively exploited vulnerabilities or severe security incidents to EU authorities within 24 hours of becoming aware of them.
- The second and final deadline is December 11, 2027, which is when your products must fully comply with all essential security requirements, including secure configuration by default and a declaration of conformity, and must bear the CE marking to be sold in the EU market.
The CRA Product Classifications
The CRA defines four classification tiers for products with digital elements, based on their inherent cybersecurity risks:
- Default Class: This covers the majority of products and allows manufacturers to perform a self-assessment to prove CRA compliance without mandatory third-party audits.
- Important Class I: This category contains products with foundational security roles, such as operating systems, password managers, and routers, requiring stricter validation, for example via harmonized standards (which are under development).
- Important Class II: This higher-risk bracket covers operational security components like firewalls, hypervisors, and intrusion detection tools, and requires mandatory independent testing by a notified body before market entry.
- Critical: Reserved for the highest-security software and hardware, such as smartcards, secure elements, and smart meter gateways, this class requires an independent third-party conformity assessment via a Notified Body.
How CRA Compliance Affects Developers and Security Teams
If you’re part of an engineering or security team, it has a big impact, because it changes the way you design, build, test and ship software. From vulnerability management to incident response, compliance means embedding security by design into your development lifecycle.
How Aikido Security Simplifies CRA Compliance Requirements
The CRA lists strict requirements for manufacturers, from vulnerability scanning and SBOM generation to resilience against DoS attacks. Aikido helps you meet these requirements with automated security scanning, runtime protection, and compliance reporting in one central system.
Here's a more in-depth look at how Aikido helps you to comply with specific requirements:
Products should provide an appropriate cybersecurity level based on risks
Aikido helps by continuously monitoring your code, cloud and runtime against known risks. This gives you a clear overview of your security posture.
Products should be delivered without any known exploitable vulnerabilities
This is where Aikido is essential; Aikido provides a number of scanners that look for vulnerabilities. These include SAST - scanning your source code for security vulnerabilities, Software Composition Analysis (SCA) - open-source dependency vulnerability scanning, virtual machine scanning (AWS EC2 instances), DAST, cloud security posture management (CSPM) - cloud misconfig checks, API scanning, Secrets scanning, Container scanning, Infrastructure-as-Code (IaC) scanning, malware scanning, and open-source-license scanning.
In addition, Aikido provides Zen, a Runtime Application Self-Protection (RASP) tool that protects your application with an in-app firewall. It detects threats as your application runs, stops attacks like zero-days in real time, and automatically blocks critical injection attacks. With Zen installed, you don’t have to worry about new vulnerabilities.
Products should protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks.
Aikido’s Zen can filter malicious traffic at the edge and apply rate limiting, helping to mitigate DoS/DDoS attacks. It reduces the blast radius of volumetric or resource-exhaustion attacks before they hit application logic.
Products should minimise negative impact on the availability of services provided by other devices or networks.
Aikido Zen can ensure compromised services don’t propagate abuse traffic outward.
Products should be designed, developed and produced to limit attack surfaces, including external interfaces.
By identifying exposed services, insecure code, and vulnerable dependencies, Aikido helps reduce attack surfaces. Autonomous penetration testing probes interfaces and endpoints dynamically, helping to identify unexpected exposures.
Products should be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
By detecting vulnerable libraries or unsafe coding practices early via Aikido code quality, Aikido actively reduces exploitability. Our autonomous penetration testing validates whether mitigations (e.g. WAF rules, sandboxing, safe deserialization) actually stop real-world exploits. Meanwhile, DAST can validate whether runtime defences actually work, and essentially tells you whether a check is (or isn’t) effective under attack. By simulating exploit attempts, it verifies that even if a vulnerability exists, compensating controls can limit the damage.
Vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.
Aikido continuously monitors for new vulnerabilities in your dependencies and alerts you, helping you to ensure updates are applied promptly.
Manufacturers should identify and document vulnerabilities and components contained in the product, including drawing up a software bill of materials (SBOM) in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product.
You can use Aikido to export a full Software Bill of Materials (SBOM) in CycloneDX or SPDX with one click. This provides a complete inventory of all packages and their licenses for audits and transparency.
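The SBOM requirement above has a concrete floor: a machine-readable BOM that lists at least the product's top-level dependencies. The following added example (written for this article, not Aikido's code or the CycloneDX project's own tooling) builds a minimal CycloneDX 1.5 JSON BOM from a constructed list of top-level dependencies and then checks a BOM against that list, so a team can verify that an exported SBOM covers what the CRA requires. The product name, versions and purls are constructed sample values.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the top-level dependencies a build tool would report.
# These are illustrative values, not taken from any real product.
TOP_LEVEL_DEPS = [
    {"name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
]


def build_cyclonedx_bom(product_name, product_version, deps):
    """Emit a minimal CycloneDX 1.5 JSON document listing the product and its top-level deps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name, "version": product_version},
        },
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
            for d in deps
        ],
    }


def is_machine_readable_bom(bom):
    """Sanity check that the document declares the CycloneDX format and carries a component list."""
    return (
        bom.get("bomFormat") == "CycloneDX"
        and isinstance(bom.get("specVersion"), str)
        and isinstance(bom.get("components"), list)
    )


def missing_top_level(bom, deps):
    """Return purls of top-level dependencies absent from the BOM; an empty list meets the floor."""
    listed = {c.get("purl") for c in bom.get("components", [])}
    return [d["purl"] for d in deps if d["purl"] not in listed]


if __name__ == "__main__":
    bom = build_cyclonedx_bom("demo-service", "1.0.0", TOP_LEVEL_DEPS)
    print(json.dumps(bom, indent=2))
    print("valid:", is_machine_readable_bom(bom), "missing:", missing_top_level(bom, TOP_LEVEL_DEPS))
```

The same `missing_top_level` check can be pointed at an SBOM exported from any tool, as long as its components carry purls matching those your build tool reports.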
In relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates.
Aikido is the best option for cutting time to remediate, as our scans cut noise (false positives) by 95%. In addition, our Static Application Security Testing (SAST) tool can rule out exploitability, and when this can’t be ruled out, it automatically triages the alerts for you to prioritize.
What’s more, we can remediate a number of issues automatically in one click with our AutoFix feature. We know from our own research of developers, AppSec Engineers and CISOs across Europe and the US, that 79% of organizations already use AI autofix tools for vulnerabilities, with another 18% interested in doing so.
Findings from our autonomous penetration testing can also be integrated into remediation pipelines, making it easier to validate that fixes actually work.
Apply effective and regular tests and reviews of the security of the product with digital elements.
Aikido provides autonomous penetration testing that is more thorough and efficient than manual alternatives, enabling organizations to perform automated tests on an on-demand or continual basis. (This transforms weeks-long pen tests into assessments that take less than an hour). Separately, Aikido also automates security testing on every code change or build, ensuring continuous reviews.
Beyond ISO27001, NIS2, and DORA: What the CRA Adds
Many organizations already comply with frameworks like ISO27001, NIS2, or DORA. These mainly focus on how your company manages security at the organizational level (policies, risk management, incident response, and reporting). Aikido already provides compliance reports within its platform for:
- ISO 27001:2022 Compliance
- SOC2 Compliance
- OWASP Top 10 Compliance
- CIS Compliance
- NIS2 Compliance
- NIST 800-53 Compliance
- PCI Compliance
- HIPAA Compliance
- DORA Compliance
- HITRUST LVL3 Compliance
- ENS Compliance
- GDPR Compliance
The Cyber Resilience Act (CRA) is different. It introduces product-level security obligations, which means the regulation applies directly to the digital products you build and sell. Compliance is not just about proving you have the right processes in place, but also proving that your product itself is secure:
- It must ship without known vulnerabilities
- It must include an SBOM, covering at least top-level dependencies
- It must be resilient to attacks (e.g. DoS/DDoS)
- It must receive automatic security updates, for at least 5 years
- It must be tested regularly for exploitable flaws
These are requirements on the product itself, not only on your company’s security management system.
Other Security Tools You May Need for Full CRA Compliance
While Aikido covers code, cloud, and runtime security in one central system, the CRA also touches on risk assessment, functional and architectural security, identity management, encryption, data protection, and network security. Depending on your environment, you may need complementary tools such as IAM, threat modeling tools, cryptographic controls, or disaster recovery solutions alongside Aikido.
Conclusion
The Cyber Resilience Act sets a new standard for secure software in Europe. Cybersecurity is no longer an optional compliance checkbox, but a market entry barrier. For engineering and security teams, it means designing for security from the start and proving that your products meet CRA requirements.
Aikido Security makes this simple. From code to cloud to runtime, Aikido gives you automated scanning, code quality, SBOM generation, pen testing, and runtime protection in one platform. No juggling multiple tools. No extra noise. Just faster paths to compliance and safer products.
Ready to see how Aikido helps you check off CRA requirements?
Book a demo and start building secure software without slowing down your team.