EU Software Regulation

What happens when the EU decides your "as-is" disclaimer is worth nothing?

The Cyber Resilience Act reclassifies software as a physical product. If you ship anything with a digital component — which covers almost everything — you're a manufacturer now. Manufacturers carry no-fault liability: you don't have to be negligent, the product just has to be defective and cause harm. Every substantial update resets a ten-year liability clock. The "move fast and break things" era has a legal expiry date, and it's 2027.

How Brussels goes global without asking

The EU sets the global baseline because no serious company maintains two codebases. They comply everywhere. This is how GDPR rewrote global privacy norms without a single international treaty. The question isn't whether the Cyber Resilience Act spreads globally — it's how fast.

What you actually have to do

Maintain a Software Bill of Materials — a full inventory of every dependency you ship, with you accountable for all of it. Document your architecture. Prove your security process. The immediate bottleneck is a shortage of Conformity Assessment Bodies to run the audits, which is creating a gatekeeper problem for anyone trying to enter the European market before the deadline.

Build ready-to-comply today, or explain to your board why you walked away from 450 million customers.