The EU’s Cyber Resilience Act (CRA)
Early in 2024 when we were still selling our commercial software, we restricted its sale or resale to the US and most countries outside Europe. We explain why below.
The EU’s Cyber Resilience Act (CRA) became law in 2024 and allows a three year grace period for compliance.
We believe that it is impossible for a small business, such as ours was, to achieve compliance with the Act.
In view of this, we stopped selling our software into any country which adopts the CRA or a local equivalent. This includes all EU and EEA countries, EU candidate countries, and some others with access to the single market such as Switzerland and the UK (where we were based).
Our Opinion on the CRA
It appears to us that the CRA was written by one of the big consultancies to generate as much consulting compliance revenue as possible, while at the same time squeezing out small businesses that can neither comply on their own nor afford to hire a consulting company to do the compliance for them.
The CRA lacks proper provision for small businesses and for open source software developers, exposing them to considerable legal risk. For open source developers it means that something that some of them do for fun and for interest and to share their expertise becomes something for which they might be sued—something that open source licences specifically protect against, but which the CRA overrides. And for small businesses, the burden of the extra bureaucracy and the additional risks of predatory legal action make selling into Europe extremely unattractive.
Overall, the CRA is bad news for European software innovation and will ensure that Europe lags even further behind the US and elsewhere in years to come.