"The AI did it" won't save you when EU regulators come knocking
The EU Cyber Resilience Act (CRA) imposes strict requirements on digital products sold in the EU, with full compliance mandatory by December 2027. Companies must report actively exploited vulnerabilities within 24 hours of discovery and must ensure no known exploitable vulnerabilities are present at market launch. AI-generated code carries the same legal responsibility as hand-written code, so engineering teams must audit the code they ship, whatever its origin, for compliance.
- The CRA requires that all digital products sold in the EU have no known exploitable vulnerabilities at market launch.
- Companies must report actively exploited vulnerabilities to ENISA within 24 hours of discovery.
- AI-generated code is treated legally the same as hand-written code, placing the onus of compliance on manufacturers.
Opening excerpt (first ~120 words):
Andrew Kew, posted on May 30. Tags: #security #devops #webdev #cloud

The EU Cyber Resilience Act has been on everyone's "we'll deal with it later" list since it entered into force in December 2024. Later is arriving: vulnerability reporting requirements kick in September 2026, and full compliance is mandatory by December 2027.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is on DEV.to.