{"id":13073,"date":"2026-01-12T07:26:12","date_gmt":"2026-01-12T15:26:12","guid":{"rendered":"https:\/\/www.coretechnologies.com\/blog\/?p=13073"},"modified":"2026-01-12T07:30:11","modified_gmt":"2026-01-12T15:30:11","slug":"eu-cyber-resilience-act","status":"publish","type":"post","link":"https:\/\/www.coretechnologies.com\/blog\/company\/eu-cyber-resilience-act\/","title":{"rendered":"Q&A: Do You Comply With The EU Cyber Resilience Act (CRA)?"},"content":{"rendered":"
\"Do<\/div>\n
\n  I work for a large technology company based in Germany. Last year, we bought an Unlimited OEM License for AlwaysUp<\/a> and integrated it into our industrial automation delivery chain.<\/p>\n

As an important supplier, we want to ensure that your company takes a holistic approach to Cybersecurity. And in particular, we’d like to know if you’ll be implementing the new EU Cyber Resilience Act (CRA)<\/a>. Please provide a short statement.<\/p>\n

If your product will comply, we can rely on that. If you cannot confirm conformity (mostly in case delivery is done outside the EU market), we may have to analyze further effects on our side and raise additional requests\/requirements.<\/p>\n

— Michael S.<\/p>\n<\/div>\n

Hi Michael, thanks for reaching out.<\/p>\n

Even though we’re based in the USA, our team has been tracking this new EU regulation ever since it started taking shape in 2023. It soon became clear that the CRA would impact us since we have many customers deploying our software in the EU.<\/p>\n

But let’s start at the beginning.<\/p>\n

\n
\n
\"\"<\/a><\/div>\n<\/div>\n

What is the Cyber Resilience Act (CRA)?<\/h2>\n

The EU Cyber Resilience Act<\/a> enhances cybersecurity standards for hardware and software products by requiring manufacturers and retailers to infuse cybersecurity throughout the lifecycle of their products. It came into force in November 2024 and organizations in the European Union have until December 2027 to achieve full compliance.<\/p>\n

Our company isn’t located in the EU and we don’t make any hardware products. But we do create software used by EU companies. As such, we must help our EU customers adhere to the CRA<\/b>.<\/p>\n

Fortunately the CRA aligns with other global standards — like ISO 27001:2022<\/a> — which we already embrace. So let’s review what we have in place today.<\/p>\n

\n
\n
\"\"<\/a><\/div>\n<\/div>\n

We’re serious about security<\/h2>\n

To understand we do today, please review this article detailing how we keep our software (and company) safe and secure<\/a>. There, you’ll see that we’ve infused information security best practices throughout our processes and practices.<\/p>\n

But even though there’s overlap with the CRA and other time-tested standards, the new regulation brings its own perspectives. It deserves dedicated examination. Therefore, from our viewpoint as a US-based software producer, we’ll review 10 major requirements of the CRA and briefly describe how we support you and other EU organizations in each area.<\/p>\n

\n
\n
\"\"<\/a><\/div>\n<\/div>\n

CRA Requirement #1: No exploitable vulnerabilities<\/h2>\n

Don’t ship software with serious flaws<\/p>\n

How we help you to comply<\/h3>\n

It\u2019s very important to check for malware at every stage of the software production pipeline. And, most importantly, the final product must be pristine. That’s why we engage third-party services to verify that nothing strange has crept into our software.<\/p>\n

For example, before release, we run all our applications through Virustotal<\/a> — a well-respected online virus-scanning engine owned by Google. We halt the release if any critical or high vulnerabilities are detected.<\/p>\n

\"Service<\/a><\/div>\n

The bottom line: The software we provide to customers is free of major known vulnerabilities at the time it’s shipped.<\/p>\n

\n
\n
\"\"<\/a><\/div>\n<\/div>\n

CRA Requirement #2: A secure default configuration<\/h2>\n

Make software as secure as possible out-of-the-box<\/p>\n

How we help you to comply<\/h3>\n

Both AlwaysUp<\/a> and Service Protector<\/a>:<\/p>\n

    \n
  1. \n

    Must be installed by an administrator<\/p>\n<\/li>\n

  2. \n

    Are installed to a protected folder in “C:\\Program Files (x86)” by default<\/p>\n<\/li>\n

  3. \n

    Must be run by an administrator<\/p>\n<\/li>\n<\/ol>\n

    There’s no way around those important, default safeguards.<\/p>\n

    Furthermore, there are no “default passwords” of any kind.<\/p>\n

    \n
    \n
    \"\"<\/a><\/div>\n<\/div>\n

    CRA Requirement #3: Regular security updates<\/h2>\n

    Establish a method of resolving vulnerabilities discovered after the software was installed<\/p>\n

    How we help you to comply<\/h3>\n

    It’s company policy to issue a patch for critical and high vulnerabilities within 30 days of their discovery. Medium and Low vulnerabilities are addressed as part of regularly scheduled quarterly or annual releases.<\/p>\n

    However, as purveyors of software that must operate 24\/7\/365, we do not support unattended, automatic updates<\/a> because they’re too dangerous. We leave it to customers to deploy updates manually — after sufficient testing and at a time of their choosing. We keep customers informed of security issues by posting security bulletins on our active blog<\/a>.<\/p>\n

    \n
    \n
    \"\"<\/a><\/div>\n<\/div>\n

    CRA Requirement #4: Protection from unauthorized access<\/h2>\n

    Ensure that the software is accessible only to those who are allowed to use it<\/p>\n

    How we help you to comply<\/h3>\n

    AlwaysUp and Service Protector are restricted to administrators only. A standard user without admin rights cannot start either of the programs on his own.<\/p>\n

    If a standard user attempts to start AlwaysUp, Windows prompts for admin credentials:<\/p>\n

    \"Windows<\/a><\/div>\n

    That important safeguard prevents untrusted (or untrained) individuals from updating your critical applications and services.<\/p>\n

    Furthermore, after you install your program as a service with AlwaysUp, you have the power to enforce who can start, stop, restart or edit the service.<\/p>\n

    That capability is available by selecting Advanced > Service Security Settings<\/b> from the Application<\/b> menu:<\/p>\n

    \"Open<\/a><\/div>\n

    From there, it’s easy for you to specify what each user can do. For example, here’s how we allow Hazel Jones to start or stop the service, but not to modify or delete it:<\/p>\n

    \"Allow<\/a><\/div>\n
    \n
    \n
    \"\"<\/a><\/div>\n<\/div>\n

    CRA Requirement #5: Data confidentiality<\/h2>\n

    Maintain the confidentiality of all data processed<\/p>\n

    How we help you to comply<\/h3>\n

    None of our products collect personal data.<\/p>\n

    And when our applications communicate with our servers — for example when checking for updates or assigning a license — all data is encrypted in transit over HTTPS.<\/p>\n

    \n
    \n
    \"\"<\/a><\/div>\n<\/div>\n

    CRA Requirement #6: Data integrity<\/h2>\n

    Protect data collected from manipulation or modification<\/p>\n

    How we help you to comply<\/h3>\n

    By design, we intentionally limit the data stored by our applications. That’s because our strong preference is to delegate all data persistence to the Windows operating system.<\/p>\n

    For example, when you set up an application with AlwaysUp:<\/p>\n