The EU’s Cyber Resilience Act (CRA) introduces some of the strictest cybersecurity requirements yet for organisations selling digital products in the EU market. From 11 September 2026, new reporting obligations take effect for vendors of both hardware and software, and actively exploited vulnerabilities must be reported to EU authorities within 24 hours of discovery.
Sylvain Cortes, VP Strategy at Hackuity, believes that the requirements represent a major operational shift in software liability that many organisations aren’t ready for.
He explains what organisations can do to get ahead and discusses the wider challenges this highlights in identifying and remediating vulnerabilities.
Why is the Cyber Resilience Act’s 24-hour reporting requirement such a significant shift for organisations?
“The Cyber Resilience Act (CRA) is set to change the dynamic around vulnerabilities with mandatory reporting requirements for digital products sold in the EU. Organisations that develop, distribute or sell software and digital devices will face stricter requirements for monitoring and reporting vulnerabilities, including a mandatory 24-hour reporting window for any actively exploited vulnerability.
“Its aim is to ensure that software and digital devices – from accounting software to wearable health tech – are secure when they’re made available to the EU market. The intention is also that processes are in place to ensure the product remains secure through regular testing and reviews. Manufacturers will also need to inform the users of products “in a timely manner” about any actively exploited vulnerability or severe incident.
“This represents a significant shift in accountability. Within the new requirements organisations will need to have processes in place to ensure continuous visibility across their software supply chain so that they know which vulnerabilities will impact their product. More than this, they will need to ensure they can remediate these issues within the timelines and can demonstrate compliance through documentation.
“This becomes a bigger challenge when you consider the scale of today’s vulnerability landscape; there are now hundreds of thousands of known vulnerabilities, with tens of thousands more disclosed every year.
“Traditional vulnerability management has tended to be a more periodic process, with teams running scans, reviewing the results, and gradually working through remediation over days or weeks.”
Where can traditional vulnerability management approaches face challenges?
“The aim of the CRA is to improve transparency and ensure faster responses to security vulnerabilities. However, in many environments, answering the important questions around identifying risks still involves work-intensive manual investigation across multiple tools and teams.
“Security analysts must correlate scanner outputs, asset inventories and threat intelligence before they can confirm real exposure.
“Consider also that modern software is built from complex ecosystems of components rather than a single codebase. Applications often rely on large numbers of open-source libraries, third-party packages and dependencies that sit several layers deep within the software stack. Each of these elements can introduce potential security weaknesses.
“Organisations will need to maintain visibility across this entire dependency chain, continuously monitor for newly disclosed vulnerabilities, assess their relevance to their own products and ensure appropriate remediation actions are taken when risks are identified.
“Vulnerability teams also have to deal with an enormous amount of noise. Finding and assessing vulnerabilities often comes down to a stack of tools that generate large numbers of alerts and false positives. Analysts can end up spending significant time investigating issues that pose little real threat, while high-risk issues slip under the radar. Factor in the steadily increasing volume of vulnerabilities every year, and it’s even harder to keep track.
“As a result, you get a lot of activity without necessarily reducing exposure. A team might patch dozens of vulnerabilities in a week, but if they miss the one that is actively being exploited, the organisation is still at risk.
“This is already leaving companies unnecessarily exposed, but it’s going to be an even greater issue with the expectation that organisations will confirm exploitation and report within 24 hours.”

What operational gaps typically prevent organisations from confirming vulnerability exposure quickly?
“One of the most common challenges is simply visibility. Vulnerability data is often scattered across multiple tools and systems. You might have scanners identifying vulnerabilities, asset management platforms tracking infrastructure, threat intelligence feeds highlighting exploits in the wild, and patch management systems handling remediation. And none of those sources is necessarily talking to each other in a meaningful way.
“Vulnerability scanners may identify affected software versions, but organisations frequently lack accurate asset inventories or software bill of materials (SBOM) data to determine where those components are deployed.
“That all means it can be slow and resource-heavy work for organisations to reliably identify vulnerabilities in their products.
“Supply chains add another layer of complexity. Many digital products rely on third-party libraries, embedded software or external vendors, which makes it harder to know where vulnerabilities might surface.
“This also has a knock-on effect on the ability to prioritise activities. It’s a case of not being able to see the woods for the trees, with teams focusing on individual vulnerabilities without a big picture view.”
What should organisations be doing now to get ahead of the CRA deadline?
“The CRA will require software developers and manufacturers to report actively exploited vulnerabilities and other severe incidents as soon as possible. They will have 24 hours for early warnings, 72 hours for a detailed report, and 14 days to submit a final report that includes patching and other remediation.
“Better consolidation and automation for vulnerability data will be critical for achieving the required clarity inside the time limits. Periodic scanning and manual investigation cannot maintain a clear, real-time understanding of exposure. Instead, teams should aim to bring together detection outputs, asset information and threat intelligence into a single operational view.
“That visibility allows security teams to filter out noise and identify the vulnerabilities that are truly exploitable. This is already an increasingly important capability in the face of the rising tide of vulnerabilities, and it will also be critical for compliance with the CRA. The organisations that can quickly determine whether a vulnerability affects them will be in the best position to respond confidently and meet the reporting demands when they come into force later this year.”
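The consolidation described in the last two answers, as an added example that is not part of the original article or of Hackuity’s tooling: a small Python join of a constructed SBOM, constructed scanner output and a constructed exploited-vulnerability feed, which surfaces the findings that start the CRA reporting clock (24 hours, 72 hours, 14 days). All product and component names, versions and CVE-0000-* identifiers are constructed placeholders, not real CVEs.

```python
"""Correlate SBOM entries, scanner advisories and an exploited-vulnerability
feed into one view, then compute CRA reporting deadlines for exploited findings.
Added example; every input below is a constructed placeholder."""
from datetime import datetime, timedelta, timezone

# Constructed SBOM: which component versions ship in which product.
SBOM = [
    {"product": "meter-firmware", "component": "libfoo", "version": "1.2.0"},
    {"product": "meter-firmware", "component": "netstack", "version": "3.1.4"},
    {"product": "billing-app", "component": "libfoo", "version": "2.0.1"},
]
# Constructed scanner output: advisories keyed by vulnerable component versions.
SCANNER = [
    {"id": "CVE-0000-1001", "component": "libfoo", "versions": {"1.2.0"}},
    {"id": "CVE-0000-1002", "component": "netstack", "versions": {"3.1.4"}},
    {"id": "CVE-0000-1003", "component": "libfoo", "versions": {"2.0.1"}},
]
# Constructed threat-intel feed: advisory IDs observed under active exploitation.
EXPLOITED = {"CVE-0000-1001"}
# Constructed moment of awareness used by the demo and the checks.
EXAMPLE_AWARENESS = datetime(2026, 9, 11, 9, 0, tzinfo=timezone.utc)


def correlate(sbom, scanner, exploited):
    """Join the three sources: attach to each SBOM entry every advisory whose
    vulnerable version set covers the shipped version, and flag exploitation."""
    findings = []
    for entry in sbom:
        for adv in scanner:
            if adv["component"] == entry["component"] and entry["version"] in adv["versions"]:
                findings.append({**entry, "cve": adv["id"], "exploited": adv["id"] in exploited})
    # Exploited findings sort first: those are the ones with a 24-hour clock.
    return sorted(findings, key=lambda f: (not f["exploited"], f["cve"]))


def cra_deadlines(awareness):
    """CRA milestones from awareness, as stated in the interview:
    24h early warning, 72h detailed report, 14 days final report."""
    return {
        "early_warning": awareness + timedelta(hours=24),
        "detailed_report": awareness + timedelta(hours=72),
        "final_report": awareness + timedelta(days=14),
    }


def reportable(findings, awareness):
    """Only actively exploited findings trigger CRA reporting; one row per product/CVE."""
    return [{"product": f["product"], "cve": f["cve"], **cra_deadlines(awareness)}
            for f in findings if f["exploited"]]


if __name__ == "__main__":
    for r in reportable(correlate(SBOM, SCANNER, EXPLOITED), EXAMPLE_AWARENESS):
        print(r["product"], r["cve"], "early warning due", r["early_warning"].isoformat())
```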

Sylvain Cortes is VP Strategy at Hackuity.