    Dec 11, 2027 · EU Commission · Regulation (applies) · Scheduled · High impact

    EU Cyber Resilience Act becomes fully applicable

    The CRA's core obligations - secure-by-design, SBOM, vulnerability handling, and 24-hour incident reporting - apply to products with digital elements placed on the EU market.

    What changed

    • Manufacturers must maintain an SBOM and a coordinated vulnerability disclosure policy for the product's support period.
    • Actively exploited vulnerabilities and severe incidents must be reported to ENISA/CSIRTs within 24 hours of awareness.
    • Medical devices regulated under MDR/IVDR are largely carved out, but software components shipped separately are not.

    Action for manufacturers

    Decide per product whether CRA or MDR applies, then build the 24-hour incident reporting playbook now - the cadence is faster than FDA postmarket reporting timelines, and many teams are not staffed for it.
