2026-06-09, Plenary
The Cyber Resilience Act (CRA) is fully enforced for all products "with a digital element" sold in the EU from December 2027. It places highly stringent requirements on manufacturers, such as products being "secure by design and by default" and "having no known vulnerabilities" at the point of going on sale. Vulnerabilities discovered in a product must be reported within 24 hours in the case of critical exploits. All vulnerabilities must be patched within a short time frame, and support must last for 5 years or longer depending on the product.
As a specific example of the effect of the CRA on consumer products, the Linux kernel had 4336 reported vulnerabilities (CVEs) in 2024 (12 per day) and 5779 in 2025 (16 per day). Linux is used in an increasingly large range of consumer devices, not least a large proportion of the world's smartphones. To be able to continue selling these products in Europe, the industry really needs to move to much more securely constructed systems. CHERI systems have memory safety built in, which resolves the roughly 70% of vulnerabilities seen in weaker, non-CHERI legacy systems that stem from memory-safety errors.
Resolving such a large proportion of vulnerabilities at source will greatly reduce the support and maintenance costs, if nothing else. As a result of the CRA, there will be a large shift in the industry to make systems much more secure.
We expect that much of that shift will be towards CHERI systems as manufacturers wake up to the cost savings.