I've had people call me naive, but I'm really quite enthusiastic about the CRA.
We used to say airily that 'every company is a technology company now', and certainly almost every product, from a car to a train ticket, is at least partly digital now, so it's time we made companies do the security and support for those products better; that's what the EU Cyber Resilience Act is for.
TL;DR: starting this September, if you sell a digital product into the EU, you have to have a proper vulnerability reporting process in place and report security incidents that affect your customers; by December 2027 you have to have SBOMs, conformity declarations, and five years of support and updates.
The hope is that organisations shape up their software development practices and maybe, @kat.lol says, they'll do open source better, because now it's a board responsibility: you have to care about project health, be able to contribute any fixes you create upstream, and generally act responsibly.
With the state of the software ecosystem and a new supply chain attack almost every week, sometimes from nation-state actors, product safety has to cover the digital side of products as well as making sure they don't electrocute you or snap shut on your fingers; the CRA is a way to move that forward.
As @littledan.dev points out to me, the standards to back this up are still in development and there is a push to water them down; we should resist that
I spent quite a while asking people about the CRA this year and, outside security and supply chain conversations, getting blank looks, so I was delighted to see it come up in the #Kubecon keynote.
Usually in interviews I'm the one bringing up the CRA; here at #kubecon people have been bringing it up before I do (even if they're only saying too many organisations aren't paying attention to it), and it was nice to see it show up in the keynote.
And after having spent so long saying that I know I sound naive but that I still think the CRA is an opportunity to give organisations an incentive to fund and contribute to open source better, I'm glad to know I'm not the only one, even if we're cynical about how well it survives contact with capitalism. Maybe, like GDPR, the CRA will get mirrored by similar legislation around the world, although there's little sign of that yet.
cybersecurity
vulnerability
SBOMs
open source
EU
regulation