What Is the EU Cyber Resilience Act?
The EU Cyber Resilience Act (CRA) is a regulation that establishes mandatory cybersecurity requirements for products with digital elements sold in the European Union. It was formally adopted in late 2024 and becomes fully enforceable in December 2027.
Unlike GDPR, which focuses on personal data processing, the CRA focuses on the security of the product itself — how it's built, how vulnerabilities are disclosed, and how software updates are handled over the product's lifetime.
If you sell WordPress plugins, themes, SaaS products, or any connected digital product to EU customers, this regulation likely applies to you.
Who Does the CRA Affect?
The regulation targets "manufacturers" and "distributors" of products with digital elements. In practice, this includes:
- WordPress plugin and theme developers selling paid products in the EU market. If your plugin processes data, connects to external services, or forms part of a larger software ecosystem, it falls within scope.
- SaaS providers offering subscription-based tools to EU businesses or consumers.
- Agencies and freelancers who develop custom software or web applications delivered to EU clients. If you hand off a WordPress-based product to a client in Germany, France, Italy, or any other EU country, you may be considered a "manufacturer" under the CRA.
- E-commerce site owners who sell their own digital products to EU customers.
Notably, open-source software developed and distributed non-commercially is largely exempt. But if you monetise a WordPress plugin — even partially, even through a freemium model — you're likely in scope.
Key Requirements Under the CRA
The CRA introduces several specific obligations. Here are the most relevant ones for WordPress operators:
1. Vulnerability Disclosure Policy (VDP)
You must have a publicly accessible policy explaining how security researchers can report vulnerabilities in your product. This is called a Vulnerability Disclosure Policy or VDP.
The VDP must be available at a predictable location (your website), written in plain language, and specify:
- How to submit a vulnerability report
- What information to include
- How long you'll take to acknowledge receipt
- Whether you operate a coordinated disclosure process
2. security.txt File (RFC 9116)
The standard location for security contact information is /.well-known/security.txt on your domain. This machine-readable file points security researchers to your contact information and VDP.
The CRA effectively makes this a requirement for in-scope products. The format is defined in RFC 9116 and looks like this:
```
Contact: mailto:security@yoursite.com
Expires: 2027-12-31T23:59:59.000Z
Policy: https://yoursite.com/vulnerability-disclosure-policy
```
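A security.txt file is only useful if researchers' tools accept it, and the mistakes that break it are predictable: a bare email address instead of a `mailto:` URI, a plain-http policy link, an `Expires` value that has already passed or that is set years out. The checker below is an added example written for this article, not code from the page or from the Erdo plugin; it applies the RFC 9116 rules (mandatory `Contact` and `Expires`, `Expires` and `Preferred-Languages` at most once, https for web URIs, `Expires` ideally under a year ahead) to the page's own sample and to a constructed bad sample. The `yoursite.com` domain is the page's placeholder, and `CHECK_TIME` is a fixed reference date so the sample output is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116. Contact and Expires are mandatory;
# Expires and Preferred-Languages may appear at most once.
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
# Fields whose values are web URIs and must therefore use https.
# (Encryption is left out: it may also be a dns: or openpgp4fpr: URI.)
URI_FIELDS = {"Acknowledgments", "Canonical", "Hiring", "Policy"}

# Fixed reference time so the checks below give the same answer every run.
CHECK_TIME = datetime(2027, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return the (field, value) pairs of a security.txt body, in file order.

    Blank lines and '#' comment lines are skipped, as RFC 9116 allows."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    pairs = parse_security_txt(text)
    names = [name for name, _ in pairs]
    problems = []

    for field in REQUIRED_FIELDS:
        if field not in names:
            problems.append(f"missing required field {field}")
    for field in SINGLE_VALUED:
        if names.count(field) > 1:
            problems.append(f"{field} must appear only once")

    for name, value in pairs:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")
        elif name == "Contact" and not re.match(r"^(mailto:|https://|tel:)", value):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI, got {value!r}")
        elif name in URI_FIELDS and not value.startswith("https://"):
            problems.append(f"{name} must be an https:// URI, got {value!r}")
        elif name == "Expires":
            try:
                # Python < 3.11 does not accept a trailing 'Z' in fromisoformat().
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
                continue
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif expires <= now:
                problems.append(f"Expires {value} is in the past; the file will be treated as stale")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


# Constructed sample: the article's own example, with its placeholder domain.
GOOD_EXAMPLE = """\
Contact: mailto:security@yoursite.com
Expires: 2027-12-31T23:59:59.000Z
Policy: https://yoursite.com/vulnerability-disclosure-policy
"""

# Constructed sample showing the usual mistakes: bare email address,
# plain-http policy URL, and a stale Expires value given twice.
BAD_EXAMPLE = """\
# security contact
Contact: security@yoursite.com
Expires: 2024-01-01T00:00:00Z
Policy: http://yoursite.com/vulnerability-disclosure-policy
Expires: 2025-01-01T00:00:00+00:00
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(label, check_security_txt(body, now=CHECK_TIME) or "OK")
```

Run it against the live file (`curl -s https://yoursite.com/.well-known/security.txt | python3 -c 'import sys; ...'`) from a monthly job and you also catch the most common failure in practice, an `Expires` date that quietly passes after the file was set up once and forgotten.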
3. Software Bill of Materials (SBOM)
An SBOM is a formal list of all software components in your product — essentially an ingredients list for software.
For a WordPress plugin, this means documenting:
- Your plugin itself (name, version, license)
- Any third-party libraries or dependencies it uses
- WordPress core as a dependency
SBOMs must be available to competent authorities upon request and, for higher-risk products, may need to be publicly accessible.
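The three items above map directly onto the inputs a plugin already has: the plugin header in its main PHP file (name, version, licence, and the minimum WordPress version it declares), and `composer.lock` for bundled third-party packages. The script below is an added example written for this article, not code from the page, from WordPress, or from the Erdo plugin; it reads both inputs and emits a minimal SBOM in CycloneDX 1.5 JSON. The plugin header and `composer.lock` contents are constructed, the vendor and package names are placeholders, and the `constraint` property name is a custom one chosen here. Note the caveat it encodes: `Requires at least` is the minimum core version the plugin supports, not the version running on any given site, so the WordPress component is labelled as a constraint rather than a pinned version.

```python
import json
import re

# Header fields WordPress reads from the plugin's main PHP file. "Requires at least"
# is the minimum core version the plugin declares support for.
HEADER_FIELDS = ("Plugin Name", "Version", "License", "Requires at least")


def parse_plugin_header(php_source):
    """Extract the WordPress plugin header block into a dict (missing fields omitted)."""
    header = {}
    for field in HEADER_FIELDS:
        # Same shape as WordPress's own header match: optional comment punctuation,
        # the field name, a colon, then the value up to end of line. Only the first
        # 8 KiB is searched, as WordPress does.
        match = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                          php_source[:8192], re.MULTILINE | re.IGNORECASE)
        if match:
            header[field] = match.group(1).strip()
    return header


def parse_composer_lock(lock_text):
    """Return (name, version, licenses) for every package pinned in composer.lock."""
    lock = json.loads(lock_text)
    return [(pkg["name"], pkg["version"], pkg.get("license", []))
            for pkg in lock.get("packages", [])]


def build_sbom(header, packages):
    """Assemble a minimal CycloneDX 1.5 JSON document for the plugin."""
    components = [{
        "type": "library",
        "name": name,
        "version": version,
        # Package URL for Composer packages; lets scanners match against advisories.
        "purl": f"pkg:composer/{name}@{version}",
        "licenses": [{"license": {"name": lic}} for lic in licenses],
    } for name, version, licenses in packages]
    if "Requires at least" in header:
        components.append({
            "type": "framework",
            "name": "wordpress",
            "version": header["Requires at least"],
            # Custom property (name chosen here) flagging that this is a minimum,
            # not the core version actually deployed on a site.
            "properties": [{"name": "constraint",
                            "value": "minimum version declared by the plugin"}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {
            "type": "application",
            "name": header.get("Plugin Name", "unknown"),
            "version": header.get("Version", "0"),
            "licenses": ([{"license": {"name": header["License"]}}]
                         if "License" in header else []),
        }},
        "components": components,
    }


# Constructed sample inputs: not a real plugin, not real packages.
PLUGIN_MAIN = """<?php
/**
 * Plugin Name: Example Forms
 * Version: 1.4.2
 * License: GPL-2.0-or-later
 * Requires at least: 6.2
 */
"""

COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "example-vendor/http-client", "version": "2.3.1", "license": ["MIT"]},
    {"name": "example-vendor/pdf-writer", "version": "0.9.4", "license": ["BSD-3-Clause"]},
]})

if __name__ == "__main__":
    sbom = build_sbom(parse_plugin_header(PLUGIN_MAIN), parse_composer_lock(COMPOSER_LOCK))
    print(json.dumps(sbom, indent=2))
```

Regenerate the document as part of every release build rather than by hand: an SBOM that lags the `composer.lock` it describes is what a regulator or auditor will notice first.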
4. Active Vulnerability Management
The CRA requires that manufacturers:
- Monitor their products for known vulnerabilities
- Issue security updates in a timely manner
- Notify users about security updates
- Provide security updates free of charge for a defined support period
For WordPress plugins, this means you can't simply release a version and abandon it. If a CVE is discovered that affects your plugin, you're obligated to release a fix.
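"Monitor for known vulnerabilities" in practice means comparing the versions pinned in your SBOM against an advisory feed's affected ranges, and the classic bug in home-grown checks is comparing versions as strings (where `"2.10.0" < "2.8.2"` is true). The code below is an added example written for this article, not code from the page or the Erdo plugin; it parses versions numerically, evaluates range constraints such as `>=3.0,<3.5.1`, and reports which components need an update. The component list, the advisory records and their `ADV-000n (placeholder)` identifiers are all constructed; in real use the advisories come from whatever feed you subscribe to, and the comparison ignores pre-release suffixes.

```python
import re


def parse_version(text):
    """'v2.10.0' -> (2, 10, 0). Numeric tuples compare correctly where strings do not.

    Pre-release/build suffixes ('1.4.2-beta', '1.4.2+build5') are dropped."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # treat '1.4' as '1.4.0'
        parts.append(0)
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_in_range(version, spec):
    """True if every comma-separated clause of spec holds, e.g. '>=3.0,<3.5.1'."""
    installed = parse_version(version)
    for clause in spec.split(","):
        match = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9][^\s]*)\s*", clause)
        if not match:
            raise ValueError(f"bad constraint clause {clause!r}")
        op, bound = match.groups()
        if not _OPS[op](installed, parse_version(bound)):
            return False
    return True


def find_affected(components, advisories):
    """Return (name, version, advisory id, fixed version) for each affected component."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for name, version in components:
        for adv in by_package.get(name, []):
            if version_in_range(version, adv["affected"]):
                hits.append((name, version, adv["id"], adv["fixed_in"]))
    return hits


# Constructed inventory, as a plugin's SBOM would list it (placeholder packages).
COMPONENTS = [
    ("example-vendor/http-client", "2.10.0"),
    ("example-vendor/pdf-writer", "0.9.4"),
    ("example-vendor/image-tools", "3.4.9"),
]

# Constructed advisory records with placeholder identifiers; a real feed
# supplies the package, affected range and fixed version in its own schema.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "package": "example-vendor/http-client",
     "affected": "<2.8.2", "fixed_in": "2.8.2"},
    {"id": "ADV-0002 (placeholder)", "package": "example-vendor/image-tools",
     "affected": ">=3.0,<3.5.1", "fixed_in": "3.5.1"},
    {"id": "ADV-0003 (placeholder)", "package": "example-vendor/pdf-writer",
     "affected": "<0.9.0", "fixed_in": "0.9.0"},
]

if __name__ == "__main__":
    for name, version, adv_id, fixed in find_affected(COMPONENTS, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}; update to {fixed}")
```

Only `image-tools` is reported: `http-client` 2.10.0 sits above the 2.8.2 fix even though a string comparison would have flagged it. Wire the same check into CI so a release that reintroduces an affected version fails before it ships, which is the evidence of "timely" handling you will want on file.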
5. Conformity Assessment and CE Marking
Most "standard" digital products (Category I under the CRA) must undergo a self-assessment against the regulation's requirements and affix the CE mark to their product. The assessment must be documented.
Higher-risk products (Category II) require third-party assessment by a notified body — similar to how medical devices or toys are tested.
Most WordPress plugins fall into Category I and can self-certify.
What About GDPR and NIS2?
The CRA doesn't replace GDPR or NIS2 — they operate alongside each other.
GDPR covers personal data processing. If your WordPress site or plugin handles EU residents' personal data, GDPR applies regardless of the CRA.
NIS2 (the Network and Information Security Directive 2) imposes security requirements on "essential" and "important" entities — primarily larger businesses in sectors like energy, health, finance, and digital infrastructure. If your business or your client's business falls into one of these categories, NIS2 obligations apply on top of the CRA.
For most small WordPress businesses and freelancers, GDPR and CRA are the primary concerns. NIS2 applies to a narrower set of larger entities.
The Timeline — What Needs to Happen When
| Date | Obligation |
|---|---|
| Now | Start gap assessment: identify what you need to do |
| September 2026 | CRA reporting obligations begin (notify authorities of actively exploited vulnerabilities within 24 hours) |
| December 2027 | Full CRA requirements apply: VDP, SBOM, security.txt, conformity assessment, CE marking |
The September 2026 reporting obligation is often overlooked. Even though full compliance isn't required until December 2027, you'll need to be able to report actively exploited vulnerabilities to ENISA within 24 hours — and that requires having monitoring processes in place before then.
How to Check Your Current Status
If you're not sure where you stand, start with these questions:
- Do you have a security contact? Is there a way for researchers or users to report a security issue in your product?
- Is there a security.txt file at /.well-known/security.txt on your domain?
- Can you list all the software components in your product? Do you know what third-party libraries your plugins use and their current versions?
- Do you have a process for tracking vulnerabilities in your product's dependencies?
- Have you documented your security practices? Could you produce evidence of a conformity assessment if asked by a regulator?
If you answered no to most of these, you have work to do — but it's manageable with a clear checklist.
Using a Plugin to Automate the Checklist
Rather than working through these requirements manually, Erdo CRA Compliance automates the gap assessment and helps generate required documentation directly from your WordPress dashboard.
The plugin:
- Scans your site against CRA, GDPR, and NIS2 controls and produces a colour-coded compliance dashboard — green (pass), amber (needs attention), red (failing).
- Generates your security.txt file in the correct RFC 9116 format and hosts it at /.well-known/security.txt automatically. No FTP, no server configuration.
- Creates a Vulnerability Disclosure Policy template based on your site details, ready to publish as a page on your site.
- Produces an SBOM listing all active plugins, their versions, and their license information — the core of what a software bill of materials requires for a WordPress-based product.
- Exports PDF audit reports that document your compliance status, suitable for sharing with clients, auditors, or as records for a conformity assessment.
- Generates a conformity declaration template — the self-assessment document required for Category I products under the CRA.
None of this guarantees legal compliance — that depends on your specific product, how it's used, and your legal context. But it gives you a structured starting point and ensures the basic technical requirements are in place.
Practical Advice for Different Audiences
If you're a WordPress plugin developer: Start by documenting your plugin's dependencies (check your composer.json or any third-party libraries you've bundled). Set up a security contact email. Publish a simple VDP. These three steps cover most of the basic obligations and take a few hours, not weeks.
If you're a freelancer delivering WordPress projects: Check whether your clients are EU-based and whether the sites you build for them fall within scope. Consider including CRA compliance documentation as a deliverable in your contracts.
If you're an agency: Build a CRA compliance checklist into your project handoff process. Clients receiving digital products in the EU market will increasingly need documentation that you've considered these requirements.
If you run an EU-facing e-commerce site selling digital products: Treat the December 2027 deadline the same way businesses treated GDPR's May 2018 deadline — but start earlier this time.
Wrapping Up
The EU Cyber Resilience Act is the biggest change to software compliance requirements since GDPR. Unlike GDPR, which most website owners largely ignored until the last moment, the CRA has specific technical requirements that can't be addressed with a policy update alone — they require actual implementation.
The good news: if you're running WordPress, the tooling to address most CRA requirements is available now. Starting the assessment in 2026 gives you a full year to work through the checklist before the December 2027 deadline.
Download Erdo CRA Compliance free from WordPress.org and run your first compliance scan today.