Two EU Regulations, Two Different Jobs
It's easy to lump GDPR and the EU Cyber Resilience Act (CRA) together — both are EU regulations, both carry serious fines, and both get mentioned in the same "compliance checklist" conversations. But they regulate genuinely different things, and treating them as interchangeable leaves real gaps.
GDPR is about data: what personal information you collect, why, how long you keep it, and what rights the people behind that data have. The CRA is about software security: how securely a digital product is built, how vulnerabilities get disclosed, and how security updates get delivered over the product's lifetime.
A WordPress site can be fully GDPR-compliant — proper cookie consent, a clear privacy policy, data processing agreements — and have nothing in place that the CRA expects. The reverse is also true. They're not overlapping checkboxes on the same list; they're two separate lists.
What GDPR Actually Covers
The General Data Protection Regulation, applicable since May 2018, governs how personal data is collected, stored, processed, and shared. For a typical WordPress site, this touches:
- Cookie consent — analytics, advertising, and tracking cookies need the visitor's opt-in before they are set, not just a notice banner. Strictly, the cookie rule itself comes from the ePrivacy Directive, but GDPR defines what counts as valid consent, so the two are handled together in practice.
- Privacy policy — a clear, accessible explanation of what data you collect (contact forms, comments, analytics, e-commerce orders) and what you do with it.
- Data subject rights — mechanisms for visitors to request their data, ask for correction, or request deletion.
- Data processing agreements — contracts with any third-party service that processes data on your behalf (email providers, analytics tools, hosting).
- Breach notification — a process for reporting personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the people affected, and for telling those people directly when the risk to them is high.
None of this is about how your code or your plugins are built, or how vulnerabilities in them get reported. GDPR does require "appropriate technical and organisational measures" to protect personal data (Article 32), so an unpatched SQL injection bug in your contact form plugin becomes a GDPR problem the moment it exposes form submissions. But GDPR frames that as an obligation on whoever controls the data, not on whoever wrote the plugin: it says nothing about how the plugin should be developed, how its vulnerabilities get disclosed, or how long it must keep receiving updates.
What the CRA Actually Covers
The Cyber Resilience Act entered into force in December 2024 and phases in: manufacturers' vulnerability and incident reporting duties apply from September 2026, and the full set of requirements from December 2027. It governs the security of products with digital elements placed on the EU market and is aimed at manufacturers, including software vendors, which can include WordPress plugin and theme developers, rather than at every website operator. For a developer or vendor, this means:
- Secure-by-design development — security considered from the start of design and development rather than bolted on afterward, and the product shipped without known exploitable vulnerabilities.
- Vulnerability disclosure policy — a documented, public process for security researchers to report vulnerabilities. This is where security.txt fits in: the RFC 9116 file served at /.well-known/security.txt that tells a researcher where to send a report and where the policy lives.
- Security updates — patches for known vulnerabilities for a defined support period (the CRA sets five years as the default minimum, shortened only when the product's expected lifetime is shorter), delivered promptly and free of charge, with users told when a security update is available.
- Software Bill of Materials (SBOM) — a machine-readable list of the software components the product contains, covering at least its top-level dependencies, so users and regulators can assess exposure when a component has a known vulnerability.
- Incident reporting — notifying the designated CSIRT and ENISA, through the EU single reporting platform, of actively exploited vulnerabilities and severe incidents, with an early warning due within 24 hours and a fuller notification within 72 hours.
If you're a site operator who installs plugins from WordPress.org rather than someone building and distributing software, the CRA's direct obligations fall on the plugin developers, not on you. The other side of that line: if your business builds and sells a plugin, theme, or any digital product to EU customers, the CRA applies to you directly. One caveat worth knowing: free and open-source software supplied outside a commercial activity is largely outside the CRA's scope, so a free, unmonetised plugin sits differently from a paid one or one bundled with paid support.
A Side-by-Side Comparison
| | GDPR | EU Cyber Resilience Act |
|---|---|---|
| What it regulates | Personal data handling | Security of products with digital elements |
| Who it targets | Anyone processing EU residents' personal data | Manufacturers, including software vendors, placing products on the EU market |
| Key documents | Privacy policy, DPAs | Vulnerability disclosure policy, SBOM, security.txt |
| Core requirement | Lawful basis for processing, plus appropriate security of that data | Secure-by-design, vulnerability handling, ongoing security updates |
| Enforcement | Up to €20M or 4% of global annual turnover, whichever is higher | Up to €15M or 2.5% of global annual turnover, whichever is higher, with lower tiers for lesser breaches |
| In force since | Applicable since May 2018 | In force since December 2024; reporting duties from September 2026, full application December 2027 |
Why Both Matter for a WordPress Business
If you run a WordPress agency, develop plugins or themes, or operate a site that processes EU visitor data, both regulations are realistically relevant — just for different parts of your operation:
- Your website's data collection (contact forms, analytics, e-commerce) falls under GDPR.
- Any software you build and distribute — a plugin, a theme, a SaaS product — falls under the CRA.
Many WordPress businesses already have the GDPR side handled, since it's been enforced since 2018 and most agencies built that into their process years ago. The CRA is newer and far less commonly addressed, which is exactly where the gap usually is.
Closing the CRA Gap
If you develop and distribute a WordPress plugin or theme, the practical starting point for CRA readiness is the documentation: a vulnerability disclosure policy, a security.txt file, and ideally an SBOM listing your dependencies. Erdo CRA Compliance scans a WordPress site against CRA, GDPR, and NIS2 requirements and generates the documentation the CRA expects — vulnerability disclosure policy, SBOM, security.txt — in one pass, rather than building each piece manually.
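As an added worked example (not the page's own tooling, and not part of any product it mentions), here is a small Python script that builds a security.txt of the kind RFC 9116 describes and then checks it the way a compliance scanner would: both mandatory fields present, exactly one `Expires`, every `Contact` a URI with a scheme the RFC names, and the expiry neither in the past nor more than a year out. The hostnames and addresses are placeholders; the checker only accepts UTC timestamps in the `YYYY-MM-DDTHH:MM:SSZ` form, which is narrower than the full RFC 3339 syntax and is an assumption of this example.

```python
"""Build and check a security.txt (RFC 9116), served at /.well-known/security.txt.

Added example, not part of the original article or any product it mentions.
Hostnames and addresses are placeholders; only UTC timestamps in the
"YYYY-MM-DDTHH:MM:SSZ" form are accepted (an assumption narrower than RFC 3339).
"""
from datetime import datetime, timedelta, timezone

# RFC 9116: "Contact" (one or more) and "Expires" (exactly one) are mandatory;
# the remaining fields are optional.
MANDATORY = ("Contact", "Expires")
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")   # schemes the RFC names for Contact
TIMESTAMP = "%Y-%m-%dT%H:%M:%SZ"


def _as_utc(value):
    """Accept None (meaning now), a 'YYYY-MM-DDTHH:MM:SSZ' string, or an aware datetime."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        return datetime.strptime(value, TIMESTAMP).replace(tzinfo=timezone.utc)
    return value


def build_security_txt(contacts, policy_url, canonical_url, valid_days=180, now=None):
    """Return the text of a security.txt whose Expires is valid_days after `now`.

    180 days keeps the file well inside the one-year horizon the RFC recommends
    and forces a periodic review of the contact details.
    """
    expires = (_as_utc(now) + timedelta(days=valid_days)).strftime(TIMESTAMP)
    lines = ["# Vulnerability disclosure contact for this product (RFC 9116)"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires}")
    lines.append(f"Policy: {policy_url}")
    lines.append(f"Canonical: {canonical_url}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Map each field name to the list of its values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the mandatory checks passed."""
    now = _as_utc(now)
    problems = []
    fields = parse_security_txt(text)
    for name in MANDATORY:
        if name not in fields:
            problems.append(f"missing mandatory field {name}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a URI with a known scheme: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = _as_utc(value)
        except ValueError:
            problems.append(f"Expires is not a UTC RFC 3339 timestamp: {value}")
            continue
        if when <= now:
            problems.append(f"file expired on {value}; scanners treat it as stale")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out; the RFC recommends less")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")
    return problems


if __name__ == "__main__":
    text = build_security_txt(
        ["mailto:security@example.com", "https://example.com/report-vulnerability"],
        policy_url="https://example.com/vulnerability-disclosure-policy",
        canonical_url="https://example.com/.well-known/security.txt",
    )
    print(text)
    print("problems:", validate_security_txt(text) or "none")
```

Serve the resulting file over HTTPS at exactly the path named in `Canonical`, and put the `Expires` date in whatever calendar drives your release checklist: an expired security.txt is the most common way an otherwise complete disclosure setup gets flagged.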
Wrapping Up
GDPR and the CRA aren't competing regulations or two versions of the same requirement — they cover different risks entirely. Treating "we're GDPR compliant" as evidence of broader compliance leaves the software security side completely unaddressed. If your WordPress business builds or distributes software, both deserve separate attention, with separate documentation, addressing separate risks.