Volume Two - May 2025
Subject – EU Cyber Resilience Act
Welcome to the second instalment of our Source Code Conversations series. If you’re a first-time reader, each month we sit down with experts from our team to talk about an important subject and its implications for organisations. This month’s discussion is with our Director of Open Source Services, Martin Callinan, who talks about the EU Cyber Resilience Act. The Act brings the potential for serious consequences, yet many organisations are unsure whether they are even affected.
Matt Webb: Hi Martin, thank you for sitting down with us as part of our Source Code Conversations series! To get us underway, for anyone who doesn’t know you, please can you tell us a bit about yourself and your background?
Martin Callinan: Yep. Hi there! Great to be chatting with you. I’m one of the directors at Source Code Control, but even though I help run the business, I stay very hands-on in my work. My main focus is on our Software Supply Chain management services—that’s actually where we got the name Source Code Control from in the first place. It’s an area that’s really gaining momentum, especially with new global regulations coming in. Companies are now being pushed to build security and license compliance into their software from the ground up.
Matt: Great, thank you for the introduction. We’re here today to talk about the EU Cyber Resilience Act, so to begin on that, please can you give our readers an overview of what the act is and when it came into force?
Martin: The Cyber Resilience Act (or CRA), which was recently passed, has been put in place to ensure that any device which is software controlled (or, as the EU puts it, has digital elements) and any service the device communicates with are secure by design, and that manufacturers have security processes in place. One of the key requirements, which is very much related to our software supply chain services, is a requirement to be transparent about the third-party components and libraries used by developers which become part of the software supply chain.
The requirement is that there should be an available, concise and accurate software bill of materials (or SBOM), which is an inventory of the software components in the code, including name, version number, license, copyright and security vulnerability disclosure. You can think of an SBOM like the ingredients on food packaging. Just as someone with an allergy can check the ingredients of the food, an end user of software can check an SBOM for vulnerable components which may be exploitable.
It is not just about the EU: the US has passed a similar act and individual countries have published similar guidance. The UK National Cyber Security Centre has recently published a Software Security Code of Practice which includes the requirement to manage third-party components, and the Indian Computer Emergency Response Team has issued SBOM guidance.
Matt: Understood, thank you for that. It sounds like it may be something that people are only just getting their heads around, if they’ve heard of it at all. I imagine most readers are wondering if it applies to them… does this only impact organisations in specific industries or geographies please?
Martin: Even though the CRA is an EU regulation, it affects manufacturers all over the world. It’s not about where your company is based—it’s about whether you’re shipping digital products into the EU. Enforcement is expected to kick in by the end of 2027, so there’s a bit of time, but companies really need to start preparing now.
The scope is pretty broad. It’s going to impact a wide range of manufacturers—basically anyone making digital or smart devices. That could be anything from smart home products like meters and thermostats, to internet-connected toys, and even cars, which are packed with digital components like engine management systems and infotainment units.
Matt: It sounds like it’s quite wide reaching then! How severe are the penalties for organisations who are found to be non-compliant with the new measures?
Martin: Failure to comply could result in fines of between EUR 5-15m or 1-2.5% of global turnover, which is not insignificant. Also bear in mind the reputational risk and cost of dealing with the fallout from non-conformance, or even the inability to ship products into a very large market.
Matt: Thank you Martin for the comprehensive overview. If organisations want to take steps towards understanding their readiness and compliance with the Act, where would you recommend that they start please? Is there anything that you and your team can do to help?
Martin: We offer a range of services to help companies figure out if they need to comply with the CRA (Cyber Resilience Act), and where they currently stand. To start with, we’ve got a free online gap analysis tool that gives you a quick snapshot. For a more detailed look, our consultants can carry out a deep-dive assessment, which includes a report and a clear roadmap of what needs to be done to get compliant.
On top of that, we can audit your code and generate SBOMs (Software Bills of Materials) in various formats—which is a key requirement for CRA compliance.
We also offer comprehensive training programmes focused on managing software supply chains and aligning with standards like OpenChain ISO 5230 and ISO 18974.
Matt: Martin, thanks again for your time today and for all the information that you’ve shared. In closing, if people want to connect with you, where can they find you please?
Martin: You can find and connect with me on LinkedIn via
We also have a software supply chain company page https://www.linkedin.com/company/9219945 where we keep our audience up to speed with the latest legal and security challenges related to software supply chains and the latest standards and regulations, or, if you prefer X, you can find us here https://x.com/SourceCodeContr
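Martin describes an SBOM as an inventory of components (name, version, license, copyright, vulnerability disclosure) that an end user can check for exploitable components. The script below is an added illustration for this instalment, not code from Source Code Control or from the interview: it reads a small constructed CycloneDX-style SBOM, flags components whose required fields are missing (the "concise and accurate" part of the requirement), and matches the rest against a constructed advisory list. The SBOM contents, the advisory identifiers (ADV-0001, ADV-0002) and the fixed_in versions are all made up for the example; the version ordering is a deliberately simple numeric comparison and does not handle semver pre-release tags.

```python
"""Inspect a minimal CycloneDX-style SBOM: check that each component is fully
described and match components against an advisory feed.

Added example; the SBOM, advisories and version rules are constructed for
illustration and are not a real product inventory or real CVE data."""
import json

# Constructed SBOM in CycloneDX JSON shape. The third component has no license
# information, which is the kind of gap an SBOM audit should surface.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}], "copyright": "Example Authors"},
        {"type": "library", "name": "netparse", "version": "0.9.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "mystery-lib", "version": "2.0.0"},
    ],
})

# Constructed advisory feed: placeholder ids, not real CVEs.
# "fixed_in" is the first version that is no longer affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "name": "netparse", "fixed_in": "1.0.0"},
    {"id": "ADV-0002", "name": "libexample", "fixed_in": "1.2.0"},
]

# Fields every component entry must carry to be useful to a downstream user.
REQUIRED_FIELDS = ("name", "version", "licenses")


def version_tuple(v):
    """Turn '1.2.3' into (1, 2, 3) for ordering.

    Simplification for the example: non-numeric parts (e.g. '3rc1') keep
    only their digits, so pre-release tags are not ordered correctly."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(sbom_json):
    """Return the component list from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat")
    return doc.get("components", [])


def missing_fields(components):
    """Map component name -> list of required fields that are absent or empty."""
    gaps = {}
    for c in components:
        absent = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if absent:
            gaps[c.get("name", "<unnamed>")] = absent
    return gaps


def find_vulnerable(components, advisories):
    """Return (name, version, advisory id) for components older than fixed_in."""
    hits = []
    for c in components:
        for adv in advisories:
            if c.get("name") != adv["name"]:
                continue
            if version_tuple(c.get("version", "0")) < version_tuple(adv["fixed_in"]):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits


def audit(sbom_json, advisories):
    """Run both checks and return a single report dictionary."""
    comps = parse_sbom(sbom_json)
    return {
        "missing": missing_fields(comps),
        "vulnerable": find_vulnerable(comps, advisories),
    }


if __name__ == "__main__":
    # Expected on the sample data: mystery-lib lacks licenses, and netparse 0.9.1
    # is below the ADV-0001 fix version; libexample 1.2.3 is already patched.
    print(json.dumps(audit(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

In practice the advisory feed would come from a vulnerability database keyed by package identifier rather than bare name, and version matching would use a proper version-range parser; the point of the example is that the two checks (is the inventory complete, and does any entry match a known issue) are only possible when the SBOM actually carries name, version and license for every component.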
That concludes our second instalment of Source Code Conversations, thank you for reading and we hope you’ve found the content to be informative. If you would like to talk with Martin and his team about how to get your organisation ready for the EU Cyber Resilience Act, and with no obligation, please use the button below to follow up. If you have an area that you would like us to cover on an upcoming instalment of the series, please email us at open@sourcecodecontrol.com with your suggestions – we’d love to hear from you.
You can read the previous instalments of our series, as well as other content produced by our team, at Blog – Source Code Control
Martin Callinan
Interviewee
Matt Webb
Interviewer
Aaron Wyld
Photographer
Zoe Hawkins
Editor