"The AI did it" won't save you when EU regulators come knocking

The EU Cyber Resilience Act has been on everyone's "we'll deal with it later" list since it entered into force in December 2024. Later is arriving: vulnerability reporting requirements kick in September 2026, and full compliance is mandatory by December 2027.

The timing matters because of what's happening in parallel: most engineering teams have accelerated shipping velocity by leaning hard on AI coding assistants. Copilot, Claude, Cursor — pick one. The code ships faster. The bugs ship faster too. And under the CRA, you own every line of it.

"The AI did it" won't save you when EU regulators come knocking.

That's not just a headline. It's a structural feature of the regulation.

What the CRA actually requires

"The AI did it" won't save you when EU regulators come knocking.

That's not just a headline. It's a structural feature of the regulation.

What the CRA actually requires

"The AI did it" won't save you when EU regulators come knocking

"The AI did it" won't save you when EU regulators come knocking

Other newsrooms on this story

Related reading

EU AI Act 2026: Embed Compliance in Your CI/CD or Miss the Launch Window

The EU AI Act: A Concrete Compliance Checklist

Agentic AI's governance challenges under the EU AI Act in 2026

'EU set to postpone rules on high-risk AI systems' - sources - Science &…

We open-sourced our EU AI Act compliance checklist, and most teams misread…

EU has 30 days to fix a blind spot on risky AI systems like Pegasus

Other newsrooms on this story

Related reading

EU AI Act 2026: Embed Compliance in Your CI/CD or Miss the Launch Window

The EU AI Act: A Concrete Compliance Checklist

Agentic AI's governance challenges under the EU AI Act in 2026

'EU set to postpone rules on high-risk AI systems' - sources - Science &…

We open-sourced our EU AI Act compliance checklist, and most teams misread…

EU has 30 days to fix a blind spot on risky AI systems like Pegasus