The digital landscape in Europe is shifting. With the introduction of the Cyber Resilience Act (CRA), the European Union is drawing a line in the sand regarding the cybersecurity of hardware and software products. For the local tech community in Malta—from independent open-source developers to established manufacturing firms—this regulation is not just another bureaucratic hurdle; it is a fundamental change in how we build, sell, and maintain digital products.
At Open Source Society Malta (OSS Malta), we believe in staying ahead of the curve. As an honorary member of the Open Regulatory Compliance Working Group (ORCWG), we are actively following these developments to ensure our community has the tools and knowledge to adapt.
Here is what you need to know to get in line with the new regulation.
What is the Cyber Resilience Act?
The CRA (Regulation (EU) 2024/2847) is the first EU-wide legislation that imposes mandatory cybersecurity requirements for products with digital elements (PDEs). Whether you are producing smart home devices, writing accounting software, or importing tech hardware, if it connects to a device or network, it likely falls under this law.
The goal is simple: ensure that products placed on the EU market are secure by design and remain secure throughout their lifecycle.
You can read the full legal text here: Regulation (EU) 2024/2847 – Cyber Resilience Act.
Key Enforcement Deadlines: The Clock is Ticking
While the regulation has already entered into force as of December 2024, the implementation is staggered. It is crucial for Maltese organizations to mark these dates:
- 11 September 2026 (Reporting Obligations): Manufacturers must start reporting actively exploited vulnerabilities and severe incidents to authorities (CSIRTs/ENISA). If you find a hole in your product, you need a process to report it immediately.
- 11 December 2027 (Full Enforcement): This is the big deadline. By this date, all products with digital elements placed on the EU market must fully comply with the CRA. This includes having the CE marking, a Software Bill of Materials (SBOM), and providing security support for the product’s expected lifetime (usually 5 years).
What This Means for Local Maltese Businesses
Malta’s position as a digital hub means many local entities will be affected. The impact varies depending on your role in the supply chain:
- Software Houses & Developers: If you sell software commercially, you are now a “manufacturer” under the CRA. You must implement security-by-design, document your cybersecurity risks, and provide regular updates.
- Read more on our thoughts about Malta’s Digital Autonomy to understand the broader context of local software independence.
- Importers & Distributors: Many Maltese businesses import tech from outside the EU. Under the CRA, you are responsible for ensuring those products are compliant before they hit the shelves. If the original manufacturer hasn’t done the work, you cannot legally sell the product.
- Open Source Developers: Purely non-commercial open source is largely exempt. However, if your open-source project is part of a commercial product or you accept donations that function like a commercial model, you may have obligations. This is where “Open Source Stewards” come into play.
How to Get in Line with the Regulation
Compliance isn’t achieved overnight. Here is a roadmap to get started:
- Audit Your Portfolio: Identify which of your products are “Products with Digital Elements.” Determine if they are “Default,” “Important” (Class I or II), or “Critical.”
- Secure Your Supply Chain: You need to know exactly what code is in your software. Tools that manage dependencies are vital here.
- Check out our recent article on Software Supply Chain Security for insights on securing your dependencies.
- Establish Vulnerability Handling: You cannot wait until 2027 to figure out how to handle a hack. Start building your disclosure and patching processes now to meet the 2026 reporting deadline.
- Engage with the Community: You don’t have to navigate this alone. As an honorary member of the Open Regulatory Compliance Working Group (ORCWG), OSS Malta is plugged into a network of experts developing best practices for compliance.
We strongly recommend visiting the ORCWG website to access resources, FAQs, and working groups dedicated to making compliance achievable for the open-source ecosystem.
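The two roadmap steps that have a concrete engineering deliverable are the SBOM (listed above as a 2027 requirement) and knowing which of your dependencies are affected by a published vulnerability. The following is an added example, not code from OSS Malta or the ORCWG: it parses a constructed, pinned Python requirements file, emits a minimal CycloneDX-style JSON SBOM with Package URL (purl) identifiers, and cross-checks the components against a constructed advisory list whose identifiers are placeholders (a real pipeline would query a feed such as OSV or a vendor's CSAF documents instead). The version comparison is a deliberately simple numeric tuple compare and is one of the assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile with pinned versions; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
requests==2.31.0
urllib3==1.26.5
jinja2==3.1.2  # templating
"""

# Constructed advisory list with placeholder identifiers (assumption: one
# "fixed_in" version per advisory; a real feed carries proper version ranges).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "urllib3", "fixed_in": "1.26.18"},
    {"id": "EXAMPLE-ADV-0002", "package": "jinja2", "fixed_in": "3.1.3"},
]

# Only exact pins are accepted: an SBOM must name the version actually shipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_pins(text: str) -> List[Tuple[str, str]]:
    """Return (normalised name, version) pairs; reject anything not pinned."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name = m.group(1).lower().replace("_", "-")  # PyPI-style normalisation
        pins.append((name, m.group(2)))
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified numeric ordering (assumption: dotted integers only)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def build_sbom(pins: List[Tuple[str, str]], product: str, product_version: str) -> Dict:
    """Minimal CycloneDX JSON document listing the product and its libraries."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": product, "version": product_version}
        },
        "components": [
            {"type": "library", "name": name, "version": ver, "purl": f"pkg:pypi/{name}@{ver}"}
            for name, ver in pins
        ],
    }


def find_affected(sbom: Dict, advisories: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Match SBOM components against advisories; a component is affected when
    its version is older than the advisory's fixed_in version."""
    index = {c["name"]: c["version"] for c in sbom["components"]}
    hits = []
    for adv in advisories:
        shipped = index.get(adv["package"])
        if shipped is not None and version_key(shipped) < version_key(adv["fixed_in"]):
            hits.append((adv["id"], adv["package"], shipped, adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    sbom = build_sbom(pins, "example-app", "1.0.0")
    print(json.dumps(sbom, indent=2))
    for advisory_id, package, shipped, fixed_in in find_affected(sbom, SAMPLE_ADVISORIES):
        print(f"affected: {package} {shipped} ({advisory_id}, fixed in {fixed_in})")
```

Running the script prints the SBOM and flags the two outdated components. In practice the SBOM would be regenerated on every release and stored alongside the product so that, when an advisory arrives, the question "do we ship this?" is answered by the document rather than by a manual search of the repository.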
Conclusion
The Cyber Resilience Act is raising the bar for digital security in Europe. For Maltese businesses, it presents both a challenge and an opportunity to demonstrate quality and trust. By preparing now, leveraging the resources available through OSS Malta and the ORCWG, and securing your development pipelines, you can ensure your transition is smooth.
Stay tuned to ossmalta.eu for more updates on regulatory compliance and open-source security tools.
Disclaimer
Open Source Society Malta (OSS Malta) provides this information for educational and community-awareness purposes only. This article constitutes non-legal guidance and reflects our current interpretation of the Cyber Resilience Act. We are not responsible for any actions taken based on this content. For official legal compliance, please consult with a qualified legal professional.