CRA & NIS2 · plain language

New EU rules decide whether you can still sell in Europe.

If your product contains software — firmware, an embedded system, a controller — two EU laws now require you to prove it is secure. Miss them and you face fines up to €15 million, or a product that simply can't be sold in the EU. Here's what they mean, without the jargon — and what to do about it.

Does this affect you?

Answer honestly. If both are true, the rules apply to you:

1

Your product contains software — firmware, embedded Linux, a controller, or software you sell on its own.

2

It reaches the EU market — directly, or through a customer, distributor, or importer.

Both true? Then keep reading — this is now a legal requirement for you, not an option. Even a manufacturer entirely outside the EU is bound, because the European importer is legally responsible for what it brings in.

The stakes, in four numbers

Dec 2027

CRA fully binding for every product with software.

€15M

or 2.5% of global turnover — maximum fine.

No CE = No sale

Without compliance, no EU market access at all.

5+ yrs

Mandatory security support after each release.

The two laws, in plain language

CRA — the Cyber Resilience Act

Regulates the makers of products with software. It requires you to:

  • Ship a machine-readable SBOM — a full "ingredients list" of every software component.
  • Monitor for new security holes and ship fixes for at least 5 years.
  • Report actively exploited vulnerabilities within 24 hours (from Sept 2026).
  • Keep the documentation 10 years, carry the CE mark — no CE, no EU sale.
NIS2 — why your customers are asking

Regulates the operators who run critical services (energy, water, transport, health, banking, manufacturing…). One of its duties is supply-chain security: they must ensure their suppliers are secure. So they are now asking every vendor — maybe already you — "Show us your SBOM and your vulnerability process." If you can't, you lose the contract.

The good news: the two laws ask for almost the same thing. Get it right once, and you satisfy both — the CRA and your NIS2 customers — with a single process.

What's an "SBOM"?

A Software Bill of Materials — the ingredients label, but for software. Your product is built from hundreds of third-party building blocks; the SBOM lists every one: name, version, maker, licence.

In 2021 a single flaw in one obscure component ("Log4Shell") broke millions of devices — and almost nobody could answer "am I affected?" because no one had the list. The CRA makes that list mandatory. The hard part is producing and maintaining it — which is exactly what embtrace automates.

How embtrace solves it

embtrace turns your existing build into a compliant one — automatically. It doesn't replace how you build; it adds compliance on top.

📋 Produces the SBOM

Reads your build and generates the full ingredients list — in the exact machine format the law requires.

🛡️ Watches for danger

Continuously checks your components against global vulnerability databases, so you know the moment one becomes exploitable.

📄 Writes the paperwork

Generates the compliance reports and technical documentation — with a clear "are we compliant?" status.

🔐 Ships updates safely

Builds signed, encrypted update files so you can deliver the security fixes the law requires — for years.

Built for embedded reality — Yocto, Buildroot, FPGA, multiple chips — and fully self-hosted: nothing leaves your building.

Why acting now matters

Now

NIS2 in force across the EU. Operators are already sending supplier questionnaires.

Sep 2026

24-hour vulnerability reporting duty goes live — impossible without knowing what's in your product.

Dec 2027

Full CRA compliance mandatory — or no EU sales.

Building a compliant process takes months, not days. The teams that start now will be ready; the rest will scramble.

Straight talk

embtrace won't magically fix a 20-year-old machine whose source code is lost — nothing can. What it does is make sure your new and current products are documented, traceable, and compliant from day one. And because we're a small European team, early customers get hands-on onboarding and shape the product with us.

Not sure where you stand?

Tell us what you build and where you sell. We'll tell you honestly what the CRA and NIS2 mean for you — and whether embtrace fits.

Talk to us →