Experts say software’s shrug at security is over, thanks to the EU’s Cyber Resilience Act
Anchore's Josh Bressers on the EU's Cyber Resilience Act and the value of enforcing mandatory cybersecurity standards.

Software’s casual disregard for AI security in favor of adoption speed is about to hit a wall. For years, supply chain accountability was optional. The EU’s Cyber Resilience Act makes it mandatory.
Josh Bressers, VP of Security at Anchore, has spent over two decades in open source and software security. Now, he says, real accountability is finally arriving—and it’s coming from Brussels.
Showing some teeth: "For 20 years, it felt like we were always warning, 'Someday you’ll be sorry,' but with no real accountability," says Bressers. "The Cyber Resilience Act changes that—we finally have some teeth." For years, security was all talk and no follow-through. "Now the EU is saying: track vulnerabilities, publish SBoMs, take responsibility for the open source you ship—or you can’t sell in the EU. That’s a big deal," Bressers says.
Gotta catch 'em all: One of the first hurdles, Bressers explains, is reckoning with the sheer sprawl of open source components. "We’ve been collecting open source for 20 years as if they're Pokémon," he says. "Now we have to unwind it all and ask, 'Where did this even come from?'" Tools like SBoM scanners exist, but scale is the issue. "If you have 10, or 100, or 1,000 products—which isn’t unusual—you have to do this across every one. It’s going to be enormous," explains Bressers.
Breaking point: "Now we have to start asking: How old is this? How many vulnerabilities are in it? And what are we actually going to do to fix it?" says Bressers. It’s rarely as simple as upgrading a package, especially in large enterprise systems. "You break everything. Upgrades have to be planned and baked into your development process. It’s not just accepting the Dependabot PR."
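The two questions above ("where did this come from?" and "how old is this, and how many vulnerabilities does it carry?") have to be answered across every product at once. The following is an added illustration, not Anchore's or Syft's code: it reads minimal CycloneDX-style JSON SBOMs (the shape an SBoM scanner emits), builds a portfolio-wide component inventory, and joins it against a vulnerability feed. All component names, versions, SBOM contents and vulnerability IDs are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample input: minimal CycloneDX-style SBOMs for three products,
# keeping only the fields used below. Names and versions are made up.
SBOMS = {
    "billing": '{"components": [{"name": "libparse", "version": "1.4.0"},'
               ' {"name": "jsonkit", "version": "2.9.8"}]}',
    "portal":  '{"components": [{"name": "libparse", "version": "1.4.0"},'
               ' {"name": "webfw", "version": "4.17.2"}]}',
    "gateway": '{"components": [{"name": "tlslib", "version": "1.1.1"},'
               ' {"name": "webfw", "version": "4.17.2"}]}',
}
# Constructed vulnerability feed: (component, affected version, id, published).
# The IDs are placeholders, not real advisories.
VULNS = [
    ("libparse", "1.4.0", "VULN-PLACEHOLDER-1", date(2021, 12, 10)),
    ("jsonkit",  "2.9.8", "VULN-PLACEHOLDER-2", date(2019, 5, 1)),
    ("tlslib",   "1.1.1", "VULN-PLACEHOLDER-3", date(2022, 3, 15)),
]

def inventory(sboms):
    """Map each (name, version) to the set of products shipping it, so
    'where does this component turn up?' is answered portfolio-wide."""
    where = {}
    for product, raw in sboms.items():
        for c in json.loads(raw).get("components", []):
            where.setdefault((c["name"], c["version"]), set()).add(product)
    return where

def triage(sboms, vulns, as_of):
    """Per product: count of known vulnerabilities in shipped components and
    the age in days of the oldest one, i.e. how long a known issue has been
    shipping. as_of is an ISO date string such as "2025-01-01"."""
    cutoff = date.fromisoformat(as_of)
    where = inventory(sboms)
    report = {p: {"vulns": 0, "oldest_days": 0, "ids": []} for p in sboms}
    for name, version, vid, published in vulns:
        for product in where.get((name, version), ()):
            r = report[product]
            r["vulns"] += 1
            r["ids"].append(vid)
            r["oldest_days"] = max(r["oldest_days"], (cutoff - published).days)
    return report

if __name__ == "__main__":
    for (name, version), products in sorted(inventory(SBOMS).items()):
        print(f"{name}@{version} shipped in {sorted(products)}")
    for product, r in triage(SBOMS, VULNS, "2025-01-01").items():
        print(product, r)
```

A component shared by several products (libparse here) shows up once in the inventory but counts against every product that ships it, which is why the per-product totals, not the component list, are what an upgrade plan has to be sized on.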
Tools and teams: The task is daunting, but the industry isn’t starting from zero. "There’s a lot of tooling in this space already," Bressers says, citing Anchore’s open-source SBoM scanner, Syft, as one example. He credits the EU’s collaborative approach—consulting industry and open source foundations—as key to progress. "My hope is we lean into that open source model of working together to solve problems," he says. "No one’s going to solve this alone."
Compliance gets competitive: Compliance isn’t just a burden—it’s a business imperative. And according to Bressers, it’s catching some companies off guard. "It doesn’t matter where your company’s based. If you sell in the EU, you do this," he says, recalling surprised conversations with U.S. firms. He also sees opportunity: companies that build tools to help others meet these new standards will be in high demand.
Mystery meat to metadata: "I’m hopeful we move beyond the mindset of 'too bad, you can’t update it' and toward something more sustainable," says Bressers. He envisions a shift toward transparent, maintainable software, driven in part by regulations like the CRA. He compares it to the food industry’s reckoning after The Jungle, when transparency became non-negotiable. "If we understand what’s in our software, we can start taking open source sustainability seriously."
Will the world follow?: "I think everyone’s going to be watching what happens," says Bressers, likening the global response to the early days of GDPR. "If it works and makes an impact, I think other large countries will use it as a model." He’s optimistic, pointing to GDPR’s gradual, pragmatic rollout—something he expects from the CRA as well.