Position: How Regulation Will Change Software Security Research
Steven Arzt, Linda Schreiber, Dominik Appelt
TL;DR
The paper argues that the EU Cyber Resilience Act (CRA) will reshape software security research and industry practice by imposing risk-based, regulation-driven requirements that extend beyond product finalization to the entire development process. It analyzes regulatory background, specifies CRA’s essential security requirements, and delineates concrete research challenges in achieving compliant, scalable tooling and certification. Key contributions include outlining the need for standardized compliance procedures, product-level security tooling, consistent risk documentation, lightweight processes for low-risk products, integrated vulnerability detection aligned with risk models, and scalable SBOM capture. The work highlights interdisciplinary collaboration between legal and engineering communities and positions CRA as a potential blueprint for global regulation, while calling for future work on automated analysis techniques to satisfy conformity assessments and evidence requirements. Practically, this fosters alignment between legal obligations and technical best practices, enabling industry to comply without sacrificing agility.
Abstract
Software security has been an important research topic over the years. The community has proposed processes and tools for secure software development and security analysis. However, a significant number of vulnerabilities remain in real-world software-driven systems and products. To alleviate this problem, legislation is being established to oblige manufacturers, for example, to comply with essential security requirements and to establish appropriate development practices. We argue that software engineering research needs to provide better tools and support that help industry comply with the new standards while retaining efficient processes. We argue for stronger cooperation between legal scholars and computer scientists, and for bridging the gap between higher-level regulation and code-level engineering.
