“The AI did it” won’t save you when EU regulators come knocking
The European Union's Cyber Resilience Act (CRA), effective in 2026, imposes strict security requirements on any product with digital elements sold in the EU. Manufacturers must conduct risk assessments, provide security updates for the expected product lifetime, and report actively exploited vulnerabilities to ENISA within 24 hours. The act explicitly covers AI components, meaning “the AI did it” is not a valid defense. Penalties for non-compliance reach €15 million or 2.5% of global annual turnover, whichever is higher. The CRA applies to hardware and software, including IoT devices, operating systems, and applications. Exemptions exist for open-source software developed outside commercial activity. Companies must comply by mid-2026, with a transition period for existing products.

Developers must embed security by design and cannot shift blame to AI.