EU Cyber Resilience Act: What Container Teams Need to Know

Docker · 25 Jun 2026 · 2 min read

#docker

The EU Cyber Resilience Act (CRA) is a new regulatory framework that imposes cybersecurity requirements on software products, including containerized applications. For developers and container teams, the act introduces mandatory Software Bill of Materials (SBOM) generation, vulnerability reporting obligations, and compliance deadlines that will reshape how software is built and distributed within the EU.

Key requirements and timelines:

  • SBOM mandates: Manufacturers of products with digital elements must draw up a machine-readable SBOM in a commonly used format (SPDX or CycloneDX in practice) that covers at least the product's top-level dependencies, with component names and versions. For Docker images this means capturing what each image actually contains, for example with the docker sbom CLI plugin, docker scout sbom, or by attaching a BuildKit SBOM attestation at build time (docker buildx build --sbom=true).
  • Vulnerability reporting: Manufacturers must report an actively exploited vulnerability through the single reporting platform run by ENISA (with the national CSIRT designated as coordinator) in stages: an early warning within 24 hours of becoming aware of it, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective measure becoming available. Severe incidents affecting a product's security follow the same staged timeline. Image scanning (docker scout) helps find known vulnerabilities in what you ship; it does not tell you whether one is being actively exploited, which is what starts the clock.
  • Security updates: Manufacturers must handle vulnerabilities without undue delay, including by shipping security updates free of charge, for the product's support period (at least five years unless the product is expected to be in use for a shorter time). The regulation sets no fixed patch deadline such as 90 days; "without undue delay" is the standard, so expect to justify your timelines.
  • Timelines: The regulation (EU) 2024/2847 was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. The reporting obligations apply from 11 September 2026; the remaining obligations, including the essential requirements and conformity assessment, apply from 11 December 2027. Microenterprises and small enterprises get simplified documentation and support measures, not later application dates.

Why this matters to developers: The CRA lands directly in CI/CD pipelines. Teams must generate an SBOM for every build rather than once per release (docker buildx build --sbom=true --provenance=true attaches both an SBOM and a provenance attestation to the image), scan continuously so that known vulnerabilities are caught before shipping, and keep auditable records of what was built, from which sources, and which vulnerabilities were fixed when. Non-compliance risks loss of EU market access and administrative fines of up to EUR 15 million or 2.5% of worldwide annual turnover for breaches of the essential requirements. Docker's official blog outlines tools and practices to meet these requirements, including Docker Scout for policy enforcement and SBOM export. Start preparing your container lifecycle now to avoid last-minute rework.
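One concrete pipeline gate, as an added example that is not code from the Docker post: it takes the SPDX JSON document that docker buildx build --sbom=true attaches to an image (retrievable with docker buildx imagetools inspect IMAGE --format '{{ json .SBOM }}') and checks the two properties the CRA's SBOM requirement turns on, namely that every component carries a version and that every component is linked to the described root, so the top-level dependency list is actually derivable. The SBOM embedded below is a constructed, deliberately flawed sample; the function and field names are the example's own, while the SPDX field names are the standard ones.

```python
"""CI gate for a build's SPDX SBOM (added example, not Docker's code).

Assumed input: the SPDX 2.x JSON document produced by a BuildKit SBOM
attestation (`docker buildx build --sbom=true`). Run as
    python sbom_gate.py sbom.spdx.json
and it exits non-zero with the findings if the SBOM is not usable.
"""
import json
import sys

# Constructed sample SBOM: one package lacks a version, one is orphaned
# (no relationship links it to the described root image).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "example-image", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-pkg-openssl", "name": "openssl", "versionInfo": "3.0.13"},
        {"SPDXID": "SPDXRef-pkg-zlib", "name": "zlib"},
        {"SPDXID": "SPDXRef-pkg-busybox", "name": "busybox", "versionInfo": "1.36"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-image",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-image", "relatedSpdxElement": "SPDXRef-pkg-openssl",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-image", "relatedSpdxElement": "SPDXRef-pkg-zlib",
         "relationshipType": "DEPENDS_ON"},
    ],
})

# Relationship types that make a package part of the root's dependency tree.
TREE_RELATIONSHIPS = ("DEPENDS_ON", "CONTAINS")


def _roots(doc: dict) -> set:
    """SPDX IDs the document itself DESCRIBES (normally the image)."""
    return {r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["spdxElementId"] == doc.get("SPDXID")
            and r["relationshipType"] == "DESCRIBES"}


def check_sbom(sbom_json: str) -> list:
    """Return human-readable findings; an empty list means the SBOM passes."""
    doc = json.loads(sbom_json)
    findings = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return ["not an SPDX document"]
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    roots = _roots(doc)
    if not roots:
        findings.append("no DESCRIBES relationship: the SBOM names no root element")
    # A component without a version cannot be matched against advisories.
    for pid, pkg in packages.items():
        if not pkg.get("versionInfo"):
            findings.append(f"{pkg.get('name', pid)}: missing versionInfo")
    # Walk DEPENDS_ON/CONTAINS edges from the roots; anything unreachable is
    # a component whose place in the dependency tree is undocumented.
    edges = {}
    for r in doc.get("relationships", []):
        if r["relationshipType"] in TREE_RELATIONSHIPS:
            edges.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
    reachable, stack = set(roots), list(roots)
    while stack:
        for child in edges.get(stack.pop(), ()):
            if child not in reachable:
                reachable.add(child)
                stack.append(child)
    for pid, pkg in packages.items():
        if pid not in reachable:
            findings.append(f"{pkg.get('name', pid)}: not linked to the root by any relationship")
    return findings


def top_level_dependencies(sbom_json: str) -> list:
    """Names of packages the root depends on directly (the CRA's minimum)."""
    doc = json.loads(sbom_json)
    names = {p["SPDXID"]: p.get("name", p["SPDXID"]) for p in doc.get("packages", [])}
    roots = _roots(doc)
    return sorted(names.get(r["relatedSpdxElement"], r["relatedSpdxElement"])
                  for r in doc.get("relationships", [])
                  if r["spdxElementId"] in roots
                  and r["relationshipType"] in TREE_RELATIONSHIPS)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    problems = check_sbom(text)
    print("top-level dependencies:", ", ".join(top_level_dependencies(text)))
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Wiring this in right after the build step, with the image's SBOM attestation as input, turns the CRA's documentation requirement into a build failure rather than a finding in an audit; keep the SBOM document itself with the build record, since the reporting obligations assume you can say what a given shipped image contained.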

Source: https://www.docker.com/blog/eu-cyber-resilience-act-overview/
