Secure software development as a regulatory obligation: CRA, DORA, and NIS2

April 29, 2025

Software development is entering a new regulatory era in Europe. Cybersecurity, which until now was often treated as a best practice or an afterthought, is becoming a cross-cutting legal requirement. With the entry into force of the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the NIS2 Directive, the way software is designed, built, deployed, and maintained must undergo a profound transformation.

These regulations introduce specific obligations for manufacturers, developers, financial entities, critical infrastructure operators, and digital service providers, establishing a unified message: security must be integrated from the design stage and maintained throughout the entire software lifecycle.

Cyber Resilience Act (CRA)

  • Final approval: European Parliament vote in March 2024, Council adoption in October 2024; published as Regulation (EU) 2024/2847 on November 20, 2024 and in force since December 10, 2024.
  • Mandatory application: the vulnerability and incident reporting obligations apply from September 11, 2026; the remaining obligations apply from December 11, 2027 (36 months after entry into force).

CRA is the EU's first legislation focused on ensuring that all products with digital elements, both hardware and software, include cybersecurity measures by design and by default. It applies to consumer and industrial products alike, including applications, firmware, routers, smart devices, and general-purpose software. Products already governed by sector-specific rules (for example medical devices, motor vehicles, and civil aviation) are excluded, and free and open-source software that is not monetised is outside the scope, with only light obligations for open-source stewards.

Key requirements include

  • Implementation of security measures from the design phase and secure default configurations (Art. 13 and the essential requirements of Annex I, Part I).
  • Ongoing vulnerability management, including monitoring, response, security updates, and a coordinated vulnerability disclosure policy (Art. 13 and Annex I, Part II).

    The manufacturer must define a support period that reflects how long the product is expected to be in use, and that period must be at least 5 years unless the product is expected to be used for a shorter time. The obligations apply to products placed on the market after the application date.
  • Obligation to report actively exploited vulnerabilities and severe incidents through the single reporting platform to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities (Art. 14).
  • Conformity assessments, extensive technical documentation, a machine-readable software bill of materials (SBOM) covering at least the top-level dependencies, and full traceability throughout development.

CRA redefines modern development: security management can no longer be relegated to the outer layers or final stages of the product. It must be embedded at the core of the engineering process.

Digital Operational Resilience Act (DORA)

  • Approved: December 2022.
  • Direct application across the EU: January 17, 2025.

The DORA Regulation focuses on ensuring the digital operational resilience of the entire European financial ecosystem, including banks, insurers, fintech companies, and especially ICT providers deemed critical. This includes cloud services, data management, software development, and other key technology subcontractors.

Key compliance areas

  • ICT risk management (Chapter II): Clear policies, defined responsibilities, configuration management, updates, access controls, and protection of critical assets.
  • Incident management (Chapter III): Classification, internal communication, and mandatory notification of major ICT-related incidents to the competent authority: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours, and a final report within one month.
  • Digital resilience testing (Chapter IV): From vulnerability scans and audits to threat-led penetration testing (TLPT) based on TIBER-EU, required at least every 3 years for the entities the competent authorities designate.
  • ICT third-party risk (Chapter V): Specific controls for critical providers, including contracts, SLAs, and risk assessments.
  • Information sharing (Chapter VI): collaboration and intelligence sharing against threats.

Implementing a formal and documented SSDLC (Secure Software Development Lifecycle) is essential to meet testing, traceability, and risk control requirements across the technological environment.

NIS2 Directive (Directive 2022/2555)

  • In force since: January 2023
  • Mandatory transposition by Member States: Before October 17, 2024

The new NIS2 Directive replaces its predecessor with a broader scope. It categorizes organizations into two main groups, essential and important entities, with sectors drawn from two annexes:

  • Annex I (sectors of high criticality): energy, transport, banking and financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (managed service providers and managed security service providers), public administration, and space.
  • Digital infrastructure under Annex I includes DNS providers, TLD registries, cloud services, data centers, content delivery networks, and trust service providers.
  • Annex II (other critical sectors): postal services, waste management, chemicals, food, manufacturing (including computers and electronics), digital providers such as online marketplaces, search engines, and social networking platforms, and research organizations.

Highlighted security requirements include

  • Cybersecurity governance policies aligned with real-world risks, with management bodies accountable for approving and overseeing them (Article 20).
  • Risk assessment and mitigation across the entire supply chain, including the security of relationships with direct suppliers and service providers (Article 21(2)(d)).
  • Incident detection, response, and notification processes: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (Article 23).
  • Ongoing training for technical and management staff, and basic cyber hygiene practices.
  • Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure (Article 21(2)(e)).

Conclusion: SSDLC is now a legal requirement

These three regulations converge on a common principle: cybersecurity must be embedded from the initial design phase of the software and kept operational throughout its lifecycle.

The SSDLC framework is no longer just a recommendation; it is now a technical and legal requirement across multiple sectors. This means:

  • Embedding risk analysis and automated security testing into the development pipeline.
  • Ensuring traceability of design decisions, change management, and updates.
  • Establishing formal processes for code review, audits, and technical documentation.
  • Preparing for mandatory notifications, inspections, and audits by the competent authorities.
