The EU Cyber Resilience Act lands in 2027.
If you ship software to the EU, you'll need:
→ A signed SBOM with every release
→ Cryptographic proof your build wasn't tampered with
→ A verifiable audit trail going back years
Most teams I talk to haven't started.
The technical answer isn't complicated. ECDSA signing on every build. RFC 3161 timestamps so the signature is provably from before any incident. A hash chain so nobody can quietly rewrite history.
The hard part is doing it without slowing the build down or adding 200 lines of crypto code to every pipeline.
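Here is an added illustration of the three mechanisms just listed (build-hash signing, a timestamp on each entry, and a hash chain). It is example code written for this post, not LedgerProve's implementation and not a GitHub Action. It hashes each release artifact, chains every ledger record to the previous one, signs each record with ECDSA P-256, and verifies the whole ledger, reporting the first record that fails. The `Timestamp` field stands in for an RFC 3161 token: a real deployment would store the TSA-signed token there and verify it against the TSA certificate, which this offline example does not do. All type and function names (`Record`, `AppendRecord`, `VerifyLedger`) and the sample artifacts are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// Record is one ledger entry for one build. Timestamp is a plain RFC 3339
// string here; in production it would hold the RFC 3161 token from a TSA.
type Record struct {
	Seq          int
	ArtifactHash string // hex SHA-256 of the build artifact (or SBOM)
	Timestamp    string // placeholder for the RFC 3161 timestamp token
	PrevHash     string // EntryHash of the previous record, "" for the first
	EntryHash    string // hex SHA-256 over the four fields above
	Signature    []byte // ASN.1 ECDSA signature over EntryHash
}

// entryHash binds a record to its predecessor: changing any earlier record
// changes this hash and every hash after it, so a quiet rewrite is visible.
func entryHash(seq int, artifactHash, ts, prev string) string {
	sum := sha256.Sum256([]byte(strconv.Itoa(seq) + "|" + artifactHash + "|" + ts + "|" + prev))
	return hex.EncodeToString(sum[:])
}

// AppendRecord hashes the artifact, links it to the ledger head and signs it.
func AppendRecord(ledger []Record, artifact []byte, ts string, priv *ecdsa.PrivateKey) ([]Record, error) {
	prev := ""
	if n := len(ledger); n > 0 {
		prev = ledger[n-1].EntryHash
	}
	sum := sha256.Sum256(artifact)
	r := Record{Seq: len(ledger), ArtifactHash: hex.EncodeToString(sum[:]), Timestamp: ts, PrevHash: prev}
	r.EntryHash = entryHash(r.Seq, r.ArtifactHash, r.Timestamp, r.PrevHash)
	digest, _ := hex.DecodeString(r.EntryHash) // always valid: we just encoded it
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	if err != nil {
		return nil, err
	}
	r.Signature = sig
	return append(ledger, r), nil
}

// VerifyLedger recomputes the chain and checks every signature. It returns
// the index of the first record that fails, or -1 if the ledger is intact.
func VerifyLedger(ledger []Record, pub *ecdsa.PublicKey) int {
	prev := ""
	for i, r := range ledger {
		if r.Seq != i || r.PrevHash != prev {
			return i // out of order or not linked to its predecessor
		}
		if entryHash(r.Seq, r.ArtifactHash, r.Timestamp, r.PrevHash) != r.EntryHash {
			return i // a field was edited after the entry hash was computed
		}
		digest, err := hex.DecodeString(r.EntryHash)
		if err != nil || !ecdsa.VerifyASN1(pub, digest, r.Signature) {
			return i // signature does not match the signing key
		}
		prev = r.EntryHash
	}
	return -1
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	var ledger []Record
	// Constructed sample artifacts standing in for real release SBOMs.
	for _, sbom := range []string{`{"name":"app","version":"1.0.0"}`, `{"name":"app","version":"1.0.1"}`} {
		ledger, err = AppendRecord(ledger, []byte(sbom), time.Now().UTC().Format(time.RFC3339), priv)
		if err != nil {
			panic(err)
		}
	}
	fmt.Println("clean ledger, first bad index:", VerifyLedger(ledger, &priv.PublicKey))
	ledger[0].ArtifactHash = ledger[1].ArtifactHash // simulate rewriting history
	fmt.Println("after tampering, first bad index:", VerifyLedger(ledger, &priv.PublicKey))
}
```

The verification loop checks three independent things per record, in the order a defender wants to learn about them: that the chain links are intact, that the entry hash still matches its fields, and that the signature was made by the expected key. Storing the TSA token in `Timestamp` and including it in `entryHash` is what ties the signature to a time that an attacker who later obtains the signing key cannot back-date.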
I built LedgerProve to handle this in one GitHub Action step. Free for one repo, forever.
If you're responsible for security or compliance at a SaaS that sells into Europe, this is worth 5 minutes of your attention now — not in 2027 when the deadline is on top of you.
What's your team's plan for CRA compliance?