The EU Cyber Resilience Act has been on everyone's "we'll deal with it later" list since it entered into force in December 2024. Later is arriving: vulnerability reporting requirements kick in September 2026, and full compliance is mandatory by December 2027. The timing matters because of what's happening in parallel: most engineering teams have accelerated shipping velocity by leaning hard on AI coding assistants. Copilot, Claude, Cursor — pick one. The code ships faster. The bugs ship faster too. And under the CRA, you own every line of it. "The AI did it" won't save you when EU regulators come knocking. That's not just a headline. It's a structural feature of the regulation. What the CRA actually requires The CRA applies to any product with digital elements placed on the EU market — hardware, software, apps, APIs. If you have EU customers, it applies to you regardless of where you're incorporated. The core obligations: No known exploitable vulnerabilities at market.…