"The AI did it" won't save you when EU regulators come knocking


Andrew Kew, posted on May 30
Tags: security, devops, webdev, cloud

The EU Cyber Resilience Act has been on everyone's "we'll deal with it later" list since it entered into force on 10 December 2024. Later is arriving: the vulnerability and incident reporting obligations apply from 11 September 2026, and the full set of obligations applies from 11 December 2027.

The timing matters because of what is happening in parallel: most engineering teams have accelerated shipping velocity by leaning hard on AI coding assistants. Copilot, Claude, Cursor, pick one. The code ships faster. The bugs ship faster too. And under the CRA, you own every line of it.

"The AI did it" won't save you when EU regulators come knocking. That is not just a headline; it is a structural feature of the regulation.

What the CRA actually requires

The CRA applies to any product with digital elements placed on the EU market: hardware, software, apps, APIs. If you have EU customers, it applies to you regardless of where you are incorporated.

The core obligations:

- No known exploitable vulnerabilities at market. You must ship with a clean bill of health, not "we'll patch it post-launch."
- Security updates for the product's support period. The support period must reflect how long the product is expected to be in use, and is at least five years unless the product is expected to be in use for less.
- Report actively exploited vulnerabilities within 24 hours of becoming aware. The 24-hour deadline is for the early-warning notification to the single reporting platform operated by ENISA (which routes it to the CSIRT designated as coordinator); a fuller notification is due within 72 hours and a final report within 14 days. None of these wait for "when the patch is ready."
- CE marking required for covered products, the same regime as medical devices and industrial kit.
- Fines up to €15 million or 2.5% of global annual turnover, whichever is higher.

The open source exemption is narrower than it sounds: it covers open-source software supplied outside a commercial activity. If you commercialise it, by bundling it in a paid product or offering it as a managed service, you are likely in scope.

The AI code liability gap

Here is where it gets interesting for engineering teams in 2026. AI-generated code ships with the same legal weight as hand-written code. The CRA doesn't care how a vulnerability got there — it cares that you shipped it and yo

Source: dev.to
