Regulation as an Opportunity
With the Cyber Resilience Act (CRA), NIS2, DORA and the AI Act, far-reaching regulatory requirements for software development will come into force by 2027. Companies that already embrace security, quality and modern engineering practices can turn these obligations into a competitive advantage.
Good Engineering Practices Pay Off
The new regulations require, among other things:
- CRA: Software Bills of Materials (SBOMs), vulnerability management and security updates.
- NIS2 and DORA: Incident reporting obligations and documented risk management.
- AI Act: Technical documentation, data quality measures and human oversight, depending on the risk category.
These requirements are no longer limited to large enterprises or regulated industries. Through supply chains and international business relationships, they increasingly affect software companies in Switzerland and beyond.
For organisations that already integrate quality, security and maintainability into their development processes, the new regulations are less about starting from scratch and more about demonstrating existing engineering excellence. Compliance is becoming a mark of quality rather than just another cost factor.
Companies that adopt Security by Design create many of the required artefacts during the development process itself. CI/CD pipelines, automated testing and Software Bills of Materials (SBOMs) make documentation a natural outcome of modern software engineering instead of an afterthought.
Learn more in our article “Thinking Security Strategically”.
Act Now Instead of Catching Up Later
DORA already applies, the main obligations of the CRA will take effect by the end of 2027, and the AI Act is being introduced in stages. Organisations that evolve their engineering practices today will not only be better prepared for compliance but also strengthen their long-term competitiveness.
This article is based on the June edition of our column “Schlicht und einfach”, published in the Swiss IT Magazine Inside IT. The original article by Markus Schlichting, CEO of Karakun, has been editorially revised and expanded with practical insights for the Karakun website.
Regulation starts with good software engineering. Let’s discuss how Security by Design and modern engineering practices can be integrated into your development processes.
FAQ
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements sold in the EU. It covers areas such as vulnerability management, security updates and Software Bills of Materials (SBOMs). The main obligations apply from the end of 2027.
Does the CRA also affect Swiss companies?
Yes. Swiss companies that sell products in the EU or develop software for customers subject to EU regulation may also need to comply. Regulatory requirements increasingly flow through supply chains and procurement processes.
What is a Software Bill of Materials (SBOM)?
A Software Bill of Materials (SBOM) lists the software components and dependencies used in an application. It improves transparency, simplifies vulnerability management and plays an important role in meeting CRA requirements.
Why is Security by Design important for regulatory compliance?
Security by Design integrates security requirements into architecture, development and operations from the beginning. As a result, many compliance-related artefacts—such as documentation, traceability and security evidence—are created as part of the engineering process.
Are CRA, NIS2, DORA and the AI Act only relevant for large enterprises?
No. Small and medium-sized software companies can also be affected, particularly when they supply regulated industries or operate in international markets. Preparing early helps reduce effort and creates a competitive advantage.