On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on

Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and managing associated legal risk. But developing and maintaining secure software is challenging, including to the extent that companies manage complex software development lifecycles, face

On September 14, 2022, the US Office of Management and Budget (OMB) published a memorandum, M-22-18, requiring federal agencies to comply with previously announced guidelines for ensuring the integrity of third-party software on an agency’s information systems or that otherwise affects government information. Applicable to firmware, operating systems, applications, and application services (e.g., cloud-based

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and managing associated legal risk. But developing and maintaining secure software is challenging, including to the extent that companies manage complex software development lifecycles, face

On April 15, 2020, in line with its mandate to support and promote the European Union’s (“EU”) policy on cybersecurity certifications, the EU Agency for Cybersecurity (“ENISA”) released the study “Advancing Software Security in the EU – The Role of the EU Cybersecurity Certification Framework” (the “Study”).1 In the Study, ENISA stresses