The EU Cyber Resilience Act (CRA) Is Coming What LabVIEW Developers Need to Know

If you develop or distribute LabVIEW-based software, especially into European markets, an important regulatory change is approaching fast: the EU Cyber Resilience Act (CRA).

At JKI, we’ve been pushing the limits of LabVIEW for over two decades, providing tools for software engineering and building complex systems. Lately, we’ve been closely following software and systems security trends in industry and the evolving regulatory landscape.

One thing we've been watching closely is the EU Cyber Resilience Act (CRA), which introduces new cybersecurity and vulnerability management obligations for software products sold in the European Union. The CRA will impact many LabVIEW developers, systems integrators, and toolchain publishers, particularly those distributing reusable components through ecosystems like VIPM and the NI Tools Network or selling test systems into Europe.

One of the most urgent requirements begins in September 2026, when organizations will be expected to report actively exploited vulnerabilities to EU authorities within 24 hours.

This is not just a paperwork exercise — it requires real infrastructure: software bill of materials (SBOM) generation, monitoring the supply chain for upstream vulnerabilities (CVE), having official intake processes for others to report vulnerabilities in your software, and setting up coordinated downstream notification workflows.

JKI has been actively preparing for this shift, with information and tools to assist LabVIEW software and systems builders. We have been developing the JKI Security Suite for over three years and plan to launch it mid-year to help LabVIEW teams address these evolving compliance and supply-chain security needs.

We recently shared the security bulletin, below, with all package publishers on vipm.io (JKI’s distribution platform for LabVIEW tools and add-on libraries), to help ensure that tool developers in the ecosystem are ready for this change, and the community of users can rely on the security of published packages.

For details about how the CRA may affect your LabVIEW products or integration work, visit https://jki.net/cra or email us directly at security@jki.net. We’re here to help the community navigate what’s coming.

JKI security bulletin:

You are receiving this email because you are a registered publisher of a LabVIEW package or software component distributed through JKI's VI Package Manager (VIPM) for LabVIEW and/or the NI Tools Network.

Security Notice:

If you sell LabVIEW-based software products or systems in the European Union, the new EU Cyber Resilience Act (CRA) regulations require you to report and manage security vulnerabilities in your software.

Starting September 11, 2026, you are required to report vulnerabilities in your software (or its dependencies) to EU authorities within 24 hours, if they are being actively exploited.

What this means for you:

In order to achieve compliance with the CRA, you will need to have systems that track:

• which software components and dependencies are within your product, and
• whether any of those components have any known vulnerabilities.

In addition to this, you will need formal, documented processes and systems for

• receiving vulnerability reports from 3rd parties,
• addressing those vulnerabilities, and
• notifying impacted users of your product (and in some cases, EU authorities) within specific timeframes, based on severity.

What you can start doing today:

In practice, you need to have established some process and tools for doing the following:

• Generate SBOMs: Generate and keep up-to-date a Software Bill of Materials (SBOM) that lists all of the software components in your software/system.
• Monitoring CVEs: Continuously monitor your product's dependencies against known vulnerability databases of Common Vulnerabilities and Exposures (CVE)
• Accept Reports from Others: Provide a well-documented, publicly-available means for anyone in your supply chain to report vulnerabilities in your software (e.g. down-stream end users, up-stream components suppliers, etc.)
• Manage Vulnerabilities and Inform Impacted Parties: Have a process for tracking, addressing, and informing all those impacted by the vulnerabilities in your software.

JKI Security Suite and Platform Infrastructure:

The JKI Security Suite for LabVIEW helps with all of the above items, and you can find out more at https://jki.net/security.

We are actively working with many large organizations and systems security stakeholders within the LabVIEW and NI ecosystem, to provide them guidance and supply-chain infrastructure tools to address the rapidly approaching and evolving requirements of the CRA and software systems security landscape. We are committed to navigating the new security landscape with the VIPM community and look forward to sharing more of our product roadmap that supports secure LabVIEW development in 2026 and beyond.

What's Coming Next for the CRA (Dec 2027):

In December 2027, the CRA has established a deadline for meeting many more requirements, which you will also need to understand and prepare to address. JKI will be sending out a follow-up security bulletin soon, containing a more detailed breakdown of the full CRA timeline and longer-term compliance looks like.

Have Questions or Need Assistance?

If you need assistance in understanding how the CRA impacts your products, tracking security vulnerabilities in your own LabVIEW-based applications and systems, or would like to create an actionable plan to address the evolving security needs and regulations affecting you, please:

Reach out to us at security@jki.net.

This notice is informational and not legal advice. For authoritative information about the EU CRA regulations, please visit https://www.european-cyber-resilience-act.com

And, visit https://jki.net/security for the latest, up-to-date information on security for LabVIEW-based software and systems.

~The VIPM Team at JKI