The EU Cyber Resilience Act: What LabVIEW Software Publishers Need to Know
The EU Cyber Resilience Act (CRA) introduces mandatory security requirements for software sold in the European Union - and LabVIEW-based products are no exception. Starting September 11, 2026, publishers must report actively exploited vulnerabilities to EU authorities within 24 hours. By December 2027, full compliance is required.
Why this matters for LabVIEW publishers
If you sell LabVIEW-based software products or systems in the EU, the CRA applies to you. This includes commercial toolkits, reuse libraries, test and measurement systems, and any product with digital elements. The regulation covers the software you ship and its dependencies - including LabVIEW packages and third-party components your product relies on.
Key dates
September 11, 2026
Vulnerability reporting obligations begin. If a vulnerability in your software (or its dependencies) is being actively exploited, you must report it to EU authorities within 24 hours.
December 11, 2027
Full CRA compliance required. This includes maintaining SBOMs, continuous vulnerability monitoring, coordinated disclosure processes, and documented security support for your products.
What the CRA requires of you
The CRA establishes four areas of obligation for software publishers. Here's what each one looks like in practice for LabVIEW-based products.
Software Bill of Materials (SBOM)
You need to produce and maintain a machine-readable inventory of every software component in your product - LabVIEW packages, shared libraries, drivers, and third-party dependencies. This must be kept current with each release and available on request for audits and customer security reviews.
Vulnerability monitoring
You must continuously monitor your product's dependencies against databases of known vulnerabilities (CVEs). When a vulnerability is disclosed in a component you use, you need to know about it and assess the impact on your product.
Vulnerability intake and disclosure
You must provide a publicly documented way for anyone - end users, component suppliers, security researchers - to report vulnerabilities in your software. Reports must be acknowledged and handled through a defined process.
Notification and remediation
When a vulnerability is confirmed, you must notify affected customers and, in certain cases, EU authorities - within specific timeframes based on severity. You need a process for tracking, resolving, and communicating about vulnerabilities.
Can you answer these questions today?
These four questions map directly to CRA obligations. If you can't confidently answer all of them, you have gaps to address before the deadlines.
1. Do you have a complete, up-to-date list of every software component in your product?
This includes LabVIEW packages, NI drivers, third-party libraries, and any other dependencies bundled into your built application or system. A spreadsheet maintained by hand doesn't meet the CRA's expectation of a machine-readable SBOM.
2. Would you know within 24 hours if a dependency in your product had an actively exploited vulnerability?
This requires some form of continuous monitoring - matching your dependency list against vulnerability databases and receiving alerts when there's a match. Without an SBOM, you can't even start this process.
3. If a customer or researcher found a security issue in your software today, where would they report it?
The CRA requires a documented, publicly accessible vulnerability reporting mechanism. If the answer is "they'd email our support inbox" or "there isn't one," you need to establish a formal intake process.
4. Do you have a process for notifying every affected customer when a vulnerability is confirmed?
This goes beyond "post a release note." You need to be able to identify who is affected, communicate the severity and remediation steps, and in some cases report to EU authorities - all within defined timeframes.
How JKI can help
JKI has been at the center of the LabVIEW ecosystem for over 20 years. We build and maintain VIPM, the standard package manager for LabVIEW, used by thousands of developers and organizations worldwide. We understand the toolchain, the dependency landscape, and the unique challenges that LabVIEW publishers face.
We are actively working with organizations across the LabVIEW and NI ecosystem - including large enterprises and systems security stakeholders - to navigate the CRA's requirements and build practical compliance strategies. Whether you need help understanding what applies to you, generating your first SBOM, or designing a vulnerability handling process, we can help you build a concrete plan.
Not sure where to start?
Reach out and we'll set up a conversation about your specific situation - what you publish, where you sell, and what you need to have in place.
Email: security@jki.net or talk to us
Further reading
For authoritative information about the EU Cyber Resilience Act, visit european-cyber-resilience-act.com.
Disclaimer: This page is informational and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your products and markets.