EU Cyber Resilience Act: What It Means for Teams Running Container-Based Software

By
Ori Ron
May 21, 2026

Engineering teams don't struggle to find CVEs in their container images. The harder challenge is maintaining a clean image standard without it becoming a full-time job. The EU Cyber Resilience Act is now making that challenge a legal requirement, not just a best practice.

The CRA is Europe's first mandatory cybersecurity law for digital products. It entered into force on December 10, 2024, with vulnerability and incident reporting obligations applying from September 11, 2026, and the remaining obligations applying in full from December 11, 2027. It sets baseline security requirements for hardware and software products with digital elements placed on the EU market, and it holds the manufacturer (the entity that builds and distributes the product) responsible for maintaining that security throughout the product's support period.

For engineering and security teams building containerized software, the law's requirements land in a familiar place: the image layer.

What is the EU Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024. It addresses a specific problem: too many software products reach end users carrying known vulnerabilities, with no clear obligation on the manufacturer to fix them. The CRA changes that by making the manufacturer legally responsible for delivering products without known exploitable vulnerabilities and for fixing the ones found later.

The regulation applies a lifecycle model. It does not only require security at ship time; it requires manufacturers to patch vulnerabilities, issue updates, and respond to incidents throughout a product's support period.

Figure: Minimus SBOM and signature compliance check for nginx.

Does the CRA apply to you?

The CRA has explicit extraterritorial reach. What determines scope is not where your company is incorporated - it is whether customers in the EU receive, download, or deploy your software in their own environments. The regulation applies to products with digital elements placed on the EU market whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network. If you distribute containerized software to EU customers, that describes your product, and you are in scope.

Why does this matter if you build software on container images?

Your containerized products are likely in scope. When you ship software that runs on container images, the security posture of those images is part of the security posture of your product. A base image carrying known vulnerabilities is a known vulnerability in your product.

That means your CRA compliance starts at the image layer. The packages in your base images, the SBOM coverage of your dependencies, and the patching cadence of what you ship all feed directly into your obligations as a manufacturer.

Sourcing from a provider whose image maintenance model is built around these exact requirements (clean at release, patched continuously, fully documented) is the most direct way to reduce your compliance exposure at the foundation.

Figure: nginx with 0 vulnerabilities in the Minimus image vs. the public image.

EU Cyber Resilience Act SBOM Requirements

One of the core obligations under the CRA concerns the Software Bill of Materials. Manufacturers must identify and document the vulnerabilities and components in their products, including by drawing up an SBOM in a commonly used, machine-readable format (SPDX and CycloneDX are the usual choices) that covers at least the top-level dependencies of the product with digital elements. The SBOM is part of the product's technical documentation and must be kept up to date as the product changes, because its purpose is to let vulnerabilities be identified across the supply chain.

For containerized software, the floor is the same: the image's top-level dependencies. Minimus goes further: our SBOMs list every component in the image, not only the top level. A complete inventory gives you more visibility into your supply chain and stronger evidence of compliance than the regulation's minimum requires.
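The distinction between "top-level dependencies" and "everything in the image" is concrete once you look at the SBOM's dependency graph. The following is an added example, not code from Minimus or from the regulation: it parses a constructed, abbreviated CycloneDX 1.5 JSON document for a hypothetical image named "app" (package names and versions are illustrative), extracts the top-level dependencies as the refs the image component depends on directly, checks that each one is actually described in the components list, and flags components that lack a purl or version, since those cannot be matched against any vulnerability database no matter how complete the inventory looks.

```python
"""Check a container-image SBOM against the CRA floor: a commonly used,
machine-readable format that describes at least the product's top-level
dependencies, with identifiers that allow vulnerability matching.

Added example, not Minimus or CRA code. The SBOM below is constructed
and abbreviated; package names and versions are illustrative only."""
import json
from typing import Any

# Constructed CycloneDX 1.5 SBOM for a hypothetical image "app".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"bom-ref": "image:app", "type": "container",
                      "name": "app", "version": "1.4.2"},
    },
    "components": [
        {"bom-ref": "pkg:deb/debian/nginx@1.26.0", "type": "library",
         "name": "nginx", "version": "1.26.0",
         "purl": "pkg:deb/debian/nginx@1.26.0"},
        {"bom-ref": "pkg:deb/debian/openssl@3.0.13", "type": "library",
         "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"bom-ref": "pkg:deb/debian/zlib1g@1.3", "type": "library",
         "name": "zlib1g", "version": "1.3",
         "purl": "pkg:deb/debian/zlib1g@1.3"},
        # Recorded without version or purl: listed, but no scanner can
        # match it against an advisory feed.
        {"bom-ref": "lib-libc", "type": "library", "name": "libc6"},
    ],
    "dependencies": [
        {"ref": "image:app",
         "dependsOn": ["pkg:deb/debian/nginx@1.26.0",
                       "pkg:deb/debian/openssl@3.0.13"]},
        {"ref": "pkg:deb/debian/nginx@1.26.0",
         "dependsOn": ["pkg:deb/debian/zlib1g@1.3", "lib-libc"]},
        {"ref": "pkg:deb/debian/openssl@3.0.13", "dependsOn": ["lib-libc"]},
    ],
})


def load_sbom(text: str) -> dict[str, Any]:
    """Parse the SBOM and confirm it is CycloneDX JSON. SPDX, the other
    commonly used format, stores the graph as 'relationships' and would
    need its own parser; it is not handled here."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def _dependency_graph(sbom: dict[str, Any]) -> dict[str, list[str]]:
    return {d["ref"]: list(d.get("dependsOn", []))
            for d in sbom.get("dependencies", [])}


def top_level_dependencies(sbom: dict[str, Any]) -> list[str]:
    """Refs the product itself (metadata.component) depends on directly:
    the floor that 'at the very least the top-level dependencies' sets."""
    root = sbom["metadata"]["component"]["bom-ref"]
    return _dependency_graph(sbom).get(root, [])


def transitive_dependencies(sbom: dict[str, Any]) -> list[str]:
    """Every ref reachable from the root, top-level included."""
    graph = _dependency_graph(sbom)
    seen: list[str] = []
    stack = list(top_level_dependencies(sbom))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.append(ref)
        stack.extend(graph.get(ref, []))
    return seen


def check_coverage(sbom: dict[str, Any]) -> dict[str, Any]:
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    top = top_level_dependencies(sbom)
    return {
        "top_level": top,
        # Named in the graph but never described as a component:
        # the SBOM does not cover its own top level.
        "missing_components": [r for r in top if r not in by_ref],
        # No purl or no version: cannot be matched to advisories.
        "unidentifiable": sorted(
            r for r, c in by_ref.items()
            if not c.get("purl") or not c.get("version")),
        "transitive_count": len(transitive_dependencies(sbom)),
    }


def cra_minimum_met(sbom: dict[str, Any]) -> bool:
    """True when every top-level dependency is described and identifiable."""
    report = check_coverage(sbom)
    return not report["missing_components"] and not any(
        r in report["unidentifiable"] for r in report["top_level"])


if __name__ == "__main__":
    print(json.dumps(check_coverage(load_sbom(SAMPLE_SBOM)), indent=2))
```

Run against the constructed document, the image passes the top-level floor (nginx and openssl are both described with purls) while the report still flags libc6 as unidentifiable. That is the practical reason a full-image SBOM matters: the regulation's minimum says nothing about the transitive packages where most container CVEs actually live, and a component without a purl and version adds nothing to vulnerability identification even when it is listed.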

How Minimus hardened container images map to CRA requirements

Minimus builds secure, minimal container images designed to reduce attack surface and keep CVE counts low for teams that need to move fast without compromising on security or compliance. The Minimus service model is built around the same security properties the CRA requires, so teams using Minimus images start from a foundation that already addresses several of those obligations by design rather than building that compliance posture from scratch.

Minimus Hardened Images vs. Standard Container Images

How Minimus addresses EU Cyber Resilience Act compliance obligations by design (each requirement, followed by what it means in practice):

  • No known exploitable vulnerabilities at time of shipping: software reaches EU customers free of known exploitable CVEs, the CRA's most fundamental product security requirement.
  • Minimal attack surface: only packages required for the workload are included, with no shells, compilers, or unused utilities.
  • Secure default configuration: hardened security settings are applied at build time, not dependent on customers configuring them correctly.
  • Software Bill of Materials (SBOM): a machine-readable component inventory for every image, enabling vulnerability tracking and compliance evidence.
  • Continuous security patching: vulnerabilities are addressed and remediated without undue delay.
  • Free security updates: security patches and updated images are made available to active Minimus customers at no additional cost.
  • Customer notification of available updates: when a patched version is available, Minimus customers receive an update and can inform their affected customers.

Every Minimus image ships with:

  • Zero known exploitable CVEs at time of release.
  • A machine-readable SBOM covering all components.
  • Hardened security defaults applied at build time.
  • Continuous patch coverage for the active subscription lifetime.

The Bottom Line

The CRA doesn't ask whether you have a security process. It asks whether the software your customers run is clean, and whether it stays clean. Those are questions that begin with the image.

Most of the CRA's core product requirements describe behaviors that are already built into how Minimus maintains images: clean at release, minimal by design, continuously patched, and fully documented. For teams navigating CRA compliance, starting at the image layer isn't just practical: it is where the CRA's most concrete product requirements (no known exploitable vulnerabilities, an SBOM, timely security updates) are either met or missed.

Learn More About Minimus

Our images are built with only what is needed, patched continuously, and maintained so that teams spend less time chasing vulnerabilities and more time shipping software. They integrate cleanly into existing CI/CD pipelines without adding operational overhead.

Explore our secure minimal images or request a demo to see how Minimus fits into your environment.

This post is for general informational purposes only and does not constitute legal advice. If you're unsure whether your specific products fall within scope, we recommend speaking with qualified legal counsel.

Ori Ron
General Counsel