Europe's Cyber Resilience Act was written for a world that no longer exists

The European Cyber Resilience Act (CRA) is one of the most ambitious cybersecurity regulations ever introduced. Rather than demanding software be free of vulnerabilities—a promise no complex software can realistically make—it requires manufacturers to follow a structured cybersecurity process: assess risk, remediate vulnerabilities, deliver updates and document security throughout a product's lifecycle.

It is a pragmatic approach. Its only problem is timing. The assumptions it relies on were formed before Cybersecurity AI fundamentally changed how vulnerabilities are discovered and exploited.

Our latest research paper, "Certifying Ghosts: How Cybersecurity AI Agents Break the EU Cyber Resilience Act," argues that the assumptions behind today's compliance model are already being challenged by AI systems capable of finding and exploiting vulnerabilities continuously, at machine speed.

Diagram illustrating how Cybersecurity AI agents cause the EU Cyber Resilience Act (CRA) to either bend or break by challenging the assumptions behind static cybersecurity certification.

When cybersecurity changes faster than compliance

Cybersecurity AI is changing the assumptions behind today's cybersecurity compliance faster than regulation can evolve. The paper introduces a simple but powerful distinction: some parts of the current compliance model bend under AI pressure, while others can no longer keep pace because they rely on assumptions that no longer reflect today's threat landscape.

When AI dramatically increases the number of discovered vulnerabilities, compliance doesn't disappear—it shifts toward evidence-based prioritization. Human teams simply cannot remediate everything, so demonstrating why certain risks were prioritized becomes increasingly important.

But other assumptions fail completely. A product can successfully pass certification today and become exploitable tomorrow without changing a single line of code. The environment changes around it. Offensive AI becomes more capable. Vulnerability discovery becomes cheaper. Exploitation becomes continuous.

The certificate remains exactly the same. Reality does not.

From static compliance to continuous conformity

The paper doesn't stop at diagnosis. It proposes a new model for cybersecurity conformity. Traditional cybersecurity certification assumes security can be evaluated at a specific point in time.

Cybersecurity AI changes faster than static certification can adapt. Instead of treating conformity as a one-time event, the paper proposes moving toward continuous, agent-operated conformity.

Rather than asking: "Was this product secure when it shipped?" the more relevant question becomes: "Is this product still secure against today's offensive AI?"

That requires defensive AI operating continuously alongside the product itself. The same technological shift accelerating attackers can also empower defenders.

Timeline comparing the evolution of the EU Cyber Resilience Act with the rapid advancement of Cybersecurity AI capabilities, showing how AI has outpaced the assumptions behind static cybersecurity compliance.

Why this matters now

This isn't a future scenario, it's already happening. Recent research across the cybersecurity industry shows that vulnerability discovery, exploit generation and offensive automation have accelerated dramatically over the last two years. This isn't a prediction about the future; it's already happening. And the paper highlights several indicators illustrating this shift:

  • vulnerability-to-exploitation windows collapsing toward zero.
  • offensive AI continuously discovering new attack paths.
  • traditional severity scoring becoming less predictive of real-world exploitation.
  • human-led compliance processes struggling to keep pace with machine-speed attackers.

By the time the CRA reaches full application in December 2027, it may be certifying products against a cybersecurity landscape that no longer exists.

"Obsolescence diagnosed in advance is a choice, not a fate.
Víctor Mayoral-Vilches, Founder & Chief Scientific Officer, Alias Robotics

From theory to practice

Unlike most discussions around cybersecurity regulation, this paper moves beyond theory. It demonstrates how continuous, agent-operated conformity can be implemented and validated on real-world systems.

Using the Robot Immune System (RIS), offensive AI attacks against two CRA-scoped robots were continuously detected, classified and contained before reaching privileged or safety-critical control.

Compared to undefended systems:

  • attacker success on the Unitree G1 humanoid dropped from 79% to 14%;
  • attacker success on the Hookii robotic lawn mower dropped from 75% to 8%;
  • intrusions were detected within seconds while both systems remained fully operational.

The same Cybersecurity AI capabilities accelerating attackers can also enable continuous, machine-speed defence. Rather than replacing the Cyber Resilience Act, the paper argues that they provide the missing capability needed to keep cybersecurity conformity continuously valid.

Comparison of offensive AI attack success on the Unitree G1 humanoid and Hookii robotic lawn mower before and after deploying the Robot Immune System (RIS), showing continuous AI-powered defence reducing successful attacks from 79% to 14% and from 75% to 8%.

The same capability that changes the economics of offensive cybersecurity is also what makes continuous, agent-operated defence possible.

Looking ahead

The Cyber Resilience Act remains one of Europe's most important cybersecurity initiatives. Our argument isn't that Europe should rethink its ambition, it's that the assumptions behind that ambition must evolve alongside the technology it is meant to regulate.

Cybersecurity AI has fundamentally changed the economics, speed and scale of vulnerability discovery and exploitation. Static certification was designed for a human-paced world. Cybersecurity AI operates continuously. Defensive conformity should too.

Europe still has time. But by December 2027 the question will no longer be whether Cybersecurity AI changes compliance. It already does. Obsolescence diagnosed in advance is a choice, not a fate. The opportunity is to act before today's conformity becomes tomorrow's ghost.


Read the research

Technologies behind this research

Research paper link
SCI PRO (Superintelligence Cybersecurity) link