Definition of Software Compliance in the EU Context

Introduction

Software compliance in the EU is no longer simply a matter of following a single set of rules. It has become a layered, intersecting set of obligations that apply to any organisation designing, developing, manufacturing, or placing software products on the European market — regardless of where that organisation is based.

What Software Compliance Means in the EU

At its core, EU software compliance means demonstrating that a product with digital elements meets the mandatory technical, security, and documentation requirements set out by applicable EU regulations before it is placed on the market — and maintaining that compliance throughout the product’s lifecycle.

The key phrase is "products with digital elements". The EU’s regulatory framework has progressively expanded its definition of what constitutes a regulated product to include software in almost all its forms: embedded firmware, standalone applications, software delivered as a service, AI systems, and connected hardware that processes or transmits data.

This matters because it means the compliance question is no longer just for hardware manufacturers. If your organisation writes software that is sold, licensed, or distributed in the EU — or integrated into a product that is — you are likely subject to at least one, and possibly several, EU regulatory frameworks.

The Core Frameworks

Three pieces of legislation define the current EU software compliance landscape:

The Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847

The CRA is the most significant piece of software-specific legislation the EU has produced. It establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU market. This includes requirements for security by design, vulnerability management, coordinated disclosure, and the provision of security updates throughout a product’s supported lifecycle. Non-compliance carries penalties of up to €15 million or 2.5% of global annual turnover. Full application begins December 2027, with vulnerability reporting obligations active from September 2026.

The Product Liability Directive (PLD) — Directive 2024/2853

The new PLD, which takes effect in December 2026, fundamentally changes how liability works for digital products. For the first time, software — whether embedded, standalone, or delivered as a service — is explicitly classified as a product under EU liability law. This means that if software causes damage through a security vulnerability or defect, the manufacturer faces strict liability. Crucially, companies cannot contractually exclude or limit their liability for software or cybersecurity defects.

The AI Act — Regulation (EU) 2024/1689

The AI Act introduces a risk-based classification system for AI systems. Prohibited practices have been enforceable since February 2025. Governance rules and obligations for general-purpose AI models became applicable in August 2025. For most operators, the Act becomes fully applicable in August 2026 — with high-risk AI systems subject to comprehensive technical documentation, conformity assessment, and registration requirements.

What Compliance Actually Requires

Across these frameworks, compliance consistently requires four things:

Technical documentation — a structured record demonstrating that the product was designed and developed with the applicable requirements in mind. This is not optional and must be maintained throughout the product lifecycle.

Conformity assessment — depending on product category, this ranges from self-assessment (permitted for default products under the CRA) to mandatory third-party assessment by an accredited Conformity Assessment Body (required for critical products and high-risk AI).

CE marking — the visible declaration that a product meets EU requirements and can be placed on the market. Under the CRA, CE marking becomes a requirement for products with digital elements from December 2027.

Ongoing obligations — compliance is not a one-time exercise. Manufacturers must monitor for vulnerabilities, issue security updates, and, from September 2026 onwards, report actively exploited vulnerabilities to ENISA and national CSIRTs within 24 hours of becoming aware of them.

Why This Matters Now

The window for preparation is shortening. Vulnerability reporting under the CRA begins in September 2026. The PLD takes effect in December 2026. The AI Act’s main provisions apply from August 2026. For any organisation that has not yet begun its compliance planning, the practical lead time — factoring in technical documentation, internal process changes, and any required third-party assessment — means starting immediately is not premature. It is necessary.

MVC exists to make this manageable. Our platform helps manufacturers track obligations, generate required documentation, and navigate the conformity assessment process — without the overhead of managing it all in spreadsheets.
