For compliance with regulations such as the EU Cyber Resilience Act, organizations must demonstrate that their cybersecurity measures are risk-based, formally governed, and kept up to date throughout the product lifecycle.
AppSec goals define the overarching security outcomes the organization intends to achieve, while objectives translate these goals into concrete, measurable, and time-bound activities.
To support CRA compliance, AppSec goals and objectives should:
– be derived from documented cybersecurity risk assessments (Article 13(2))
– reflect management’s tolerance for cybersecurity risk
– be formally approved or endorsed by executive leadership
– be reviewed and updated when relevant regulatory developments occur (e.g., entry into force of the CRA or new reporting obligations)
– guide prioritisation of AppSec activities across development, release, and maintenance
Having defined goals and objectives that are not periodically reviewed or updated to reflect regulatory and risk changes may not be sufficient to demonstrate compliance with CRA requirements.

An AppSec policy defines the organization’s intent and expectations for managing application security and is implemented through supporting standards, processes, and procedures. Under the EU Cyber Resilience Act (CRA), manufacturers are required to establish policies and procedures to ensure compliance with essential cybersecurity requirements throughout the product lifecycle (Article 13(1), Article 6, Annex I).
In this context, AppSec policies and standards provide the foundation for consistent and repeatable implementation of secure development, vulnerability handling, and update practices. They also serve as key evidence to demonstrate compliance during conformity assessments or market surveillance activities (Annex VII). Policies should therefore be documented, communicated across the organization, and reviewed periodically to remain aligned with evolving risks and regulatory requirements.

The EU Cyber Resilience Act (CRA) requires manufacturers to perform cybersecurity risk assessments and to take the results into account throughout the product lifecycle (Article 13(2)). Risk assessment is therefore a foundational activity for determining appropriate security measures and prioritising AppSec efforts.
In this context, risk assessments should be documented, repeatable, and applied consistently across applications or products in scope. The results should directly influence security testing strategies, remediation priorities, and resource allocation, providing demonstrable evidence of risk-based decision-making aligned with CRA expectations.

Strategic Key Performance Indicators (KPIs) are measurable indicators that show how effectively the AppSec program is managing cybersecurity risk and achieving its objectives. Under the EU Cyber Resilience Act (CRA), manufacturers are required to implement policies and procedures and to manage cybersecurity risks throughout the product lifecycle (Articles 6 and 13).
In this context, strategic AppSec KPIs provide evidence that these policies and procedures are operating effectively in practice. KPIs help demonstrate that cybersecurity risk assessments are taken into account on an ongoing basis (Article 13(2)) and that compliance-relevant activities – such as vulnerability handling and reporting readiness – are monitored and controlled (Article 14).
Strategic AppSec KPIs should therefore be derived from risk-based goals and objectives, enable management oversight, and be tracked and reviewed on a regular basis. Without defined and monitored KPIs, it is difficult to demonstrate effective and sustained compliance with CRA requirements across the product lifecycle.

The CRA requires cybersecurity risks to be assessed and taken into account throughout the product lifecycle, including at an organisational level (Article 13(2)). This requires more than individual findings; it requires aggregated, risk-based visibility across applications and products.
In this context, aggregating security findings into application- and portfolio-level risk views enables management to prioritise remediation, allocate resources, and demonstrate informed oversight of cybersecurity risk. Such visibility supports proportional, risk-based decision-making aligned with CRA expectations and provides defensible evidence during audits or market surveillance.

An application inventory provides visibility into the applications developed and maintained by the organization and forms the basis for risk-based AppSec decision-making. Under the EU Cyber Resilience Act (CRA), manufacturers must assess cybersecurity risks and ensure that security measures are appropriate in relation to those risks throughout the product lifecycle (Article 13(2), Article 6, Annex I).
In addition, the CRA introduces different categories of products with digital elements, including critical products and important (class I/II) products (Article 8, Annex III). A documented application inventory with risk ratings supports the consistent identification and justification of whether applications or products may fall into these categories, and enables proportionate prioritisation of AppSec activities. An up-to-date inventory with risk ratings also serves as key evidence for conformity assessment and market surveillance (Annex VII).

Under the EU Cyber Resilience Act (CRA), manufacturers must ensure that identified vulnerabilities are addressed without undue delay and handled systematically throughout the product lifecycle (Article 6, Annex I; Article 13). Detecting vulnerabilities without consistent remediation and closure is not sufficient.
In this context, a defined vulnerability handling process should ensure that security testing results are reviewed, assigned ownership, prioritised based on risk, remediated within defined timelines, verified, and formally closed. Automation and enforcement mechanisms (e.g., release gating, “breaking builds”, or escalation) support consistent execution and reduce exposure to reportable vulnerabilities and incidents (Article 14).

Automated application security testing tools support the systematic identification of vulnerabilities and weaknesses in software. Under the EU Cyber Resilience Act (CRA), manufacturers are required to implement measures to prevent, identify, and handle vulnerabilities throughout the product lifecycle (Article 6, Annex I; Article 13).
In this context, the selection and use of appropriate types of security testing tools – such as static analysis (SAST), software composition analysis (SCA), or infrastructure-as-code (IaC) security – should be driven by application risk and security objectives. The use of automated tools enables consistent application of AppSec policies and provides input for risk-based prioritisation and remediation activities aligned with CRA expectations.

The extent to which automated application security testing is applied across the application portfolio is a key indicator of how systematically AppSec practices are implemented. Under the EU Cyber Resilience Act (CRA), manufacturers are expected to apply cybersecurity measures throughout the product lifecycle and in a manner proportionate to risk (Article 6, Annex I; Article 13).
In this context, automated security testing should be deployed consistently across applications in scope, with coverage levels informed by application risk ratings. Broad and risk-based adoption of testing tools with clearly documented governing rules supports demonstrable CRA compliance and reduces reliance on ad-hoc or selective security activities.

Automated triggering of application security scans helps ensure that security checks are applied consistently and predictably across the software development lifecycle. Under the EU Cyber Resilience Act (CRA), manufacturers are expected to implement cybersecurity measures throughout the product lifecycle and to operationalise policies and procedures in a repeatable manner (Article 6, Annex I; Article 13).
Integrating security scans into development workflows – such as source control, CI/CD pipelines, or scheduled lifecycle scans – supports systematic identification of vulnerabilities and enables risk-based enforcement of AppSec requirements. Automation reduces reliance on manual execution and provides stronger evidence of sustained CRA-aligned practices over time.

The deployment model and architecture of application security testing infrastructure determine whether security testing can be performed reliably, at scale, and in compliance with organizational and regulatory constraints. Under the EU Cyber Resilience Act (CRA), manufacturers are expected to implement cybersecurity measures that are sustainable across the product lifecycle and proportionate to risk (Article 6, Annex I; Article 13).
In this context, planning and operating suitable security testing infrastructure – including deployment model, architecture, scalability, data handling, and availability – supports consistent execution of AppSec policies and enables demonstrable, CRA-aligned security testing practices over time.

Planning is essential to ensure that AppSec practices are implemented consistently and sustained over time. Under the EU Cyber Resilience Act (CRA), manufacturers are expected to apply cybersecurity measures throughout the product lifecycle and to support these measures with effective policies, procedures, and organisational capability (Article 6, Annex I; Article 13).
In this context, roll-out, adoption, and resource plans define how AppSec practices transition into a business-as-usual state, scale across applications in scope, and are supported with sufficient capacity and clearly defined roles and responsibilities. Effective planning reduces reliance on ad-hoc execution and supports demonstrable, CRA-aligned implementation.

An AppSec enablement and communication plan defines how AppSec requirements, expectations, and practices are communicated to relevant stakeholders and how they are supported through guidance and training. Under the EU Cyber Resilience Act (CRA), manufacturers must ensure that policies and procedures supporting essential cybersecurity requirements are effectively implemented across the organisaion and throughout the product lifecycle (Article 13(1), Article 6, Annex I).
In addition, the CRA explicitly recognises the importance of cybersecurity skills and awareness as a foundation for a cyber-resilient digital environment (Article 10). In this context, education and guidance help ensure that developers, AppSec practitioners, operators, and program owners understand application-level risks, vulnerability handling expectations, and reporting obligations (Article 14). A defined and maintained strategy supports consistent application of AppSec practices and demonstrable CRA compliance over time.