Security & Privacy

From Compliance to Code: the Cyber Resilience Act (CRA), SBOMs, DevTeams and YOU!

with Marcus Ross & Bjarne Valentin Rentz

Thursday 9 July 18:50 – 19:20 Airstream 1

About This Session

The EU Cyber Resilience Act (CRA) is reshaping how manufacturers and developers must secure their products. But what does it mean for your developer platforms, DevOps pipelines, and dev teams? In this session, we share a real-world implementation of Technical Guideline TR-03183 from the German Federal Office for Information Security (BSI) (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5) and demonstrate how to technically address CRA mandates without drowning in compliance overhead.

We start by answering: "Why should developer teams care about the CRA?" Then we dive into our stack of cdxgen, Dependency-Track, and Central Cyclone to show how we automated SBOM generation, vulnerability tracking, and compliance reporting, all with a real application from the port of Hamburg.

We dive into:

  • Why your dev teams should care about the CRA
  • How DevOps/SRE teams can shield developers from compliance friction with automation
  • Where the pain points lie (spoiler: team emotions and tooling gaps matter as much as the tech)
  • A technical blueprint you can adapt
  • A checklist for team readiness (because compliance isn't just about tools, it's about people)

You will leave with:

✅ An understanding of the CRA's impact on your Kubernetes/dev platform (and why ignoring it isn't an option).
✅ A production-ready workflow for SBOMs, vulnerability management, and compliance automation.
✅ Actionable insights on integrating CRA requirements and SBOM handling into your CI/CD pipelines.
✅ A clear "why this matters" for your org, and lessons from the trenches of securing critical infrastructure with Kubernetes.
✅ A checklist for team adoption, because compliance is a cultural challenge, not just a technical one.
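One concrete way to take compliance friction off developers, as the abstract describes, is a CI gate that inspects the SBOM cdxgen produced before it is uploaded to Dependency-Track, so an incomplete SBOM fails the pipeline with an actionable message rather than surfacing later in a compliance report. The following is an added example written for this page, not code from the speakers' stack: it checks a CycloneDX JSON document for SBOM-level creator and timestamp, per-component name, version, hash and licence, and a dependency graph whose references all resolve. The field list is a simplified assumption for illustration and must be verified against the current TR-03183-2 text; the sample SBOM is constructed inline and deliberately contains defects.

```python
"""CI gate: check a CycloneDX SBOM for the completeness an SBOM regulation
such as TR-03183-2 expects before it is pushed to Dependency-Track.

The required-field list below is a simplified assumption for illustration;
confirm it against the TR-03183-2 version you must comply with.
"""
import json
import sys
from typing import Any

# Constructed sample in the shape cdxgen emits, reduced to the fields the
# gate inspects. lib-b lacks a version and a hash, lib-a depends on a
# component that is not in the SBOM, and lib-b has no dependency entry.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-07-09T18:50:00Z",
        "authors": [{"name": "Platform Team", "email": "platform@example.invalid"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "port-app", "version": "1.4.2"},
    },
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@2.0.1", "type": "library",
         "name": "lib-a", "version": "2.0.1",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:maven/org.example/lib-b", "type": "library",
         "name": "lib-b",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/lib-a@2.0.1",
                                     "pkg:maven/org.example/lib-b"]},
        {"ref": "pkg:maven/org.example/lib-a@2.0.1",
         "dependsOn": ["pkg:maven/org.example/missing@1.0"]},
    ],
}


def check_sbom(sbom: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the gate passes."""
    findings: list[str] = []
    meta = sbom.get("metadata", {})

    # SBOM-level data: who produced it (with a contact) and when.
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not any(a.get("email") for a in meta.get("authors", [])):
        findings.append("metadata: missing SBOM creator with contact email")

    components = sbom.get("components", [])
    refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    root_ref = meta.get("component", {}).get("bom-ref")
    if root_ref:
        refs.add(root_ref)

    # Component-level data: identity, integrity and licence per component.
    for comp in components:
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("hashes"):
            findings.append(f"{label}: missing hash")
        if not comp.get("licenses"):
            findings.append(f"{label}: missing licence")

    # Dependency graph: every edge must point at a component in this SBOM,
    # and every component needs an entry so "no dependencies" is explicit.
    declared: set[str] = set()
    for dep in sbom.get("dependencies", []):
        src = dep.get("ref")
        declared.add(src)
        if src not in refs:
            findings.append(f"dependency graph: entry for unknown ref {src}")
        for target in dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency graph: {src} -> unknown ref {target}")
    for ref in sorted(refs - declared):
        findings.append(f"{ref}: no dependency entry (unknown vs. none is ambiguous)")

    return findings


def gate(sbom: dict[str, Any]) -> bool:
    """True when the SBOM may be uploaded, False when the pipeline should fail."""
    return not check_sbom(sbom)


if __name__ == "__main__":
    # Usage in a pipeline step: python sbom_gate.py bom.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for line in check_sbom(doc):
        print("FAIL:", line)
    sys.exit(0 if gate(doc) else 1)
```

Run without arguments it evaluates the constructed sample and exits non-zero with four findings; in a pipeline, point it at the file cdxgen wrote and place the step before the Dependency-Track upload so the project's dependency graph and vulnerability view are only ever fed complete SBOMs.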

Topics

  • Automation
  • Compliance
  • DevSecOps
  • People & Culture
  • SBOM
  • Software Architecture