The EU Cyber Resilience Act Hits WordPress in September: What Plugin Developers Need to Know
If you develop or sell a WordPress plugin or theme to anyone in the EU, there’s a compliance deadline heading your way. The EU Cyber Resilience Act (CRA) begins enforcing vulnerability reporting obligations in September 2026, with full compliance required by December 2027. The penalties are not symbolic: up to €15 million or 2.5% of global annual turnover.
What Happened
The CRA was adopted by the European Parliament in March 2024 and approved by the Council in October 2024. It applies to all “products with digital elements” sold or distributed in the EU — and that includes WordPress plugins and themes. The law doesn’t care where you’re based. If your plugin is used in the EU (and if it’s on wordpress.org, it almost certainly is), you’re in scope.
Starting September 11, 2026, plugin developers must have:
- A documented vulnerability reporting process with a designated security contact
- The ability to respond to critical vulnerability reports within 24–72 hours
- Security fixes clearly labeled and separated from feature releases
- Dependency monitoring to catch vulnerabilities in third-party libraries
- A Software Bill of Materials (SBOM) documenting all components
By December 2027, full compliance kicks in — including CE marking requirements (yes, like on electronics), security-by-design documentation, and formal audit trails for all vulnerability handling.
Why It Matters
This is the first regulation that treats WordPress plugins like the critical software infrastructure they actually are. Consider the context: Patchstack’s 2026 security report found that 46% of WordPress vulnerabilities had no patch at the time of disclosure. The CRA is designed to make that unacceptable — at least for the EU market.
The challenge for the WordPress ecosystem is structural. Most plugin developers distribute through wordpress.org and have no way to identify which users are in the EU. A solo developer maintaining a free plugin with 50,000 installs faces the same legal requirements as a well-funded plugin company. As one analysis noted, this “requires changes at the ecosystem level: coordinated security flags, structured metadata in the plugin repository, and a shared understanding of who owns what responsibility.”
The penalty tiers are steep:
- €15M / 2.5% turnover: Failing essential security requirements
- €10M / 2% turnover: Documentation and reporting breaches
- €5M / 1% turnover: Providing false or misleading information
What You Should Do
Plugin and theme developers: Start now. Set up a security.txt file and a public vulnerability disclosure policy. Separate security patches from feature releases. Document your dependencies. If you sell a premium version, you are almost certainly classified as a “manufacturer” under the CRA. The Patchstack CRA checklist is a practical starting point.
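As an added example (not from the article or from Patchstack) of the "document your dependencies" and SBOM items above, the script below turns a plugin's Composer lock file into a minimal CycloneDX 1.5 JSON SBOM. It assumes the standard composer.lock layout ("packages" and "packages-dev" arrays with "name", "version" and "license" keys); the lock contents, plugin name and package versions are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed sample composer.lock content for a hypothetical plugin; not a real project.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.8.1", "license": ["MIT"]},
        {"name": "monolog/monolog", "version": "v3.5.0", "license": ["MIT"]},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0", "license": ["BSD-3-Clause"]},
    ],
})


def composer_lock_to_cyclonedx(lock_json, plugin_name, plugin_version, include_dev=False):
    """Build a minimal CycloneDX 1.5 SBOM (as a dict) from composer.lock contents.

    Each Composer package becomes a component with a package URL (purl) of the form
    pkg:composer/<vendor>/<name>@<version>; vulnerability scanners match advisories
    against that purl, so it is the field that makes the SBOM useful for monitoring.
    Dev-only packages are excluded by default because they do not ship to users.
    """
    lock = json.loads(lock_json)
    packages = list(lock.get("packages", []))
    if include_dev:
        packages += lock.get("packages-dev", [])
    components = []
    for pkg in packages:
        name = pkg["name"]
        # Lock files sometimes carry a leading "v" on versions; purls should not.
        version = pkg["version"].lstrip("v")
        component = {
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:composer/{name}@{version}",
        }
        if pkg.get("license"):
            component["licenses"] = [{"license": {"id": lic}} for lic in pkg["license"]]
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": plugin_name, "version": plugin_version},
        },
        "components": components,
    }


if __name__ == "__main__":
    print(json.dumps(composer_lock_to_cyclonedx(SAMPLE_COMPOSER_LOCK, "example-plugin", "1.2.0"), indent=2))
```

Regenerate the SBOM on every release build so the component list never drifts from what actually ships; the output can be fed to any CycloneDX-aware scanner to watch for advisories against the listed purls.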
Agencies and care-plan providers: You need to verify that the plugins you deploy meet CRA standards. Maintain documentation of your vulnerability handling and patch timelines. Treat security updates as compliance obligations, not routine maintenance.
Site owners: This will indirectly benefit you. Plugins that comply with the CRA will be better maintained, more transparent about security, and faster to patch. In the short term, some smaller plugins may be abandoned if developers decide compliance isn’t worth the effort.
Sources
Written by Marvin