Daily analysis of AI liability, regulatory enforcement, and governance strategy for the C-Suite. Hosted by Shelton Hill, AI Governance & Litigation Preparedness Consultant. We bridge the gap between technical models and legal defense.
Innovation moves at the speed of code; liability moves at the speed of law. Welcome to the AI Governance Brief. We bridge the gap between technical models and legal defense. Here is your host, litigation preparedness consultant Keith Hill.
Six months ago I worked with a healthcare technology company that had everything CRA compliance requires on paper: executive sponsorship confirmed, steering committee formed, product inventory complete, SBOM tools selected, documentation templates created. Six months of planning, six months of meetings, six months of preparing to prepare. When I asked how many products had achieved conformity-ready status, the answer, unsurprisingly, was zero. They had mistaken planning for progress, and September 2026 was now six months closer.
This is the AI Governance Brief, and today we're finishing the CRA Countdown with Episode 7, the final episode in our CRA Countdown series. Over six episodes we've covered everything you need to know: the September 2026 deadline that matters more than the December 2027 deadline, product scope and classification, technical requirements and SBOM infrastructure, documentation that survives audit, governance structures that establish accountability, and sector-specific integration for healthcare and finance.

Knowledge isn't the problem; execution is. Today we'll confront the challenge that derails more compliance programs than any technical requirement: organizational change management. How do you move from planning to implementation? How do you sustain momentum when competing priorities demand attention? How do you transform compliance from a project with a deadline into an operational discipline that persists?

By the end of this episode you'll have a phased implementation roadmap, specific quick wins that demonstrate early progress, strategies for overcoming the resistance that stalls every organizational change, and the operational framework that makes compliance sustainable beyond December 2027.
Let me begin by describing the organizational failure mode I observe most frequently. CRA compliance requires change across multiple functions. Engineering must modify development pipelines. Product management must redefine support periods. IT security must accelerate vulnerability response. Legal must prepare conformity declarations. Quality must redesign testing processes. Documentation must build retention infrastructure. Each function faces its own change burden. Each function has competing priorities. Each function has limited capacity for new initiatives. When CRA compliance is added to every function's workload simultaneously, organizational capacity is overwhelmed.

CRA compliance isn't one change; it's a dozen simultaneous changes across functions that are already at capacity. That's not a compliance problem. That's a change management problem.

The result is paralysis. Functions acknowledge the requirement. They attend steering committee meetings. They agree that CRA is important. But when implementation requires displacing other work, competing priorities win. Feature development continues. Customer commitments are met. Revenue-generating activities proceed. But CRA implementation stalls.

This paralysis isn't resistance; it's rational resource allocation by functions optimizing for their primary objectives. Engineering's primary objective is shipping products. Product management's primary objective is market success. When CRA compliance competes with primary objectives for scarce resources, primary objectives win unless governance actively intervenes.

The organizations that achieve CRA compliance don't have more resources; they have better change management: phased implementation that does not overwhelm capacity, quick wins that build momentum, visible executive commitment that signals priority, and governance that resolves resource conflicts in compliance's favor when necessary.
Let me show you what effective change management looks like. CRA implementation should follow three phases aligned with regulatory milestones.

Phase 1 begins now. The objective is foundation building: governance establishment, product inventory completion, SBOM infrastructure deployment, and documentation system implementation. This phase creates the capabilities needed for September 2026 vulnerability reporting compliance.

Phase 2 runs from mid-2026 through September 2026. The objective is vulnerability reporting readiness: PSIRT operationalization, reporting workflow testing, and 24-hour response capability verification. This phase ensures September 2026 compliance.

Phase 3 runs from late 2026 through December 2027. The objective is full conformity: completing documentation for all products, conducting conformity assessments, preparing EU declarations of conformity, and achieving CE marking readiness. This phase ensures December 2027 compliance.
Let me detail what each phase requires.

Phase 1 deliverables. Governance: executive sponsor confirmed, CRA program owner appointed, steering committee operational, product compliance owners assigned, RACI matrix documented. Inventory: complete product inventory with classification, exemption analysis, documentation prioritization for implementation sequencing. Infrastructure: SBOM generation tools deployed, SBOM pipeline integration complete for priority products, documentation management system operational, retention infrastructure established. Phase 1 success metric: can you generate a compliant SBOM for your highest-priority product? If yes, Phase 1 infrastructure is functional.

Phase 2 deliverables. PSIRT: Product Security Incident Response Team established with defined roles and escalation paths. Workflows: vulnerability intake, assessment, remediation prioritization, and notification workflows documented and tested. Reporting: ENISA reporting templates prepared, communication channels established. 24-hour response: capability verified through tabletop exercise. Coverage: SBOM generation extended to all CRA-scope products. Phase 2 success metric: can you identify affected products, assess severity, and produce a regulatory notification within 24 hours of vulnerability disclosure? If yes, Phase 2 capability is operational.

Phase 3 deliverables. Documentation: technical documentation complete for all products per Annex 7 requirements. Testing: conformance testing complete with requirement traceability. Assessment: internal conformity assessment complete for default-category products; notified body assessment complete for important class 2 and critical products. Declarations: EU Declaration of Conformity prepared for each product. Market readiness: CE marking ready for December 2027 market requirements. Phase 3 success metric: can you produce a complete conformity evidence package for any product upon Market Surveillance Authority request? If yes, Phase 3 compliance is achieved.

Phase gates create accountability checkpoints. You either hit the milestone or you know you're behind. There's no ambiguity to hide behind.
Change management research consistently shows that early, visible progress sustains organizational commitment. Quick wins demonstrate that change is achievable, build confidence in leadership, and create positive momentum that carries through more difficult implementation phases. Here are specific quick wins for CRA implementation, sequenced for maximum impact.

Week 1 quick win: publish the executive sponsor announcement. A brief communication from the CEO or executive sponsor confirming CRA as an organizational priority, naming the program owner, and establishing the steering committee. This signals commitment without requiring functional change. It takes one hour to write and creates immediate organizational awareness.

Week 2 quick win: complete product inventory for one business unit. Don't attempt enterprise-wide inventory immediately. Complete inventory for one business unit or product line. Publish the results to the steering committee. This demonstrates that inventory is achievable and creates a template for remaining business units.

Week 3 quick win: generate first compliant SBOM. Select one product, preferably a newer product with modern build infrastructure, and generate a CRA-compliant SBOM with all seven required elements. Share the SBOM with the steering committee. This proves SBOM capability is achievable and reveals what pipeline modifications remaining products require.

Week 4 quick win: complete risk assessment for one product. Using the product that generated the SBOM, conduct a CRA-aligned risk assessment documenting threats, vulnerabilities, and treatment decisions. This creates a template for remaining products and demonstrates the assessment methodology.

Week 6 quick win: map existing controls to CRA requirements. For organizations with ISO 27001, NIST CSF, or equivalent frameworks, complete the control mapping I described in Episode 6. Publish the coverage percentage. This demonstrates that CRA compliance isn't starting from zero; existing investments provide foundation.

Week 8 quick win: complete documentation package for pilot product. For the product with SBOM and risk assessment, assemble a complete Annex 7 documentation package. This proves the documentation framework works and reveals gaps requiring process modification.

Week 12 quick win: conduct tabletop vulnerability exercise. Simulate a vulnerability disclosure affecting your pilot product. Walk through the response process: identification, assessment, remediation planning, and notification drafting. Time each step. Identify bottlenecks. This reveals operational gaps before September 2026, when gaps become non-compliance.

Quick wins aren't about perfect implementation; they're about proving implementation is possible and building the confidence to tackle harder challenges. The psychological impact of quick wins is substantial. Each win creates evidence that CRA compliance is achievable. Each win builds organizational confidence. Each win makes the next challenge seem smaller. Organizations that sequence quick wins strategically build momentum that carries through 18 months of implementation. Organizations that attempt comprehensive implementation without quick wins stall when early challenges create doubt.
Every organizational change encounters resistance. Understanding resistance patterns enables proactive management.

Resistance pattern 1: "we don't have time." This is the most common resistance, and it's often legitimate. Functions are at capacity. Adding CRA to existing workload without removing something creates impossible demands. The response isn't arguing that CRA is important; everyone agrees it's important. The response is resource reallocation: what work will be deprioritized to create CRA capacity? This requires executive sponsor intervention. When the executive sponsor explicitly authorizes deprioritizing specific initiatives to enable CRA implementation, "we don't have time" transforms into "we have time for this, not that." Another solution would be to bring me in and my team. I'm Keith Hill, and we can come in and make this faster and easier for you with less resource use. Resource conflicts aren't resolved by emphasizing importance; they're resolved by explicitly choosing what won't get done.

Resistance pattern 2: "this isn't my responsibility." Functions resist work they perceive is outside their scope. Engineering resists documentation. Legal resists technical assessment. Product management resists compliance administration. The response is the RACI matrix. Clear accountability eliminates ambiguity about who owns what and when. When the RACI matrix documents that engineering is responsible for technical documentation and the product compliance owner is accountable, "this isn't my responsibility" has a documented answer.

Resistance pattern 3: "we already do this." A function claims existing practices satisfy CRA requirements without rigorous verification. This is often partially true: existing practices address some requirements, but rarely completely true. The response is gap analysis with evidence. Show specifically which CRA requirements are satisfied by existing practices and which are not; we covered this in the last episode. When engineering claims "we already do secure development," respond with the specific SBOM elements their process doesn't capture. Evidence converts vague resistance into specific gap discussion.

Resistance pattern 4: "the deadline is far away." September 2026 and December 2027 feel distant. Urgency dissipates; other priorities seem more immediate. To this it's best to respond with phase gates with accountability. When Phase 1 deliverables are due in Q4 2025 and the executive sponsor reviews milestone achievements, distant deadlines become proximate accountability. Nobody wants to explain to the CEO why their function missed the published milestone.

Resistance pattern 5: "let's wait for regulatory clarity." Organizations defer implementation pending final guidance, harmonized standards, or regulatory FAQ publication. This sounds prudent, but it creates implementation delay. The response is risk-based implementation. CRA essential requirements are published. Annex 1 is not changing. Organizations can implement against known requirements while monitoring guidance evolution. Waiting for perfect clarity guarantees inadequate implementation time.
Let me quantify what delay costs.

Implementation timeline compression is expensive. Organizations that begin CRA implementation now have just a few months before 2026 vulnerability reporting obligations. These few months allow phased implementation with reasonable resource loading. Organizations that delay six months have much less time, requiring 30, 40, to 50% more implementation time to achieve the same outcome. Organizations that delay 12 months have no time, requiring simply impossible standards for achieving implementation on time, by even the December 2027 deadline. Faster implementation requires more resources applied simultaneously; resource cost increases nonlinearly with timeline compression. The organization that could achieve compliance with two additional headcount over 20 months might require five additional headcount over eight months and still face execution risk from compressed timelines. Think about it as when you buy airline tickets: the closer you buy to your point of departure, the more expensive those tickets become. Every month of delay doesn't cost you one month; it costs you the resource multiplication required to compress the remaining timeline.

Notified body capacity is constrained. Organizations with important class 2 or critical products require third-party conformity assessment. Notified body capacity is finite. Organizations engaging notified bodies early secure assessment slots. Organizations waiting will find preferred assessment bodies fully booked. The longer you wait, the harder it will be to find a third party to help you. Also, the longer you wait, if you do find a third party, it's going to cost you a lot more money. I'm already hearing from conformity assessment bodies that their 2026 calendars are filling. Organizations that haven't initiated notified body conversations will face limited options: either accepting less preferred assessment bodies, accepting delayed assessment timelines, or paying premium fees for expedited assessment. None of these outcomes is desirable.

Talent competition is intensifying. CRA compliance requires specific expertise: DevSecOps engineers who understand SBOM generation, compliance professionals who understand CRA requirements, technical writers who can produce regulatory documentation. This talent pool is finite. Organizations hiring now have access to available talent. Organizations hiring in 2026 will compete with every other organization that delayed, driving up compensation and reducing availability.

Market surveillance authority readiness is advancing. National market surveillance authorities are preparing for CRA enforcement. The German BSI, French ANSSI, and other national authorities have published CRA guidance and conducted pilot examinations. They will be ready to enforce when deadlines arrive. Organizations that assume enforcement will be delayed or lenient are assuming risk without evidence.
Implementation that begins strong often stalls mid-program. Sustaining momentum requires deliberate management attention.

Momentum killer 1: leadership attention shifts. Executive sponsors have many priorities. When CRA implementation proceeds smoothly, attention shifts to other challenges. When attention shifts, resource conflicts resolve against compliance. When resource conflicts resolve against compliance, implementation slows. When implementation slows, milestones slip. The countermeasure is structured executive engagement: monthly executive sponsor briefings, quarterly board updates, published milestone tracking visible to leadership. When CRA progress is regularly visible to executives, attention is sustained. When CRA progress is visible only when problems occur, attention dissipates between problems. Executive attention is a finite resource. If you're not deliberately consuming it for CRA, something else will consume it instead.

Momentum killer 2: mid-program fatigue. CRA implementation is an 18-month program. I'll say that again: CRA implementation is an 18-month program. This is why we have the deadline for September 2026. If you are waiting till 2027 to start putting together your program, you are already far too late to the game. Organizational energy peaks at launch and deadline. The middle months, months 6 through 14, are vulnerable to fatigue. Quick wins are exhausted, the deadline feels distant, enthusiasm wanes. The countermeasure is intermediate celebrations. Celebrate Phase 1 completion. Celebrate first successful SBOM generation. Celebrate pilot product documentation completion. Celebrate vulnerability tabletop exercise success. Create occasions for recognition that sustain energy through middle months.

Momentum killer 3: scope creep resistance. As implementation proceeds, additional products enter scope: acquisitions, new product launches, previously unidentified legacy products. Each addition increases workload without increasing resources. Teams resist scope additions that threaten existing commitments. The countermeasure is explicit scope management. New products require explicit resource allocation decisions. When an acquisition adds five products to CRA scope, the executive sponsor must authorize additional resources or accept timeline adjustment. Scope increases without resource increases create implementation failure.

Momentum killer 4: perfectionism paralysis. Teams delay delivering work that isn't perfect. Documentation drafts aren't shared because they're incomplete. SBOM processes aren't deployed because edge cases aren't resolved. Risk assessments aren't finalized because threat models could be more comprehensive. The countermeasure is iteration over perfection. Deploy incomplete SBOM generation and improve iteratively. Publish draft documentation and refine based on feedback. Conduct preliminary risk assessment and deepen as products approach conformity assessment. Perfect compliance evidence isn't required immediately; progress towards compliance evidence is.
Let me share evidence that structured change management achieves CRA compliance. In 2024 a consortium of German industrial manufacturers conducted a CRA implementation pilot. Twelve companies participated, ranging from midsize to large enterprises. The pilot tested phased implementation methodology with structured change management. Results after 12 months: companies following structured three-phase implementation achieved an average of 73% essential requirement coverage. Companies attempting ad hoc implementation achieved an average of 31% coverage. The structured approach achieved more than double the compliance progress with equivalent resources. Structure doesn't constrain progress; it enables progress. Organizations that implement without structure don't move faster; they move in circles.

The pilot identified specific success factors. First, executive sponsorship with regular engagement. Companies with monthly executive sponsor briefings achieved 22% higher milestone completion than companies with quarterly briefings. Attention frequency correlated with implementation velocity. Second, quick wins in the first 90 days. Companies that achieved three or more quick wins in the first 90 days maintained implementation momentum throughout the pilot. Companies with fewer than three quick wins experienced mid-program stalls requiring intervention. Third, explicit resource allocation. Companies that allocated dedicated CRA resources, even partial FTE allocation, achieved 40% higher compliance coverage than companies relying on existing staff absorbing additional workload. Dedicated resources enabled sustained focus that distributed responsibility couldn't achieve. Fourth, phase gate accountability. Companies with published phase gates and executive review achieved milestone dates within an average of two weeks' variance. Companies without phase gates experienced average variance of 11 weeks, nearly three months of slippage.

The pilot organizations are now well positioned for September 2026 compliance. Organizations that didn't participate in structured implementation are scrambling to compress 18 months of work into the remaining timeline.
CRA compliance isn't a project with an end date; it's an operational discipline that must persist throughout product life cycles. December 2027 is when products must demonstrate conformity for market placement, but CRA obligations continue throughout the support period, minimum 5 years. Vulnerability handling, security updates, documentation maintenance must continue for every product, every year, until support period expiration. December 2027 isn't the finish line; it's the starting line for operational compliance that continues for years.

This means CRA compliance cannot remain a program with dedicated temporary resources. It must become embedded in operational processes that persist after the program concludes.

SBOM generation must be a permanent pipeline capability, not a one-time implementation. Every product, every release, every build must generate compliant SBOMs automatically. This is achieved through pipeline integration that makes SBOM generation as routine as compilation.

Vulnerability monitoring must be continuous, not periodic. New vulnerabilities are disclosed daily; correlation to your product portfolio must happen daily. This is achieved through automated vulnerability feeds correlated against your SBOM repository.

Documentation must be maintained as products evolve. Feature additions require risk assessment updates. Design changes require documentation updates. Security patches require vulnerability handling records. This is achieved through documentation workflows integrated with development processes.

Conformity must be reassessed when products change materially. Significant modifications may require new conformity assessment. This is achieved through change management processes that evaluate CRA impact of proposed modifications.

The transition from implementation program to operational discipline should begin in Phase 3. As conformity is achieved for each product, operational processes should absorb ongoing compliance activities. By December 2027 the CRA program owner role should transition from implementation leadership to operational oversight. Steering committee meetings should transition from implementation tracking to operational governance. Organizations that treat December 2027 as program conclusion will find themselves rebuilding compliance capabilities when ongoing obligations aren't met. Organizations that build operational discipline achieve sustainable compliance that is ongoing.
Let me close this series the way every episode has closed: with a specific 14-day action plan.

Days 1 through 3: commitment formalization. Obtain explicit executive sponsor commitment, not assumption, explicit commitment. Document the sponsor's role, engagement cadence, and the authority to resolve resource conflicts. Publish the commitment to all contributing functions. This converts implied priority to organizational mandate.

Days 4 through 6: resource identification. Identify who will do CRA implementation work. Name specific individuals, not functions. Clarify allocation: what percentage of their time is available for CRA? Identify gaps requiring additional resources. Present the resource plan to the executive sponsor for approval.

Days 7 through 9: quick win selection. From the quick wins I described, select three achievable in the next 90 days. Assign owners, set completion dates, publish commitments to the steering committee. Create accountability for early progress.

Days 10 through 12: Phase 1 milestones definition. Define specific Phase 1 deliverables with completion dates. Governance establishment complete by what date? Product inventory complete by what date? SBOM pilot complete by what date? Documentation systems operational by what date? Build the milestone schedule.

Days 13 and 14: kick-off communication. Prepare and distribute program kick-off communication to all contributors. Explain what CRA is, why it matters, what the organization will do, what each function's role is, and when key milestones must be achieved. Create organizational awareness that implementation has begun.

At the end of 14 days you'll have four deliverables documented: executive commitment with engagement cadence, named resource allocation with sponsor approval, selected quick wins with owners and dates, and Phase 1 milestone schedule. You'll also have organizational awareness that CRA implementation has formally launched. This is the beginning; 18 months of implementation follow. But beginning deliberately, with commitment, resources, quick wins, and milestones, that's what creates the foundation for sustained progress.
This is the final episode of CRA Countdown. Let me leave you with what matters most. The organizations that dominate EU markets in 2028 will be the ones that started preparing back in 2025. Not the ones with the best technology. Not the ones with the largest budget. The ones that started early.

September 11th, 2026 is the deadline that determines whether you can comply with December 11th, 2027. 24-hour vulnerability reporting requires infrastructure that takes 12 to 18 months to build. If you haven't started, you're already behind. Every month of delay increases implementation cost and execution risk.

CRA compliance touches every function that contributes to product creation and support. Without clear governance, accountability diffuses and compliance fails. Without change management, organizational capacity is overwhelmed and implementation stalls. Without operational discipline, compliance becomes a program that ends rather than a practice that persists.

Over seven episodes we've covered everything you need: deadlines, scope, technical requirements, documentation, governance, sector-specific integration, and change management. Knowledge isn't the barrier; execution is. The 14-day action plan in each episode provides a structured path from knowledge to action: Episode 1, product inventory; Episode 2, scope and classification; Episode 3, technical assessment; Episode 4, documentation evaluation; Episode 5, governance establishment; Episode 6, sector integration mapping; and Episode 7, change management launch. Execute these in sequence, starting now.

The executives who treat CRA as a 2027 problem will discover in 2026 that they've run out of time and runway. The executives who started in 2025 will achieve compliance, maintain market access, and watch competitors scramble.

I'm Keith Hill. I work with midsize healthcare and finance organizations to translate CRA requirements into actionable implementation: not selling tools, guiding transformation. If your organization sells products with digital elements into EU markets and you haven't started CRA preparation, the time is now. The penalty for non-compliance is market exclusion: no CE marking means no EU market. The penalty for delay is compressed timelines, premium cost, and execution risk. The cost of inaction is watching competitors own the market you could have dominated. Start today. The countdown has begun.

This is Keith Hill with the AI Governance Brief, always anxious to hear from you. Feel free to put some ideas down in the comments. Let me know what you think. Let me know if you need help. Until then, this is Keith. Have a wonderful day.

That's the brief for today. Remember: if you can't explain your governance to a jury in plain English, you don't have governance; you have exposure. Don't wait for the deposition. Book a First Witness stress test for your compliance team at verbal alchemist at Gmail dot com. This is Keith, and I'll see you tomorrow.
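The continuous vulnerability monitoring the episode describes (automated advisory feeds correlated daily against an SBOM repository, with the 24-hour notification clock that Phase 2 readiness is measured by) is illustrated by the following added Python example. It is not code from the podcast or its host. The SBOM entries, the advisory identifiers (placeholders, not real CVEs), the version ranges and the disclosure timestamps are all constructed for the example, and the version comparator is a deliberately simple one that a production pipeline would replace with an ecosystem-aware comparator.

```python
"""Daily correlation of a vulnerability feed against an SBOM repository.

Added example with constructed data; not any vendor's feed or SBOM format.
"""
from datetime import datetime, timedelta

# Constructed SBOM repository: product name -> list of (package, version).
# Package names are PURL-style identifiers (assumption: one name per ecosystem).
SBOM_REPOSITORY = {
    "patient-portal": [
        ("pkg:npm/lodash", "4.17.15"),
        ("pkg:npm/express", "4.18.2"),
    ],
    "claims-gateway": [
        ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.14.1"),
        ("pkg:npm/lodash", "4.17.21"),
    ],
    "bedside-monitor-fw": [
        ("pkg:generic/openssl", "1.1.1k"),
    ],
}

# Constructed advisory feed (placeholder identifiers, not real CVEs).
# "introduced" is inclusive and "fixed" is exclusive, as in OSV-style ranges.
VULNERABILITY_FEED = [
    {"id": "ADV-PLACEHOLDER-001", "package": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "HIGH",
     "disclosed": "2026-03-02T09:15:00+00:00"},
    {"id": "ADV-PLACEHOLDER-002",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1", "severity": "CRITICAL",
     "disclosed": "2026-03-02T22:40:00+00:00"},
    {"id": "ADV-PLACEHOLDER-003", "package": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "severity": "HIGH",
     "disclosed": "2026-03-01T12:00:00+00:00"},
]

# The 24-hour window the episode describes for the Phase 2 success metric.
REPORTING_WINDOW = timedelta(hours=24)


def version_key(version):
    """Split a dotted version into a comparable tuple.

    Numeric parts compare as integers, trailing letters (1.1.1k) as strings.
    Assumption: simple dotted versions only; a real pipeline should use a
    semver/ecosystem-aware comparator instead of this helper.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        rest = piece[len(digits):]
        parts.append((int(digits) if digits else 0, rest))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def correlate(sbom_repository, feed, window=REPORTING_WINDOW):
    """Return one finding per (product, component, advisory) match.

    Each finding carries the notification deadline: disclosure time plus the
    reporting window, so the PSIRT queue is ordered by what is due first.
    """
    findings = []
    for advisory in feed:
        disclosed = datetime.fromisoformat(advisory["disclosed"])
        for product, components in sbom_repository.items():
            for package, version in components:
                if package != advisory["package"]:
                    continue
                if not is_affected(version, advisory["introduced"], advisory["fixed"]):
                    continue
                findings.append({
                    "product": product,
                    "component": f"{package}@{version}",
                    "advisory": advisory["id"],
                    "severity": advisory["severity"],
                    "notify_by": (disclosed + window).isoformat(),
                })
    # Earliest notification deadline first.
    findings.sort(key=lambda f: f["notify_by"])
    return findings


def affected_products(findings):
    """Distinct products needing a notification decision, sorted by name."""
    return sorted({f["product"] for f in findings})


if __name__ == "__main__":
    for finding in correlate(SBOM_REPOSITORY, VULNERABILITY_FEED):
        print(f"{finding['notify_by']}  {finding['severity']:8}  "
              f"{finding['product']:20}  {finding['component']}  {finding['advisory']}")
```

Run as a script it lists the two constructed matches (the lodash build in patient-portal and the log4j-core build in claims-gateway) with their notification deadlines; the lodash build in claims-gateway is already at the fixed version and the firmware's OpenSSL 1.1.1k is outside the 3.0.x range, so neither is reported. The point of the exercise is that the product-to-advisory mapping, and therefore the answer to "which products are affected, and by when must we notify," comes out of the SBOM repository mechanically rather than from someone remembering what each product ships.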