>>ahuber+(OP)
This regulation is so shitty. I'm quite sure that it is supported by big actors in the end, because the end goal is to ensure there is a regulatory barrier that will prevent small actors from being able to thrive in the software field.
Also, to keep "dangerous" not-yet-professional amateurs from having a chance against big editors.
>>greatg+2b
Unless you sell critical products as described in Annex III[1], the requirements to fulfill the CRA are quite harmless. It's mostly stuff you should be doing anyway, like a risk assessment and documentation. An additional requirement is to provide a conformity assessment, which you can do yourself for non-critical software, and you must report vulnerabilities within 24 hours.