Paper · 2026
Abstract. The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) makes a smart bet: it does not demand that products be free of vulnerabilities, a promise no software can keep, but only that manufacturers run a process — assess risk, handle flaws, ship updates. The bet pays off only while four things about the world stay true: P1 finding vulnerabilities is slow, skilled, human work; P2 a product's exploitable flaws are knowable the day it ships; P3 exploitation is rare enough to notice; and P4 fixes keep pace with discovery. Cybersecurity AI (CAI) agents — AI put to work finding and exploiting flaws in other products — falsify all four. Against the sheer volume of flaws agents surface the regime bends (P1), re-centring compliance on defensible, documented prioritisation; but agents also collapse the speed and economics of the vulnerability lifecycle, and here it breaks (P2, P3, P4): a product that passed every check becomes exploitable without anyone touching it, so its market-entry test, its reporting trigger, and its one-and-done certificate vouch for a security that has quietly expired. Because defenders and attackers wield the same AI, the only conformity that survives is one that never stops running. We carry the remedy from proposal to proof on two CRA-scope robots — a humanoid and a lawn mower — where an agentic defender holds a line their undefended selves cannot. Static, human-paced security is finished; what replaces it must be continuous and agent-operated.
The European Union's Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is the first horizontal law to impose mandatory cybersecurity requirements on products with digital elements placed on the Union market. It entered into force on 10 December 2024; its central vulnerability- and incident-reporting obligation (Article 14) applies from 11 September 2026, and the bulk of its substantive obligations from 11 December 2027 (Article 71). The design is deliberate, and, for the world it was drafted in, astute. Rather than demand that products be free of vulnerabilities, an outcome no non-trivial software can guarantee, the CRA requires that manufacturers run a process: assess and document cybersecurity risk, handle vulnerabilities across a declared support period, ship security updates, exercise supply-chain due diligence, and report vulnerabilities under active exploitation. The regime is process-oriented, not outcome-oriented.
This paper argues that this design has already been overtaken by the vulnerability ecosystem that generative AI and Cybersecurity AI (CAI) agents are now producing, and that the failure is present, not hypothetical. The point is sharp because the CRA's foundational assumptions were fixed at a specific moment: the Commission published the proposal on 15 September 2022, and OpenAI released ChatGPT on 30 November 2022. The CRA's model of how vulnerabilities are discovered, predominantly by human researchers and conventional scanners, was therefore set before the capability shift its obligations must now govern, its threat assumptions notarised barely ten weeks before the technology that would void them went public. Put plainly, the CRA switches on its central obligations in December 2027 calibrated to a threat model the field had already abandoned years earlier. We advance this as a European organisation working on Cybersecurity AI, and we advance it constructively: the CRA is not wrong so much as early to its own obsolescence, and our purpose in diagnosing that while there is still time to act is to help Europe avert a fate that is not yet sealed.
Two questions about AI and the CRA must be kept apart. The security of AI systems treated as products, whether prompt injection or goal hijacking fits the CRA's obligations, is a real question but not ours. Our subject is the second: AI agents used as instruments of security, CAI systems that discover, weaponise, and exploit vulnerabilities in other products, and how, by transforming the adversarial landscape, they invalidate the assumptions on which the CRA's process rests. Throughout, "agent" means an offensive or defensive security agent acting on the ecosystem, not an AI product being regulated. The distinction sharpens the claim: the CRA can be defeated without any AI system ever being the regulated product. We also write "automated" rather than "autonomous," because today's leading agents operate at partial autonomy with humans in the loop, and the remedy we propose is a human-CAI partnership, not a replacement of it.
A process-oriented regime does not certify that a product is secure; it certifies that a manufacturer ran a defined process. That certification is meaningful only if four background premises about the vulnerability lifecycle hold: P1, discovery is human-scarce; P2, a product's set of known exploitable vulnerabilities is knowable at market placement; P3, exploitation is a discrete, detectable event; and P4, remediation keeps pace with discovery. CAI agents stress all four, and the CRA responds in two opposite ways. Against the sheer volume agents surface, the regime bends: P1 is strained, and a risk-based process re-centres from "did you remediate everything?" toward "did you prioritise defensibly, and document it?" Against the collapse of the lifecycle's tempo and economics, the regime breaks: agents withdraw P2, P3, and P4, so a conformant product becomes exploitable with no change to it, and a point-in-time certificate attests to a posture that no longer holds. The mismatch is with the landscape, not the product, so no amount of process quality restores validity. This is not a plea for patience: the capability that voids these premises is deployed, measured, and cheap today, while the obligations that ignore it do not fully bind until December 2027, so a regulator or a manufacturer that treats the agentic shift as a future contingency is already behind it. The consequence runs straight through the paper: security has to move from a periodic, human-run process to a continuous, agent-operated one, and that is precisely the move a credible CRA now demands of itself.
We reconstruct the CRA's process orientation and its four load-bearing premises from the enacted text; map each mechanism to the CAI-agent dynamic that stresses it, with a verdict per provision; state six falsifiable predictions through 2028; propose an agent-native remedy, continuous and agent-operated conformity, grounded in the same AI-security research that documents the threat; and validate that remedy on two CRA-scope robots, a humanoid and a robotic lawn mower, where a CAI defender (the Robot Immune System) contains attacks that fully compromise the undefended, conformant systems. The analysis joins three literatures usually kept apart. Legal scholarship characterises the CRA as hybrid, self-assessment-default governance and dissects its reporting logic, contrasting the actively exploited trigger with the US known exploited construct, while a parallel critique argues the manufacturer-centric model fits open-source software poorly. A fast-growing empirical literature documents agents discovering and exploiting vulnerabilities, and operational CAI frameworks report large speed and cost advantages while showing the attacker edge is conditional. A third strand models the vulnerability lifecycle economically, from Akerlof's market for lemons to the disclosure-to-exploit window now measured collapsing toward zero. We read the first against the second and third. To our knowledge this premise-level bends-versus-breaks decomposition, tied provision-by-provision to the enacted text, is new. Every legal claim is anchored to an article or annex of the Regulation; every capability claim to a dated primary source.
We reconstruct the CRA's process orientation from three features of the enacted text, state the four premises that orientation silently assumes, and show that the interval between assumption and obligation is exactly the interval in which the vulnerability ecosystem inverted.
Three features make the CRA process-oriented rather than outcome-oriented. First, a thin, risk-conditioned property floor. Annex I, Part I lists product properties, but the operative ones are gated on a risk assessment. Even the strongest-sounding requirement, that products be "made available on the market without known exploitable vulnerabilities" (Annex I, Part I, (2)(a)), is expressly conditioned on the Article 13(2) risk assessment. It is a floor against known exploitable flaws at market placement, not a guarantee of security, and Article 3 fixes its scope: a vulnerability can be exploited by a cyber threat (Art. 3(40)), an exploitable vulnerability one an adversary could effectively use under practical conditions (Art. 3(41)). Second, substantive obligations are handling processes. Annex I, Part II reads as a process specification: identify and document vulnerabilities, produce an SBOM, "address and remediate vulnerabilities without delay," test regularly, disclose fixed flaws, run coordinated disclosure, and distribute updates securely. Article 13 frames the duty as performing and documenting a risk assessment "updated as appropriate during a support period" and exercising due diligence over third-party components. The verbs are process verbs (assess, document, handle, disclose, update), not outcome verbs. Third, reporting is triggered by exploitation, not existence. Article 14 requires notifying only an "actively exploited vulnerability," one for which there is reliable evidence a malicious actor has exploited it (Art. 3(42)), on a 24-hour, 72-hour, 14-day cadence through the ENISA platform. A newly discovered bug is generally not reportable. One further provision fixes scope: conformity is assessed once, against the product's state at placing (Article 32), and re-triggered only by a "substantial modification" of the product (Art. 3). Conformity is thus a point-in-time gate on a static artefact, placing the CRA much closer to continuous cyber-risk management than to a zero-defect mandate.
The conditional promise of a process-oriented regime, run the process and the product is acceptably secure, holds only where the environment behaves as the process assumes. Four premises carry the weight of the whole edifice, and they are nowhere stated in the Regulation, which is exactly the point: they are the load-bearing walls no one thought to draw on the blueprint, the tacit model of the world the drafters inhabited.
P1 — Discovery is human-scarce. Finding an exploitable vulnerability takes costly, skilled human effort, so what is found is a small, slowly growing subset of what is latent. Article 14's "report only what is actively exploited" and Annex I's "handle what you find" both assume the found set is manageable because discovery is expensive.
P2 — Posture is knowable at a point in time. A product's set of known exploitable vulnerabilities can be enumerated at placement, making the Annex I, Part I, (2)(a) condition and the Article 32 assessment meaningful as attestations. The premise is that "known" at time t approximates "knowable" shortly after t.
P3 — Exploitation is a discrete, detectable event. Active exploitation is rare and distinct enough that "reliable evidence" of it (Art. 3(42)) is an informative signal worth a 24/72-hour duty. The premise is that exploitation events are countable and separable from background noise.
P4 — Remediation keeps pace with discovery. The interval between a vulnerability becoming known and its being weaponised is long enough for "remediate without delay" to be a winnable race, so a support period of scheduled updates is an adequate control.
Cybersecurity AI (CAI) agents weaken P1 quantitatively (the regime bends) and falsify P2, P3, P4 environmentally (the regime breaks). A strained premise leaves the promise intact but harder to satisfy; a withdrawn premise voids it, because the certificate now attests to a state of the world the agent-transformed landscape no longer contains.
The assumption-formation window sets the CRA legislative track against the CAI agent-capability track. The events fall into three classes: general, published capability; the Alias Robotics CAI lineage used offensively, with the open-source CAI framework itself as the flagship; and the same lineage turned to defence, the empirical basis of the remedy (agentic defenders out-patching attackers, and a self-hostable on-premise defender containing a frontier attacker). A pre-ChatGPT interval marks where the CRA's assumptions were formed, and each offensive event undermines a premise (P1–P4). By the time Article 14 binds (September 2026) and the regime fully applies (December 2027), CAI agents had already exploited real one-day CVEs (April 2024), rediscovered latent flaws on demand (November 2024), discovered vulnerabilities at population scale and commodity cost (DARPA AIxCC, August 2025), and compromised CRA-scope consumer robots (March 2026).
The CRA's obligations bind late relative to the capability shift they must govern. The gap is not a projection but a measurement: every point on the lower track is a published, dated result, and the most recent, CAI agents compromising CRA-scope consumer products, predates the Regulation's own headline obligations. A full-text reading of the enacted Regulation confirms the blind spot. It mentions "artificial intelligence" only to cross-reference the AI Act, contains no occurrence of "machine learning," and nowhere treats AI as a capability of the adversary. For a cybersecurity statute finalised in 2024, that is a loud silence: the adversary's most consequential new recruit goes entirely unnamed. The point-in-time conformity it certifies is therefore blind to the one variable, adversary tooling, that the lower track is changing fastest.
The datable inflection points, restricted to agents acting as security instruments on other products, run from PentestGPT (2023) demonstrating LLM-guided testing (P1); through a single GPT-4 agent exploiting 87% of 15 real one-day CVEs from their descriptions, versus 0% for scanners and open models (April 2024), weakening P1 and near-eliminating the disclosure-to-weaponisation gap (P4); the open Cybersecurity AI framework ranking as the top AI team against humans in global CTFs at up to two orders of magnitude lower cost (2025); planner-plus-subagent teams reaching real zero-days; Google's Big Sleep rediscovering a latent memory-safety flaw in SQLite on demand (November 2024, P2); the DARPA AIxCC final identifying 86% of synthetic flaws and 18 real zero-days across 54 million lines of code at roughly $152 per task (August 2025); agent-emulated synthetic APTs collapsing TTP-based attribution (2026, P3); a CAI agent operationalised on a production humanoid robot (Unitree G1, September 2025, P2); and an open-source agent compromising three consumer robots, finding fleet-wide flaws and showing attacks once needing deep expertise can now be run "by anyone" (March 2026), which withdraws the specialised-attacker-scarcity premise (P1) for the exact product class the Regulation governs. Crucially, the same CAI lineage also produced the defensive results that ground the remedy: in controlled Attack/Defense evaluations agentic defenders out-patch attackers, and a self-hostable on-premise defender contains a frontier-class attacker. The scarce resource in vulnerability management has moved from finding flaws to deciding which matter (the bend), while the stability of a certified posture has evaporated (the break).
Cybersecurity AI (CAI) agents stress the CRA in two ways that call for opposite responses. Volume is the quantitative face: it strains P1 but leaves the process model's internal logic intact, so the regime bends. The collapse of the lifecycle's tempo and economics is the environmental face: it withdraws P2, P3, P4, so the regime breaks. This section separates the two, maps every load-bearing mechanism to the dynamic that stresses it, and states what each response predicts.
Abundance weakens P1 (discovery is human-scarce) without withdrawing it, and it is absorbable because the process model never assumed abundance would not occur, only that attention would be scarce, which abundance intensifies rather than negates. When security agents surface many candidate vulnerabilities, the triage queue expands: the 2026 Cloud Security Alliance synthesis frames automated exploit generation as having crossed from demonstration into operational tooling, and the pressure is on throughput, more candidates per unit time than any human process was provisioned for.
The honest evidence base is more sober than the headlines, and the conservative reading strengthens the argument. The widely cited 87% one-day result holds only when the agent is handed the CVE description; the same study reports 7% without it. On harder real-world benchmarks, the best frameworks resolve up to 13% on CVE-Bench and about 20% on CyberGym across 1,507 vulnerabilities. Yet even at that rate the same CyberGym run surfaced 34 previously unknown zero-days and 18 incomplete historical patches, and Meta's CyberSecEval 3 already benchmarks offence as a first-class model capability. Abundance does not require superhuman agents, only cheap and parallel ones: a tool that finds one real flaw in five, run continuously across a dependency graph, still overruns a human handling process.
Nothing in the CRA requires zero vulnerabilities or complete remediation; Article 14's exploitation trigger and Article 13's risk-based framing were built for a world in which not every flaw can be chased. Faced with more candidates, the process runs against a larger input without contradicting itself, and in practice compliance re-centres from remediation-completeness toward defensible prioritisation. That prioritisation is itself getting harder to do well: on the ENISA European Vulnerability Database, the predictors it would lean on lose discriminating power, with EPSS ranking and CVSS severity decoupling from real exploitation tempo. The questions an authority (Article 52) will turn on are already in the model: was exploitation actually occurring (Art. 3(42)), was the flaw reachable in the shipped configuration (Art. 13(2)), was an effective mitigation available, and was the prioritisation reasonable and documented (Annex I, Part II)? This mirrors the move mature safety engineering made long ago. The Article 14 trigger, the 24/72/14 cadence, coordinated disclosure, and the risk-based handling process all bend: strained but not contradicted. Two strains bear watching, and we treat them as predictions rather than breaks: the reporting cadence may prove too slow against machine-speed weaponisation, and coordinated disclosure weakens when a single technique generalises across a whole device family at once.
The second stressor is where deference to the CRA's craftsmanship has to stop. This is not a process overwhelmed with work; it is a process whose world has ceased to exist, so that a manufacturer can run it flawlessly, fund it fully, and pass every audit, and still ship a certificate that is false the week after it is signed. CAI agents force this by changing the tempo, economics, and symmetry of the lifecycle, withdrawing P2, P3, P4. When a premise is withdrawn the conformity the CRA issues does not become harder to earn; it becomes invalid, attesting to a posture the landscape no longer sustains.
Landscape validity. A point-in-time conformity attestation is landscape-valid if the posture it certifies at placement remains a good approximation of the product's posture over the period it is relied upon. A mechanism bends when validity is strained but recoverable through prioritisation; it breaks when the agent-transformed landscape withdraws the premise that made the attestation meaningful, so that re-running the process cannot restore it.
Certified-secure becomes trivially-exploitable, product unchanged (P2). Annex I, Part I, (2)(a) requires placement "without known exploitable vulnerabilities." "Known" is a point-in-time predicate presuming posture is stable shortly after placement. CAI discovery falsifies it: a latent flaw unknown at assessment can be rediscovered on demand the next week at order $100 per attempt. The product has not changed, nor its declared conformity, yet its real exploitable set has expanded because the environment's capacity to enumerate it has. The certificate attests to a property that is technically true and practically empty, because "known" has decoupled from "findable." It has not lied so much as answered, with great precision, a question the world has stopped asking, and the next assessment is only another snapshot against a moving environment.
Exploitation stops being a discrete signal (P3). Article 14 reports only actively-exploited vulnerabilities (Art. 3(42)), a design presuming exploitation is rare and detectable enough to be an informative trigger. When offensive tooling is automated and continuous, exploitation becomes background rather than event: "reliable evidence that a malicious actor has exploited" the flaw is either everywhere (every exposed product is probed continuously) or nowhere (agent-driven exploitation leaves a fainter human signature). Either way a duty keyed to a rare discrete event does not scale to a regime where the event is ambient.
"Remediate without delay" describes an unwinnable race (P4). Annex I, Part II(2) is a control only if the disclosure-to-weaponisation window exceeds the update cycle. That window was already closing before agents arrived, which is why the break is structural, not speculative. Aggregating 3,549 CVE-exploit pairs across ten sources, the median time-to-exploit fell from 771 days in 2018 to 68 in 2021, 5.3 in 2023, and zero in 2025, an exponential-decay fit at R² = 0.98 reaching a one-day median by 2028. Over the same span the share weaponised at or before disclosure rose from 19% to 54%, and within 24 hours from 19% to 58%; peer-reviewed open-source data corroborates the direction, as does industry telemetry showing exploitation now often preceding patch availability, and Europe's own registry reproduces it: the ENISA European Vulnerability Database shows the same collapse toward a near-zero median. The same capability that let an agent weaponise a one-day CVE from its description alone pushes this trend past the point where a scheduled-update model can keep pace. Against a weaponisation window now measured in hours, a scheduled patch cadence brings a calendar to a stopwatch's fight, and running the process better does not close a gap defined by the adversary's tempo, not the manufacturer's diligence.
Point-in-time conformity certifies a vanishing instant (P2–P4 jointly). These breaks share a root: Article 32 conformity is assessed once and re-triggered only by a "substantial modification" the manufacturer makes to the product (Art. 3). But the events that invalidate the attestation now originate in the environment: a new open-source offensive agent, a drop in the cost of discovery, a technique that generalises across a device family. None is a modification of any product, so none re-triggers assessment, yet each can move a whole population of conformant products from secure to exploitable overnight. The gate has no sensor for the variable that now dominates risk.
A bend leaves the conditional promise intact but costlier, and the CRA's own flexibility supplies the remedy. A break withdraws a premise, so that even a perfectly executed process issues a certificate that is false in the world the agents create. The economic stakes are clearest in the CE mark's function. Information-security markets are a textbook case of Akerlof's market for lemons: buyers cannot observe security, so absent a credible signal the market prices every product as insecure and investment collapses. The CRA's conformity regime supplies that missing signal, a legitimate and valuable goal. But a signal helps only while it correlates with quality. When agents withdraw P2–P4, the attestation is still issued on the same terms while the property it certifies evaporates, so the signal decouples from reality, and a decoupled safety signal is worse than none: it transfers risk to the buyers and integrators least able to see it while discharging the obligation on paper. A false mark carrying the authority of Union law is not a neutral failure but an active harm: it manufactures the very market-for-lemons assurance the CRA was enacted to abolish, now underwritten by the state. A market-for-lemons regime is meant to drive the bad cars off the lot; decoupled, this one staples a certificate of freshness to every lemon it was built to expose. Crucially, this is independent of whether the regulated product contains any AI at all. A conventional IP camera, firmware frozen and fully conformant, is moved from secure to exploitable by an offensive agent operating around it. That is why the problem cannot be delegated to the AI Act: the object that changed is not the product but the adversary, and the CRA has no mechanism that takes the adversary's evolving capability as an input.
A stress map makes the split concrete, mapping each load-bearing CRA mechanism to the CAI-agent dynamic that stresses it, the premise it depends on, and a verdict, ordered from most absorbable to structural break. Read as a verdict sheet the map is unflattering: the provisions that survive are the ones that merely help the process cope, while every mechanism that makes the certificate mean something, the market-entry condition, the actively-exploited trigger, and the point-in-time gate, is scored a break. The pattern is systematic: mechanisms resting only on P1 bend, because P1 is strained but not withdrawn; mechanisms resting on P2–P4 break, because agents remove a feature of the landscape (stable posture, rare exploitation, a winnable remediation race) that the mechanism silently relies on.
The verdicts run as follows (three categories: Bends, absorbable by re-interpreting existing obligations; Bends→Breaks, currently absorbable but with the premise eroding; and Breaks, premise withdrawn and a new construct required):
Risk-based, process-oriented handling (Art. 13(2)–(3); Annex I Pt II) — agents surface more candidates, so triage becomes the scarce resource, the design's home ground. Premise P1. Verdict: Bends.
24 h / 72 h / 14-day reporting cadence (Art. 14(2)) — machine-speed weaponisation compresses time-to-impact but events remain reportable. Premise P1. Verdict: Bends.
Coordinated vulnerability disclosure (Annex I Pt II(5)) — one agent-found technique generalises across a device family, so the per-product model strains. Premises P1, P2. Verdict: Bends→Breaks.
Report only actively-exploited vulnerabilities (Art. 14; 3(42)) — automated, continuous exploitation makes the "rare discrete event" trigger uninformative. Premise P3. Verdict: Breaks.
"No known exploitable vulnerabilities" at placing (Annex I Pt I, (2)(a)) — on-demand rediscovery decouples "known" from "findable"; certified-secure becomes exploitable, product unchanged. Premise P2. Verdict: Breaks.
Patch-based "remediate without delay" (Annex I Pt II(2)) — the disclosure-to-weaponisation window closes below the fleet update cycle. Premise P4. Verdict: Breaks.
Point-in-time conformity assessment (Art. 32; Annex I Pt I) — certifies a landscape snapshot, while the risk-dominant variable now lives in the environment. Premise P2. Verdict: Breaks.
Re-conformity on "substantial modification" (Art. 3; Art. 32) — invalidating events (a new offensive agent, cheaper discovery) are not product modifications, so no trigger fires. Premise P2. Verdict: Breaks.
Support-period lifecycle obligation (Art. 13(8); Art. 3) — support is keyed to product lifetime, not to adversary-capability growth that outpaces it. Premise P4. Verdict: Bends→Breaks.
The decomposition yields falsifiable expectations about how the regime behaves as its obligations bind. Agent-driven discovery throughput rises super-linearly while human triage stays roughly flat, so prioritisation partly tracks the load in the bends regime; but once agents withdraw P2–P4 the gap becomes a validity deficit in the certificate that no throughput gain can close. We expect the bends predictions (1–3) to be absorbed quietly through guidance and the breaks predictions (4–6) to force a visible institutional reckoning.
Prediction 1 (Real-world exploitation success keeps climbing). Real-world benchmarks (today roughly 13% on CVE-Bench, 20% on CyberGym) will report materially higher unaided real-CVE success before December 2027. Falsifier: success flat or declining through 2027.
Prediction 2 (Prioritisation becomes the compliance object). CRA enforcement and guidance will, before full application, relocate the compliance object from remediation-completeness to documented, evidence-based prioritisation. Falsifier: guidance that keeps measuring conformity by patch counts with no prioritisation standard.
Prediction 3 (The reporting cadence is contested). The 24/72-hour windows (Art. 14(2)) will be argued mismatched to machine-speed exploitation, prompting proposals for machine-readable or partially automated reporting. Falsifier: the cadence operates through 2028 with no documented adequacy challenge.
Prediction 4 (The actively-exploited trigger loses discriminating power). As automated probing becomes ambient, "reliable evidence of active exploitation" (Art. 3(42)) will either over- or under-trigger, prompting official reinterpretation. Falsifier: the trigger operates through 2028 with a stable, workable standard.
Prediction 5 (Conformity is challenged as landscape-stale). The value of a point-in-time attestation (Annex I, Part I, (2)(a); Art. 32) will be publicly contested once a conformant product population is compromised by an offensive agent without any product modification. Falsifier: point-in-time conformity is treated as adequate through the first CRA review despite documented agent-driven mass exploitation.
Prediction 6 (An environment-facing construct is proposed). Because automated offensive capability is not a product property and fires no "substantial modification" trigger, an EU-level output will propose a mechanism that takes evolving adversary capability as an input to conformity or support. Falsifier: all official instruments through 2028 keep conformity a purely product-internal, point-in-time judgement.
The bends predictions concern recalibrating functioning mechanisms and can be met by guidance; the breaks predictions concern the certificate's validity and cannot be met without a construct that references the environment. If they are borne out through informal stretching of existing text rather than new instruments, that is itself evidence of the structural mismatch we argue.
If Cybersecurity AI (CAI) agents are what break the CRA, they are also, and this is the paper's one constructive claim, the only material from which a repair can be built. The same capability that kicks the door in is the only thing quick enough to hold it shut. The move is neither optional nor incremental: stop treating the defender as a human running a periodic process, and start treating conformity itself as an agent-operated, continuously re-established property.
Why a defensive remedy is possible. The pessimistic reading is that attackers now hold an unassailable advantage; the controlled evidence contradicts it. Across 23 Attack/Defense battlegrounds, CAI defensive agents led, patching 54.3% of vulnerabilities against 28.3% offensive initial access (p=0.0193), and once defence is held to operational criteria (maintaining availability, preventing every intrusion) the gap becomes statistically insignificant (p>0.05): an equilibrium, not an attacker runaway. Deployment evidence sharpens the point. LLM-driven defender agents that harden, monitor, and respond in real time cut attacker success to 0–55% with complete prevention on several configurations, and, decisively for the small manufacturers the CRA also governs, a self-hostable on-premise model (alias2-mini) matched a frontier model's defensive outcomes and detected the attacker ten times faster on a complex scenario. The structural observation is that attacker and defender draw on the same capability, so defensive capability tracks offensive capability as the frontier advances. That is exactly the property P4 needs and a human-paced process cannot supply: the remedy is not to slow the adversary but to let the defender operate at the adversary's tempo.
From a point-in-time gate to a maintained posture. This reframes what a certificate attests. Today the CRA certifies that a manufacturer ran a process and that, at the instant of assessment, the product carried no known exploitable vulnerabilities (Annex I, Part I, (2)(a); Art. 32). The agent-native alternative certifies that a product is enrolled in a continuous defensive process: a CAI agent that re-probes it against current offensive capability, re-derives its exploitable set on the cadence at which that set actually changes, and feeds remediation at machine speed. Conformity becomes a live subscription rather than a snapshot, attesting not "secure on 11 December 2027" but "under continuous, capability-current defence," the only claim that stays true in a landscape the adversary keeps moving. Each of the three structural breaks maps onto a construct the research already prototypes: the stale-certificate break (P2) onto continuous conformity, the lost-trigger break (P3) onto agent-mediated detection and reporting, and the unwinnable-race break (P4) onto agent-speed remediation.
The bends/breaks split dictates the remedy. Bends are fixable inside the current text; breaks need new constructs, because a withdrawn premise cannot be restored by running the existing process better.
For the bends (guidance-level, near-term). First, codify prioritisation as the compliance object. ENISA guidance (Article 26) should state that, under agent-driven abundance, conformity is demonstrated by evidence-based prioritisation, reachability analysis, and documented risk acceptance, not by patch counts. Second, recalibrate the reporting cadence. Assess whether the 24/72-hour windows (Art. 14(2)) survive machine-paced weaponisation, and whether machine-readable, partially automated reporting is needed to keep the trigger meaningful. Third, recognise automated defensive tooling. Since the same capability defends as well as attacks, guidance should treat continuous, agent-assisted handling as a legitimate way to satisfy the Annex I, Part II obligations at machine tempo.
For the breaks (structural, require rule development). The unifying diagnosis is that the CRA has no variable for the adversary; each construct below adds it. First, make conformity continuous. Supplement the Article 32 gate with a monitoring-based or periodically-revalidated component, so a certificate expresses a maintained posture rather than a snapshot. Second, introduce an adversary-capability baseline. Assess "without known exploitable vulnerabilities" against a stated, periodically updated model of offensive capability, not only against what a manufacturer happened to know at placement. Third, add environment-triggered re-assessment, and index support to capability. Extend the events that re-open conformity beyond "substantial modification" to material shifts in the threat environment, and tie support obligations to the adversary's trajectory rather than to a fixed period.
Honest caveats. Three cautions bound the claim. Autonomy is graded, not binary: current defenders operate with humans in the loop (Levels 3–4 of the robot cybersecurity autonomy scale), so "continuous conformity" means human-supervised agent operation, not unattended trust. An agentic defender is itself attack surface, importing an assurance problem the security of AI systems literature (outside our scope) must answer. And mandating continuous defence has a distributional cost, though the on-premise result above suggests a modest, self-hostable model can supply competent defence, the affordability a proportionate obligation would need. These are reasons to design the construct carefully, not reasons the point-in-time certificate can stand. Two open questions remain: whether "actively exploited" stays meaningful once exploitation is ambient, and whether a product-internal, process-oriented regime is the right instrument at all for a risk whose dominant driver is an external, fast-moving adversary capability, or whether that risk requires regulating the ecosystem rather than the product. The choice the first review faces is not between a perfect old regime and a risky new one; it is between certifying a landscape that has demonstrably vanished and building conformity that moves.
Robots make the argument concrete and raise its stakes. A robot with digital elements is a canonical CRA-scope product, but it fuses the security lifecycle with a safety one: a certificate that slips from secure to exploitable no longer merely mis-states a data risk; it licenses a physical one, a paperwork failure that can cause bodily harm, on a machine fielded for years, updated rarely, and often within the adversary's physical reach. Each break bites harder here. On-demand rediscovery (P2) meets fleets of long-lived embedded devices that cannot be re-flashed on the cadence the landscape now moves at; the closing disclosure-to-weaponisation window (P4) meets update cycles paced by safety re-certification rather than continuous integration; and ambient exploitation (P3) erodes the already-thin line between a safety incident and a security one. This is not hypothetical: the CAI agents this paper relies on have compromised consumer robots and a production humanoid, showing that attacks once demanding deep robotics-internals expertise "can now be run by anyone." The agent-native remedy is, fittingly, most natural here: a defensive CAI agent that continuously re-probes a robot or a fleet against current offensive capability is nearer to operational practice than to regulatory aspiration, and robotics, where product security and physical safety converge, is exactly where conformity most needs to move.
The remedy is not only argued; it is demonstrated. Two CRA-scope robots were evaluated with an offensive CAI agent, first undefended, then enrolled in the Robot Immune System (RIS), a robotics endpoint-protection platform whose current build pairs a classical defence-in-depth stack (adaptive firewall, hardening, forensic logging) with a continuously running agentic CAI defender. Undefended, both robots fall exactly as the offensive literature predicts. On a Unitree G1 humanoid the agent turns a BLE command-injection flaw, opened by hardcoded AES keys shared across the entire fleet, into root, decrypts the static-key telemetry the robot beacons every 300 seconds, and reaches teleoperation; on a Hookii robotic lawn mower it walks 38 AI-discovered vulnerabilities into a safety-and-geofence override exposed across a fleet of 267+ devices. Enrol the same robots in RIS and the same agent is contained: attacker success collapses from 79% to 14% on the humanoid and from 75% to 8% on the mower, no run reaches privileged or safety-critical control, the agentic defender flags the intrusion within seconds and runs a detect–classify–block–contain loop that closes inside the attacker's window, and the machine keeps operating, all at sub-100-microsecond inspection latency on an on-premise, self-hostable footprint a small manufacturer can actually afford. This is the paper's thesis rendered in hardware: the point-in-time certificate either robot could have carried says nothing about the week after it is signed, whereas a defender moving at the adversary's tempo keeps the posture true as the landscape shifts under it. The remedy reads less as regulatory aspiration than as a running system, and it earns its keep first exactly where a stale certificate stops being a data problem and becomes a physical one.
The two-robot comparison reads side by side. On the Unitree G1 humanoid, the undefended attack reached root via BLE command injection using fleet-wide hardcoded AES, decrypted the static-key telemetry, and reached teleoperation; enrolled in RIS, attacker success fell from 79% to 14%, privileged control was blocked (no root, no teleoperation), the intrusion was flagged in under 8 seconds, and the robot stayed operational. On the Hookii lawn mower, the undefended attack chained 38 AI-discovered vulnerabilities into a safety/geofence override with a fleet reach of 267+ devices; enrolled in RIS, attacker success fell from 75% to 8%, the safety and geofence override was blocked, the intrusion was flagged in under 12 seconds, and the mower halted safely. Attacker success is the share of attack objectives the agent completes; attack-surface findings are drawn from the cited studies, while the defensive comparison is from controlled RIS evaluations.
The defender's response also reads as a timeline. For each robot the offensive CAI agent is met by the RIS agentic CAI defender, which holds a defence-in-depth baseline (firewall and artificial-immune-system) and then detects, classifies, blocks, and contains the intrusion. On the Unitree G1 the defender flags the anomalous BLE provisioning, classifies the command-injection against the static-key crypto, and rotates the fleet-wide AES keys, containing the agent before root or teleoperation (under 8 seconds). On the Hookii mower it flags the unauthenticated ADB service, closes it, and isolates the MQTT path while restoring the geofence, before any safety-critical actuation (under 12 seconds). Attacker steps are grounded in the published assessments; the defender's actions and their timings are drawn from controlled RIS evaluations and are illustrative.
The Cyber Resilience Act is a well-constructed instrument for the world it was written in, and its process orientation is genuinely adaptive to the first thing Cybersecurity AI (CAI) agents do: flood the vulnerability-handling process with candidates. On that axis the regime bends. The premise under strain, that discovery is human-scarce, is weakened but not withdrawn, and the CRA's own risk-based flexibility supplies the remedy, re-centring compliance on demonstrable, documented prioritisation that sensible guidance can keep standing.
The second thing CAI agents do is more corrosive. By collapsing the tempo, cost, and symmetry of the vulnerability lifecycle, they withdraw the premises a point-in-time certificate depends on: that a product's exploitable set is knowable at placement, that exploitation is a discrete detectable event, and that remediation can outrun weaponisation. When those premises go, the CRA does not bend; it breaks. A perfectly executed process still issues a certificate that is false in the agent-transformed landscape, and the failure is independent of whether the regulated product contains any AI at all: a frozen, fully conformant embedded device is moved from secure to exploitable by an agent operating in the ecosystem around it. That is why the problem cannot be delegated to the AI Act, or papered over by guidance: it is a regulation certifying, at scale and with the force of law, a safety property it can no longer observe. The object that changed is not the product but the adversary, and the CRA has no mechanism that takes the adversary's evolving capability as an input.
Closing that gap requires new constructs that give the regime a variable for the adversary: continuous or capability-indexed conformity, an adversary-capability baseline, environment-triggered re-assessment. The encouraging part is that the remedy is made of the same material as the threat. Because automated defenders draw on the same capability as automated attackers, defence can track offence, and conformity can be re-cast from a snapshot into a continuously re-established, agent-operated posture. This is no longer only a proposal: on two CRA-scope robots, a humanoid and a robotic lawn mower, a CAI defender already holds a line the undefended, fully conformant product cannot.
The timing leaves little room for hedging. The CRA reaches full application in December 2027, and on the evidence already in hand the landscape it certifies against will not survive to the date its obligations bind. Even on the conservative benchmark numbers, cheap and parallel discovery is enough to withdraw the premises, because a break needs the environment to change, not the adversary to be superhuman. Europe is on course to switch on, at great cost and in good faith, a conformity machine whose certificate of health is issued for a patient the examiner can no longer see. The CRA is not wrong so much as early to its own obsolescence: a last, best artefact of the pre-agentic world, certifying ghosts.
But obsolescence diagnosed in advance is a choice, not a fate. The evidence that voids the premises is already published, dated, and cheap to reproduce; only the admission lags. The demand this paper presses is therefore blunt. Security has to stop being a periodic, human-run process and become a continuous, agent-operated one, and a credible CRA has to gain a variable for the adversary instead of certifying around its absence. Regulators should treat the first review not as a routine revision but as the moment to make conformity move; manufacturers should not wait for a mandate to put a defensive agent on their products, because attackers are not waiting for one to put an offensive agent there. We press this from inside the European Cybersecurity AI community and in support of the CRA's purpose, not against it: an instrument this well-built deserves to meet the threat model it will actually face, and diagnosing the mismatch now, rather than in 2027, is what keeps the outcome ours to change.
@article{mayoralvilches2026certifyingghos,
title = {Certifying Ghosts: How Cybersecurity AI Agents Break the EU Cyber Resilience Act},
author = {Víctor Mayoral-Vilches},
journal = {arXiv preprint arXiv:2607.07109},
year = {2026},
eprint = {2607.07109},
archivePrefix= {arXiv},
url = {https://arxiv.org/pdf/2607.07109},
}