"As with any new regulation, there will certainly be a transitionary period as organisations adjust to new requirements and standards," Sonatype's Fox told CNBC. "This is the start of a long journey toward improving software security and resilience."