Software & SaaS Products
Software is at the core of the Cyber Resilience Act: Whether desktop application, mobile app, or cloud-based platform, software products are explicitly covered as products with digital elements. For software vendors and SaaS providers, this means new obligations for vulnerability handling, SBOM creation, and security documentation that must be reconciled with agile release cycles.
CRA Relevance for Software & SaaS
Standalone software is explicitly defined as a product with digital elements under the CRA. SaaS solutions fall under the CRA when they constitute a necessary component for the function of a product with digital elements — the decisive criterion is remote data processing. Purely standalone cloud services without a functional link to a product are primarily regulated under NIS-2.
- Desktop applications, mobile apps, and libraries are directly subject to CRA requirements as standalone products with digital elements
- SaaS solutions fall under the CRA when they serve as remote data processing for a product: the manufacturer develops them, and without them the product could not fulfill one of its functions (e.g. cloud control of a smart home device)
- Purely standalone cloud services (SaaS, PaaS, IaaS) without a functional product link are primarily regulated by NIS-2, not by the CRA
- If software is distributed via a SaaS model and the cloud component is essential for core functionality, CRA requirements for vulnerability management and security by design apply
- Distribution via app stores or package registries does not exempt the manufacturer from CRA obligations: the manufacturer remains responsible as the entity placing the product on the market
Compliance Challenges for Software Vendors
Continuous Deployment vs. Compliance Requirements
Agile teams deliver new releases daily or weekly. CRA requirements for documentation, risk assessment, and SBOM currency must be integrated into existing CI/CD processes without slowing development velocity.
Open-Source Dependency Management
Modern software relies on hundreds of open-source libraries with transitive dependencies. Completely capturing, license-checking, and monitoring these dependency trees for vulnerabilities is not feasible without automation.
Vulnerability Disclosure for Cloud-Hosted Products
With SaaS products, the boundary between product and infrastructure becomes blurred. Coordinating vulnerability disclosures when both server-side and client-side components are affected requires clear processes.
Defining Product Boundaries for SaaS
The CRA refers to products, but for SaaS the distinction between product and service is complex. Manufacturers must clearly define which components fall under the CRA and which qualify as pure services.
How Kunnus Supports Software Vendors
Automated SBOM Generation from CI/CD Pipelines
Kunnus integrates directly into your build pipelines and automatically generates an up-to-date SBOM with every release. Changes to dependencies are immediately detected and documented.
Continuous Vulnerability Monitoring
Kunnus monitors all dependencies in your SBOMs in real time against known vulnerability databases and prioritizes required actions by severity and reachability of the affected component.
Release-Synchronized Compliance Documentation
The platform automatically keeps your CRA documentation in sync with your releases. Risk assessments, security advisories, and conformity evidence are updated with every product change.
Structured Vulnerability Disclosure Processes
Kunnus implements the entire vulnerability disclosure workflow: from receiving external reports through internal assessment to timely reporting to ENISA and notification of affected users.
Check Your Software's CRA Readiness
Determine in just a few minutes how well your software products and SaaS offerings are prepared for the Cyber Resilience Act and what steps to take next.