Does the Cyber Resilience Act apply to your SaaS product?

Does the Cyber Resilience Act apply to SaaS?

The Cyber Resilience Act may apply to SaaS services if they are an essential part of a connected digital product or its functionality. This includes cloud services that control IoT devices, industrial systems, or other network-connected devices.

The CRA is particularly relevant to SaaS when:

  • SaaS is essential for a device to function

  • SaaS controls or manages connected devices

  • SaaS includes software components delivered as part of a product

If your SaaS is a core part of a digital product, your company should address CRA requirements such as secure-by-design development, vulnerability management, and software component documentation.

Why the Cyber Resilience Act matters now

The EU’s Cyber Resilience Act (CRA) introduces minimum cybersecurity requirements for products with digital elements that can be connected to a device or network. Its goal is to improve the security of digital products placed on the EU market and reduce vulnerabilities already at the design stage.

The CRA entered into force in December 2024. Some obligations will start applying as early as September 2026, with full compliance required by December 2027. Now is the time to assess whether the regulation applies to your business and SaaS offering.

What does CRA require?

The Cyber Resilience Act is built around the principle of security by design, meaning cybersecurity must be considered throughout the entire product lifecycle, from development to maintenance.

Key requirements include:

  • risk-based product design

  • secure default configurations

  • confidential data handling

  • vulnerability management and reporting

The goal is to ensure that digital products are secure before they enter the market.

CRA and SaaS companies

As you read more about CRA, you might ask: does the CRA apply to SaaS companies?

The answer is not entirely straightforward. While the CRA primarily targets digital products and devices, SaaS solutions may fall within its scope if they are an essential part of a connected product or its functionality.

When does CRA apply to SaaS?

The CRA may apply to SaaS solutions in the following scenarios:

1. SaaS is a core part of a physical product

If a cloud service is essential for a product’s functionality, it may be considered part of the digital product.

Examples include:

  • controlling industrial robots via a SaaS platform

  • cloud management of smart devices

  • analytics services for IoT devices

If the device cannot function in practice without the SaaS service, the service may fall under CRA requirements.

2. SaaS controls or manages connected devices

The CRA focuses on the relationship between software and connected devices.

Examples include:

  • building automation systems

  • industrial IoT platforms

  • remote device management systems

In these cases, SaaS is not just an interface; it is part of the functional system.

3. SaaS includes software components delivered with the product

If your SaaS solution includes components delivered to the customer (such as an agent, SDK, or integration component), these may fall under the CRA scope.

The CRA also emphasizes software transparency, particularly through SBOM (Software Bill of Materials) requirements. Companies must document the software components used in their products.

What should SaaS companies do now?

Start by assessing whether your SaaS solution falls under the CRA scope. Consider questions like:

  • Is your SaaS part of a digital product?

  • Does it control connected devices?

  • Are software components delivered to customers?

Next, conduct a CRA gap analysis. Evaluate whether your SaaS solution meets requirements related to security updates, vulnerability management, and documentation.

Finally, update your processes. Build a vulnerability management process that defines:

  • How vulnerabilities are detected and assessed

  • How fixes are implemented

  • How regulatory reporting is handled when required

CRA is relevant for all software companies

Even if the CRA does not directly apply to all SaaS solutions, its requirements provide valuable guidance for improving cybersecurity across all software development. Early preparation is not just about compliance — it enables you to build products where security, updatability, and vulnerability management are embedded into development.

For many companies, the CRA serves as a benchmark for what a modern, secure software product should look like in the EU market.

Still have questions about CRA?

We’ve compiled a practical CRA guide (in Finnish) that covers the fundamentals of the legislation, includes expert insights from our cybersecurity specialist, and provides a real-world case example to support your preparation. You’ll also get a clear roadmap for CRA compliance.

You can download our CRA guide here (in Finnish)!
