Cyber Resilience Act: the fine line between SaaS and digital products
Summary
The EU's Cyber Resilience Act (CRA), effective December 10, 2024, with full application from December 11, 2027, introduces uniform cybersecurity requirements for "products with digital elements" sold in the EU market. It mandates secure-by-design principles, risk assessments, technical documentation, conformity assessments, CE markings, and vulnerability/incident reporting throughout a product's lifecycle. A key challenge for technology providers is distinguishing between software as a product (SaaP), which is generally in scope, and pure cloud-native Software as a Service (SaaS), which is typically excluded unless essential to a product's core functionality. The CRA broadly interprets "digital element" and "connection," encompassing hardware and software products with direct or indirect data connections. Critical products face stricter assessments, and enforcement includes market surveillance and penalties. Transitional periods apply, with vulnerability handling obligations starting September 11, 2026.
Key takeaway
For CTOs and product strategists designing new offerings or assessing existing portfolios, carefully delineate between software as a product and SaaS. Your design choices, go-to-market models, and contractual allocations will be directly impacted by the CRA's scope. Document your assessments of what constitutes "essential" remote functionality to ensure compliance and mitigate risks, especially given the interplay with other EU digital laws like NIS2 and DORA.
Key insights
The CRA distinguishes between software as a product and SaaS based on market presentation and essentiality to core product functionality.
Principles
- Secure-by-design is a lifecycle requirement.
- Scope hinges on "product with digital elements."
- Remote processing can bring SaaS into scope.
Method
Assess whether remote components are essential for a product's intended functionality, considering architecture, packaging, and commercial presentation, especially for "software plus cloud" bundles or feature-gated SaaS.
In practice
- Map core offerings against CRA application.
- Document CRA scoping assessments.
- Review assessments as guidance evolves.
Topics
- Cyber Resilience Act
- Product Cybersecurity
- SaaS vs. SaaP
- EU Digital Regulation
- Secure-by-Design
Best for: CTO, Executive, VP of Engineering/Data, Software Engineer, Product Manager, Legal Professional
Editorial summary, takeaway, and curation by AIssential. Original article published by Technology's Legal Edge.