EU Cyber Resilience Act (CRA) — comprehensive guide.

Scope, 09/2026 and 12/2027 milestones, technical requirements, SBOM, vulnerability disclosure program, SLSA signing. The operational guide for European software publishers.

TL;DR — the essentials in 5 points

  • CRA = EU Regulation 2024/2847: cybersecurity requirements for products with digital elements placed on the European market.
  • First milestone: September 11, 2026 — incident reporting to ENISA within 24h + operational vulnerability disclosure program (VDP).
  • Full application: December 11, 2027 — mandatory CE-Cyber marking, SBOM, Annex I technical requirements.
  • Sanctions: up to €15M or 2.5% of worldwide turnover.
  • ISO 27001 covers ~30-40% of CRA — necessary but not sufficient. CRA covers the product itself, ISO 27001 covers the organization.

Are you concerned by the CRA?

Very probably yes, with very specific exceptions:

  • Included: B2B SaaS, commercial mobile apps, IoT, firmware, redistributed libraries, drivers, commercial plugins.
  • Partially excluded: non-commercial open source (but new obligations apply to paid contributors and "open source stewards").
  • Excluded: pure services without embedded software component (rare).

If you sell software directly or indirectly, you are very probably in scope.

Milestone 1 — September 11, 2026: Active reporting

By that date, you must be able to:

  1. Detect a security incident on your product (active exploitation of a vulnerability) and qualify it.
  2. Notify ENISA within 24 hours via the EU single reporting platform.
  3. Operate a Vulnerability Disclosure Program (VDP) with documented intake channel (security.txt RFC 9116), triage procedure, response SLAs.
  4. Trace your patch deployment: who has the patch, in what version, with what timeline.

The 24h deadline shapes everything else: it presupposes a detection capability, an escalation procedure, and a team trained in advance.

Milestone 2 — December 11, 2027: Full application

Full obligations of Annex I, with three product categories:

  • Default category: ~90% of products. Self-assessment, CE marking, basic technical documentation.
  • "Important" category (Annex III): authentication, password managers, SIEM, antivirus, identity management, BIOS, etc. Notified body assessment for class II.
  • "Critical" category (Annex IV): smart cards, hardware security modules. Highest assessment level.

Annex I requirements include: SBOM (mandatory for "important" and "critical"), security by design, security by default, automated patching capability, signed updates, support duration declaration, end-of-life notification, secure configuration.

The SBOM — Software Bill of Materials

Mandatory machine-readable list of components: name, version, supplier, hash, license, transitive dependencies. Standards: SPDX or CycloneDX.

Generated automatically at every build (Syft, cdxgen), signed (cosign), traceable, accessible to authorities and clients on request, maintained over the entire support duration.
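As an added example (not WeeSec code and not a CycloneDX or Syft tool), the script below checks a CycloneDX JSON SBOM for the per-component fields listed above (name, version, supplier, hash, license) and for transitive dependency references that do not resolve to a declared component; the sample SBOM is constructed, and the required-field policy is this example's own reading of the list above rather than the CRA legal text.

```python
"""Check a CycloneDX JSON SBOM for the fields the guide lists per component
(name, version, supplier, hash, license) and for unresolved dependency refs.
Added example, not WeeSec code; the SBOM below is constructed and the
required-field policy is this example's own, not the CRA legal text."""
import json

# Constructed CycloneDX 1.5 document: a complete component, one missing
# supplier and hash, and a dependency edge pointing at an undeclared ref.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad",
         "version": "1.3.0", "supplier": {"name": "Example Org"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/missing@0.0.1"]},
    ],
})

def component_gaps(comp):
    """Return the required fields absent from one CycloneDX component."""
    gaps = [f for f in ("name", "version") if not comp.get(f)]
    if not (comp.get("supplier") or {}).get("name"):
        gaps.append("supplier")
    # A hash entry is only usable with both an algorithm and a digest.
    if not any(h.get("alg") and h.get("content") for h in comp.get("hashes", [])):
        gaps.append("hash")
    if not comp.get("licenses"):
        gaps.append("license")
    return gaps

def check_sbom(doc_text):
    """Return ({bom-ref: [missing fields]}, [dangling dependency refs])."""
    doc = json.loads(doc_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    findings = {c.get("bom-ref") or c.get("name"): component_gaps(c)
                for c in components if component_gaps(c)}
    # Transitive dependencies must resolve to components declared in the SBOM.
    dangling = sorted(d for dep in doc.get("dependencies", [])
                      for d in dep.get("dependsOn", []) if d not in refs)
    return findings, dangling
```

Run it as a CI gate on the SBOM your build emits: a non-empty result means the artifact cannot be signed and published as CRA-complete.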

Vulnerability Disclosure Program (VDP)

Five mandatory elements:

  1. Identified intake channel (security.txt RFC 9116, dedicated email).
  2. Triage procedure with SLAs (typically 5 business days for qualification).
  3. Communication policy (transparency, coordination with the researcher).
  4. Remediation commitment by criticality.
  5. No-harm policy for good-faith researchers.

A VDP is different from a bug bounty (which pays for findings). The CRA requires at least a VDP.

Who is the French CRA authority?

In France: ANSSI serves as notifying authority responsible for evaluating, controlling and notifying conformity assessment bodies (CABs) operating in this framework. ENISA is the centralizing European authority for incident reports.

Strategy — start now

12 months to build the operational layer is short. Notified bodies will be saturated in 2027. Three priority workstreams for 2026:

  1. Operational VDP before September 11, 2026.
  2. Industrialized SBOM in CI/CD.
  3. Sigstore-signed builds with traceable provenance (SLSA L2+).

Dedicated services on this topic

Beyond the guide above, here are the WeeSec engagements that directly address this scope.

  • Cybersecurity Audit for SaaS: independent CRA-ready audit.
  • Fractional CISO / vCISO: drive your CRA compliance roadmap.

Want to discuss?

A 20-minute scope call to frame your situation. No commitment.

Book on Calendly