Cyber Resilience Act: SerNet prepares verinice and SAMBA+ for CRA obligations at an early stage

The Cyber Resilience Act (CRA) will come into full effect in December 2027. SerNet GmbH is affected by this in several areas: with the open source products verinice and SAMBA+ – and also with other “products with digital elements” used by SerNet as a service provider for secure infrastructure.

Preparations at SerNet began as early as January 2025. Over the course of the year, lawyer Tilbe Tuğanlı drew up two guidelines for implementing the CRA. The case was relatively clear for verinice because this software is not subject to any special risk class and is developed entirely in-house at SerNet. There was significantly more work to be done with SAMBA+: The software is classified as an identity and access management (IAM) tool and is developed in close cooperation with a steward – the international Samba team currently based in the USA. Both guides were completed in 2025 and are available under the Creative Commons license CC BY-SA.

At the same time, our working student Leander Sange from PFH Private University Göttingen gave several presentations for the internal training of colleagues at SerNet. In addition to internal use, the presentation materials and guidelines were also used for information events at the Measurement Valley e.V. measurement technology association and other institutions in the course of 2025.

Starting in January 2026, SerNet will begin gradually implementing the guidelines so that it can submit all declarations of conformity on time and display the CE logo on its product websites. This work is made particularly difficult by the fact that European legislators have not yet finalized key aspects: important specifications are still missing in the “harmonized standards” for the concrete implementation of the CRA. The last of these are not expected to be available until 2027 – anything but timely.

Interested in the SerNet documents on the CRA?
Please feel free to contact us by email at ospo@sernet.de.