Flexera Trust Center
© 2026 Flexera. All Rights Reserved.

Regulatory Regimes


Last Updated: 2026-05-25

EU Cyber Resilience Act

Flexera's Position

Flexera has assessed the applicability of Regulation (EU) 2024/2847 (the Cyber Resilience Act) to its product and service portfolio. The CRA introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market, including obligations around secure design, vulnerability handling, and transparency throughout the product lifecycle.

Our Approach

Flexera's products are designed and developed with security as a foundational principle, consistent with our ISO 27001 certification and SOC 2 Type II attestation. Our existing secure software development lifecycle, vulnerability management programme, and responsible disclosure practices align with the CRA's core requirements. Revenera's Software Composition Analysis (SCA) and Software Vulnerability Manager (powered by Secunia Research) are specifically designed to help software producers manage open source risk and meet the CRA's SBOM and vulnerability transparency obligations — both for their own compliance and on behalf of their customers.

Flexera will continue to monitor CRA implementing acts and guidance from ENISA to ensure our products and processes remain aligned as the regulatory framework matures.


Digital Operational Resilience Act (DORA)

Flexera's Position

Flexera has assessed the applicability of Regulation (EU) 2022/2554 (DORA) to its products and services. Where Flexera provides software or SaaS solutions to financial entities within scope of DORA, those services may qualify as ICT services, with Flexera acting as an ICT third-party service provider. Based on the nature and criticality of those services, Flexera does not consider them to support critical or important functions within the meaning of DORA and has not been designated as a critical ICT third-party service provider.

Our Commitments

Flexera has reviewed the DORA requirements applicable to non-critical ICT third-party service providers and implemented appropriate contractual, technical, and organisational measures in response. Flexera offers a dedicated DORA Schedule to address key DORA topics where required and maintains an established information security and risk management programme underpinned by ISO 27001 certification and SOC 2 Type II attestation. Flexera will continue to monitor regulatory developments and engage transparently with customers and competent authorities as required.


EU Data Act

Flexera's Position

Flexera has assessed the requirements of Regulation (EU) 2023/2854 (the EU Data Act) as they apply to its business model and product offerings. As a provider of enterprise SaaS and on-premise software solutions, Flexera has considered the Act's provisions on data access, data portability, switching between cloud service providers, contractual transparency, and international data transfer safeguards, and has implemented appropriate measures where obligations apply.

Our Approach

Where Flexera's products or services fall within scope, we support customers in meeting their own obligations under the EU Data Act and maintain data handling practices aligned with the GDPR and applicable EU data frameworks. We work with our channel partners to ensure clarity on responsibilities across our distribution models. Flexera will continue to monitor regulatory guidance and enforcement developments and adjust our approach accordingly.