SPS Digital Tech, founded by Stephan Smuts, provides Danish enterprises with the specialized expertise needed to secure critical operations. Access is provided to practical, high-integrity security solutions and elite technical oversight tailored to the unique requirements of the Danish market.

The EU Cyber Resilience Act is no longer a distant proposal — it is in force, with hard deadlines and significant penalties. These are the numbers every manufacturer of connected products should plan around.
It is determined whether your products fall under the CRA, and a forensic gap analysis maps exactly where you fall short of its requirements.
Secure-by-default engineering and a complete Software Bill of Materials are established, with third-party and supply-chain components verified and tracked.
Coordinated vulnerability disclosure, secure update mechanisms, and 24-hour incident reporting are put in place to meet CRA obligations through 2027 and beyond.
Technical documentation and conformity assessment are prepared so your digital products achieve CRA-compliant CE marking and stay sellable in the EU.
A forensic audit is performed on the existing infrastructure to identify security gaps and CRA misalignments.
A custom security blueprint is developed to translate complex technical needs into clear business certainty.
A fully compliant state is achieved through the surgical integration of autonomous tools, ensuring active resilience.
High-impact diagnostic sessions are conducted to identify immediate CRA gaps and architectural misalignments.
Strategic oversight is provided for secure-by-design controls and SBOM tooling, ensuring CRA requirements are met without disrupting your release schedule.
Acts as your fractional compliance lead, steering the CRA programme from scoping through to CE marking and certification.
On-demand help with technical documentation, conformity assessment, and 24-hour vulnerability and incident reporting readiness.
Elite international expertise is combined with a deep understanding of local business values. Security architectures are ensured to be both world-class and practically applicable.
Will your connected products still be sellable in the EU after December 2027?
CRA obligations are translated into a pragmatic, prioritised roadmap — from scoping and SBOMs to CE marking — so you reach conformity without stalling your product teams or your release schedule.
Both are EU cybersecurity regulations, but they target different things. The CRA governs the security of products with digital elements, while NIS2 governs the cybersecurity of organisations that operate essential and important services. Many Danish businesses fall under both.
| Aspect | Cyber Resilience Act (CRA) | NIS2 Directive |
|---|---|---|
| Primary focus | Security of products with digital elements | Cybersecurity of essential & important entities |
| Who it applies to | Manufacturers, importers & distributors of digital products | Operators of essential and important services |
| Core obligation | Secure-by-design, SBOM, 5 years of updates, CE marking | Risk management, governance & incident reporting |
| Reporting deadline | 24h early warning for exploited vulnerabilities | 24h early warning for significant incidents |
| Key date | Full application from 11 Dec 2027 | National transposition due since 17 Oct 2024 |
| Maximum penalty | €15M or 2.5% of global turnover | €10M or 2% of global turnover |
The Cyber Resilience Act (CRA) is EU regulation that mandates cybersecurity requirements for products with digital elements. It covers software, firmware, and connected hardware sold in the EU, requiring measures such as a Software Bill of Materials (SBOM), at least five years of security updates, coordinated vulnerability disclosure, secure-by-default design, and CRA-compliant CE marking.
The CRA generally applies if your product connects to another device or network (Wi-Fi, Bluetooth, USB, or API), is software or firmware sold commercially, is a hardware component used inside a connected product, or connects indirectly as part of a larger connected system. Products already regulated as medical devices, vehicles, aviation, or marine equipment are typically out of scope.
SPS Digital Tech helps Danish companies navigate CRA compliance from scoping to certification. This includes a discovery audit to identify security gaps and CRA misalignments, a custom security blueprint, and deployment oversight to reach a fully compliant, CE-markable state.
SPS Digital Tech focuses on EU Cyber Resilience Act (CRA) compliance: scoping and gap analysis to determine whether your products are in scope, secure-by-design engineering and Software Bill of Materials (SBOM) management, coordinated vulnerability handling with 24-hour incident reporting, and technical documentation and conformity assessment for CRA-compliant CE marking. Engagement models range from a complimentary strategic discovery session to deployment oversight, an ongoing compliance programme lead, and ad-hoc audit and reporting support.
SPS Digital Tech was founded by Stephan Smuts, a Strategic Security Architect who combines elite international expertise with a deep understanding of the Danish market to deliver practical, high-integrity security solutions.
Our guidance is grounded in official EU and Danish regulatory sources. Verify any claim directly against the primary legislation and authorities below.
Facilitating the implementation of secure and compliant business operations.