SPS Digital Tech LogoSPS Digital Tech

SPS Digital Tech

Strategic Security Architect

SPS Digital Tech, founded by Stephan Smuts, provides Danish enterprises with the specialized expertise needed to secure critical operations. Access is provided to practical, high-integrity security solutions and elite technical oversight tailored to the unique requirements of the Danish market.

Global Expertise, Local Focus
Stephan Smuts - Founder of SPS Digital Tech
Do you maintain a Software Bill of Materials (SBOM) for all products?
Can you provide security updates for at least 5 years post-sale?
Is a coordinated vulnerability disclosure process established?
Are products designed to be secure by default out of the box?
Are digital products ready for CRA-compliant CE marking?
Is technical documentation maintained for security assessments?
Can security incidents be reported to authorities within 24 hours?
Is a cybersecurity risk assessment performed for each product?
Are secure update mechanisms implemented for all connected products?
Is the security of third-party components verified and tracked?
Do you maintain a Software Bill of Materials (SBOM) for all products?
Can you provide security updates for at least 5 years post-sale?
Is a coordinated vulnerability disclosure process established?
Are products designed to be secure by default out of the box?
Are digital products ready for CRA-compliant CE marking?
Is technical documentation maintained for security assessments?
Can security incidents be reported to authorities within 24 hours?
Is a cybersecurity risk assessment performed for each product?
Are secure update mechanisms implemented for all connected products?
Is the security of third-party components verified and tracked?
CRA By The Numbers

Why does CRA compliance matter now?

The EU Cyber Resilience Act is no longer a distant proposal — it is in force, with hard deadlines and significant penalties. These are the numbers every manufacturer of connected products should plan around.

10 Dec 2024
The CRA officially entered into force
11 Dec 2027
Main obligations apply to all in-scope products
24 hours
Deadline to report an actively exploited vulnerability, from 11 Sep 2026
€15M / 2.5%
Maximum fine, or of global annual turnover — whichever is higher
CRA Compliance

How do we get your products CRA-ready?

Scoping & Gap Analysis

It is determined whether your products fall under the CRA, and a forensic gap analysis maps exactly where you fall short of its requirements.

Secure-by-Design & SBOM

Secure-by-default engineering and a complete Software Bill of Materials are established, with third-party and supply-chain components verified and tracked.

Vulnerability & Incident Handling

Coordinated vulnerability disclosure, secure update mechanisms, and 24-hour incident reporting are put in place to meet CRA obligations through 2027 and beyond.

CE Marking & Conformity

Technical documentation and conformity assessment are prepared so your digital products achieve CRA-compliant CE marking and stay sellable in the EU.

The Methodology

How do we move you from chaos to architecture?

Phase 01

Discovery

A forensic audit is performed on the existing infrastructure to identify security gaps and CRA misalignments.

Phase 02

Design

A custom security blueprint is developed to translate complex technical needs into clear business certainty.

Phase 03

Deployment

A fully compliant state is achieved through the surgical integration of autonomous tools, ensuring active resilience.

Engagement Models

How can you work with SPS Digital Tech?

Complimentary

Strategic Discovery

High-impact diagnostic sessions are conducted to identify immediate CRA gaps and architectural misalignments.

Implementation

Deployment Oversight

Strategic oversight is provided for secure-by-design controls and SBOM tooling, ensuring CRA requirements are met without disrupting your release schedule.

Ongoing

Compliance Program Lead

Acts as your fractional compliance lead, steering the CRA programme from scoping through to CE marking and certification.

Ad-hoc Support

Audit & Reporting Support

On-demand help with technical documentation, conformity assessment, and 24-hour vulnerability and incident reporting readiness.

Global Network, Local Trust

Elite international expertise is combined with a deep understanding of local business values. Security architectures are ensured to be both world-class and practically applicable.

CRA-Ready, Not Just Compliant

Will your connected products still be sellable in the EU after December 2027?

CRA obligations are translated into a pragmatic, prioritised roadmap — from scoping and SBOMs to CE marking — so you reach conformity without stalling your product teams or your release schedule.

CRA vs NIS2

CRA or NIS2 — which regulation applies to you?

Both are EU cybersecurity regulations, but they target different things. The CRA governs the security of products with digital elements, while NIS2 governs the cybersecurity of organisations that operate essential and important services. Many Danish businesses fall under both.

CRA or NIS2 — which regulation applies to you?
AspectCyber Resilience Act (CRA)NIS2 Directive
Primary focusSecurity of products with digital elementsCybersecurity of essential & important entities
Who it applies toManufacturers, importers & distributors of digital productsOperators of essential and important services
Core obligationSecure-by-design, SBOM, 5 years of updates, CE markingRisk management, governance & incident reporting
Reporting deadline24h early warning for exploited vulnerabilities24h early warning for significant incidents
Key dateFull application from 11 Dec 2027National transposition due since 17 Oct 2024
Maximum penalty€15M or 2.5% of global turnover€10M or 2% of global turnover
FAQ

Frequently Asked Questions

What is the EU Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is EU regulation that mandates cybersecurity requirements for products with digital elements. It covers software, firmware, and connected hardware sold in the EU, requiring measures such as a Software Bill of Materials (SBOM), at least five years of security updates, coordinated vulnerability disclosure, secure-by-default design, and CRA-compliant CE marking.

Does the CRA apply to my product?

The CRA generally applies if your product connects to another device or network (Wi-Fi, Bluetooth, USB, or API), is software or firmware sold commercially, is a hardware component used inside a connected product, or connects indirectly as part of a larger connected system. Products already regulated as medical devices, vehicles, aviation, or marine equipment are typically out of scope.

How does SPS Digital Tech help Danish companies with CRA compliance?

SPS Digital Tech helps Danish companies navigate CRA compliance from scoping to certification. This includes a discovery audit to identify security gaps and CRA misalignments, a custom security blueprint, and deployment oversight to reach a fully compliant, CE-markable state.

What services does SPS Digital Tech offer?

SPS Digital Tech focuses on EU Cyber Resilience Act (CRA) compliance: scoping and gap analysis to determine whether your products are in scope, secure-by-design engineering and Software Bill of Materials (SBOM) management, coordinated vulnerability handling with 24-hour incident reporting, and technical documentation and conformity assessment for CRA-compliant CE marking. Engagement models range from a complimentary strategic discovery session to deployment oversight, an ongoing compliance programme lead, and ad-hoc audit and reporting support.

Who founded SPS Digital Tech?

SPS Digital Tech was founded by Stephan Smuts, a Strategic Security Architect who combines elite international expertise with a deep understanding of the Danish market to deliver practical, high-integrity security solutions.

Verified Sources

Authoritative references

Our guidance is grounded in official EU and Danish regulatory sources. Verify any claim directly against the primary legislation and authorities below.

Ready to secure your 2026 roadmap?

Facilitating the implementation of secure and compliant business operations.