EU Cyber Resilience Act Guide for Managed Service Providers with On-Premises Software

MSPs who develop and commercially distribute software installed on customer systems — including RMM agents, backup clients, security monitoring sensors, patch management agents, and PSA integrations — are manufacturers of products with digital elements under Article 3(1). The CRA applies to each distinct software product placed on the EU market, regardless of whether it is sold as a standalone licence or bundled within a managed service offering. Classification for MSP tooling requires particular attention: RMM agents with broad administrative access to customer systems — including the ability to execute commands, deploy software, and access configuration data across managed endpoints — are strong candidates for Class II Important Products under Annex III, given the systemic risk they present. The 2021 Kaseya VSA attack, which compromised MSP tooling to deploy ransomware across thousands of customer organisations, illustrates exactly the risk profile that Annex III captures.

MSP software agents installed on customer endpoints represent one of the highest-privilege, most widely-deployed software categories in enterprise IT. Annex I requirements for MSP software manufacturers include: implementing authenticated and encrypted communications between agents and management consoles, with certificate validation preventing man-in-the-middle interception; eliminating shared agent authentication credentials — each managed device should authenticate individually; enforcing code signing on all software components and updates deployed through the MSP platform; implementing least-privilege principles for agent operation, requesting only the permissions required for each specific function; providing comprehensive audit logging of all agent actions on managed endpoints; and supporting a mechanism for customers to verify the integrity of the software installed on their endpoints. The SBOM must cover the agent software, its update mechanism, and all third-party libraries embedded in the agent.

Article 13 requires a published CVD policy. For MSP software vendors, the CVD programme carries amplified importance because a single vulnerability in RMM or backup software can be exploited across thousands of customer environments simultaneously. The CVD policy must: establish a dedicated security reporting channel monitored continuously; specify accelerated response timelines for vulnerabilities that could enable supply chain attacks (authentication bypass, remote code execution, privilege escalation); define the process for coordinating with national CSIRTs when a vulnerability has multi-customer impact; and establish how customers are notified of available security updates with appropriate urgency. Because MSP customers are themselves IT service providers with their own security obligations to end clients, the CVD policy's customer notification obligations cascade through multiple layers. MSPs providing NIS2-regulated services must also align their CVD programme with their NIS2 incident reporting obligations.

For MSP software vendors, Article 14's 24-hour notification obligation takes on particular urgency when a vulnerability is exploited because exploitation typically affects not one customer but potentially thousands. The notification to the relevant national CSIRT must communicate the potential scale of impact — the number of MSPs using the software and the number of end-customer environments potentially exposed. This scale information is critical for the CSIRT to make appropriate decisions about broadcasting alerts and activating coordinated response. Vendors must have mechanisms to rapidly identify the number and location of active deployments to support this notification. The 24-hour window for an MSP supply chain incident is extremely tight given the response coordination required — pre-positioned incident response resources and pre-written notification templates are essential.

RMM tools and other MSP software qualifying as Class II Important Products require notified body assessment. For MSP vendors developing software distributed to EU MSP partners who then deploy to end customers, the original software developer is the manufacturer for CRA purposes. The notified body assessment must cover the full software development lifecycle, including: secure coding practices; build pipeline integrity controls preventing supply chain compromise; software signing and update delivery security; vulnerability management procedures; and incident response capability. Class I MSP software may use self-declaration, but the technical file requirements are identical in scope to Class II, differing only in who performs the assessment. ISO 27001 and SOC 2 Type II certifications provide supporting evidence but do not substitute for CRA-specific conformity documentation.