CRACI has raised 1.4M€ in pre-seed funding to automate compliance for the EU’s new era of cybersecurity. Led by Lifeline Ventures, with participation from First Fellow Partners, Wave Ventures, and Lucas Käldström, this capital will accelerate our mission to help businesses meet the Cyber Resilience Act (CRA) head-on.
Why we built CRACI
The Cyber Resilience Act comes into force in September 2026. From that date, every product with digital elements sold in the EU has to meet a new baseline of cybersecurity, documentation, and lifecycle management. More than 600,000 companies worldwide are in scope, and the EU’s position is unambiguous: comply or lose market access. It’s one of the broadest cybersecurity regulations passed anywhere with global impact.
We’ve been having the same conversation, over and over, with CISOs, CTOs, and compliance leads. They know the deadline. They’ve read the regulation. They know supply chain attacks are an everyday occurrence. What they don’t have is the right tooling.
Vulnerabilities are hard to catch before they affect the entire fleet of products. Nobody has full visibility into the actual software versions in them.
Existing solutions stop at development-time scanning. The vulnerabilities that matter emerge later, in transitive dependencies that were clean at build but aren’t anymore. And dev-time scanners don’t know what’s actually deployed across your fleet: which version of which component is in which product, in production, today.
Meanwhile, the CRA gives businesses 24 hours to report an actively exploited vulnerability after becoming aware of it, with penalties for non-compliance. Technical documentation has to be maintained for at least ten years after a product is placed on the market. It also requires proactive, ongoing vulnerability handling: every product, every dependency, for the lifetime of each one.
Yet compliance today is often an afterthought that runs on spreadsheets, Confluence pages, and one-off scripts in periodic cycles, the kind of setup that works until it doesn’t.
What we’re building
CRACI gives you provably complete SBOMs across your software supply chain (every component, every dependency, every transitive risk) and automates the tracking, documentation, and lifecycle management the CRA requires. The point isn’t to bolt compliance onto your engineering team’s existing work. With CRACI as your CI, compliance ships with every build.
At the core is the SBOM graph: a continuously-updated model of what’s deployed across your product portfolio, mapping which components are in which versions of which products in production right now. We generate it from your build, keep it current as releases ship, and watch for new vulnerabilities against any version still in the field. When a CVE drops, the graph traces it upward to whichever products are affected, in whichever release lines.
Around the graph, we automate the work the CRA actually requires. SBOMs stay current with every build, and full history is archived for as long as you need it, covering the ten-year retention the regulation expects, or longer. Vulnerability handling lives where engineers already do their work (in pull requests and issue trackers), not in a parallel compliance queue. And when an actively exploited vulnerability surfaces in something you’ve shipped, CRACI files the required report to ENISA before the 24-hour clock runs out.
Here’s how Juho, our CEO, puts it:
“Supply chain security is now business-critical for software organizations. Under the CRA, companies are fully accountable for every product they ship — and the transitive attack surface is expanding faster than most can currently manage. Those relying on manual approaches risk delays and higher costs.”
— Juho Niemi, co-founder and CEO, CRACI
Companies like Hamina Wireless are already building with CRACI to keep their software supply chains continuously secure and CRA-ready as their code ships.
Why now, and why fast
Two things are converging. The first is the calendar: September 2026 isn’t a future-state requirement. It’s the new operating reality. From that date, ENISA (the European Union Agency for Cybersecurity) starts taking the reports, and the rest of the CRA’s obligations go live across the EU market.
The second is how software is being built today. AI has compressed the time from idea to shipping code, but it’s also expanded the attack surface in ways most teams haven’t fully accounted for. Modern applications lean on third-party components, open-source libraries, and AI-generated code, and visibility into all of it has gotten harder, not easier.
Why these investors
The round was led by Lifeline Ventures, early backers of Wolt and Supercell, with participation from First Fellow Partners, Wave Ventures, and angel investor Lucas Käldström.
We picked them because they got the thesis from the first call. The CRA is a category-creating moment, and Lifeline has helped founders navigate exactly these kinds of moments before. First Fellow brings deep tech experience. Wave’s conviction in early-stage Nordic founders has shaped how we’re building the company.
From Juha Lindfors, Partner at Lifeline Ventures:
“CRACI’s founders combine rare technical expertise with a deep understanding of how developers actually work. The CRA is rewriting the rules for software in Europe, and CRACI is building what this new era demands: a comprehensive compliance automation solution that fits into existing workflows. We’re excited to back the team.”
— Juha Lindfors, Partner, Lifeline Ventures
About CRACI
CRACI is a Helsinki-based technology company automating software supply chain security under the EU Cyber Resilience Act. The platform is the CI your engineering team’s code ships through, continuously managing vulnerabilities, archiving SBOM history, and keeping you compliant, without parallel workflows for your engineers to maintain.
Founded in 2025 by Juho Niemi, Dennis Marttinen, Jaakko Sirén, and Petteri Pulkkinen, CRACI empowers teams of all sizes to secure and manage their software supply chains with confidence.
If you're shipping products with software into the EU and the CRA is on your roadmap, we'd love to compare notes on what your prep looks like today. Reach our team.