Web, Digital, and Creative Agencies
You build websites, mobile apps, online shops, customer portals, CRM solutions, and campaign platforms. Your clients are brands, mid-sized companies, corporations. You deliver creative concepts plus technical implementation and often maintain projects for years.
From a regulatory perspective, you are in a remarkable position: you develop and deliver software products across the full spectrum from simple corporate websites to highly critical financial and healthcare applications. The legal classification of these works differs considerably — and most agencies do not know this.
Typical projects and their regulatory classification
Corporate websites
A purely informational website without login, without form processing, without data processing tends not to fall under the CRA. But as soon as contact forms process personal data, newsletter tools are integrated, or a login area exists, the website becomes a "product with digital elements" under Art. 3 No. 1 CRA.
Product liability applies regardless for any commissioned development, as soon as the software is delivered commercially.
Mobile apps
Mobile apps are clearly products with digital elements within the meaning of the CRA. Once they are published in an app store — regardless of whether under your name or the client's name — they are considered "placed on the market". The CRA obligations therefore apply directly.
Typical examples: event apps, loyalty apps, service apps, ordering apps, education apps. Apps that process payments or pass data to core systems are subject to heightened due diligence requirements.
Online shops and e-commerce
Shops process personal data, payments, and often health or age information. They clearly fall under the CRA. Product liability covers them comprehensively — in cases of data leaks or faulty ordering processes, Art. 6(1)(c) of the new Product Liability Directive (data loss as ground for liability) applies.
Customer portals and service platforms
Login-protected portals — dealer portals, investor relations areas, customer self-service platforms — are almost always CRA-relevant because they combine authentication and data processing.
Online leasing, loan calculators, insurance underwriting
When you build such platforms for financial service providers, you are working on a critical ICT system within the meaning of DORA. Your client falls under DORA, you become an ICT third-party service provider, and the entire supplier management regime under Art. 28 DORA applies. This is the most stringent scenario an agency can encounter.
CRM systems and marketing automation
CRM integrations process customer and often financial data. Depending on the implementation, they are products with digital elements. As lead agency for a CRM project, you are at a central position in the client's supply chain — and will be prominently assessed in NIS2 clients' supplier evaluations.
Which laws apply for which clients
Two laws always apply — regardless of which sector your clients operate in:
- Product Liability Directive (Directive 2024/2853) covers any commissioned development once the software is delivered commercially. The Directive expressly names developers as manufacturers (Art. 8); data loss is an independent ground for liability (Art. 6(1)(c)); and there is no liability cap (Art. 12). This affects you in every project, from corporate websites to banking apps.
- Cyber Resilience Act (Regulation (EU) 2024/2847) applies once your delivery is a "product with digital elements" (Art. 3 No. 1) — meaning practically every app, every shop, every customer portal, and every website with data processing. Art. 13(5) requires "due diligence" for FOSS integration, Art. 14 regulates reporting obligations for vulnerabilities.
Two further laws come into play once your clients operate in regulated sectors:
- Financial clients (banks, insurance companies, leasing companies, FinTechs) bring DORA requirements from the client relationship. These are the most stringent requirements — information register, due diligence, exit strategy, TLPT involvement.
- Energy and utility companies (municipal utilities, grid operators, gas suppliers) bring NIS2 requirements from the client relationship as essential entities.
- Health, hospitals, pharmaceuticals bring NIS2 requirements from the client relationship plus particularly high data protection requirements.
- Automotive, semiconductors, industry bring NIS2 requirements from the client relationship as important entities.
- Public administration, federal and state agencies bring NIS2 requirements from the client relationship as public administration.
- Logistics and transport are NIS2 sectors.
- Schools and educational institutions are not directly NIS2 sectors, but data protection for minors heightens liability under the Product Liability Directive.
Even a single reference project in one of these sectors is enough to draw your entire agency into your clients' compliance assessments.
Concrete consequences
Legally at stake:
- Unlimited liability under the Product Liability Directive, particularly for data loss (Art. 6(1)(c), Art. 12)
- Fines of up to EUR 15 million or 2.5% of annual turnover under CRA (Art. 64)
- Loss of EU market access for affected products if the CRA is not met (Art. 52, 53 CRA)
- Reporting obligations within 24 hours for actively exploited vulnerabilities (Art. 14 CRA)
- Loss of the entire financial client segment if you cannot meet DORA requirements towards a banking or insurance client
- Personal liability of management in cases of gross negligence
Contractually, your clients will demand:
- Documented security strategy (written, verifiable)
- SBOM for every delivered project
- Vulnerability reporting within contractually agreed deadlines
- Incident response availability, often 24/7
- Exit scenario and handover documentation
- Liability insurance of relevant amount
Operationally, you must establish:
- A responsible disclosure channel (security.txt, documented process)
- Continuous monitoring of open source components used in projects
- Patch management for ongoing projects, even years after project completion
- Responsiveness to vulnerability reports from the community
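The responsible disclosure channel in the list above rests on a machine-readable security.txt file (RFC 9116), which the page mentions but does not show. The following is an added example, not OTTRIA's code or part of the original page: a small parser and validator that checks a security.txt for the points a client's supplier audit would look at (a Contact URI, an Expires date that is set, not passed and no more than a year ahead, and https: links). The agency domain and both sample files are constructed for illustration.

```python
"""Parse and validate a security.txt file (RFC 9116).

Added example for illustration. The domain example-agency.example and
the two sample files below are constructed, not real deployments.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
# RFC 9116 allows these fields to appear at most once.
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")
# Fields whose value is expected to be an https: URL.
HTTPS_FIELDS = ("Canonical", "Policy", "Encryption", "Acknowledgments", "Hiring")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return a mapping of field name -> list of values (fields may repeat).

    Blank lines and '#' comments are skipped; any other line must be
    'Field: value'. Unknown fields are kept, as the RFC says to ignore
    rather than reject them.
    """
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {line!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field {name} must appear only once")

    # Contact must be a URI; the RFC uses mailto:, tel: and https: in its examples.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    for name in HTTPS_FIELDS:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https: URL: {url}")

    # Expires: ISO 8601 with timezone, in the future, and (RFC recommendation)
    # less than a year ahead so the file is reviewed regularly.
    if len(fields.get("Expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif expires <= now:
                problems.append(f"security.txt expired on {expires.isoformat()}")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead; refresh at least yearly")
    return problems


# Constructed sample: what a well-formed agency security.txt looks like.
GOOD_SECURITY_TXT = """\
# Served at https://example-agency.example/.well-known/security.txt
Contact: mailto:security@example-agency.example
Contact: https://example-agency.example/security/report
Expires: 2025-12-31T23:59:00Z
Canonical: https://example-agency.example/.well-known/security.txt
Policy: https://example-agency.example/security/policy
Preferred-Languages: en, de
"""

# Constructed sample with two defects: a plain-http Contact and a past Expires.
BAD_SECURITY_TXT = """\
Contact: http://example-agency.example/security
Expires: 2024-01-01T00:00:00Z
"""

if __name__ == "__main__":
    # Fixed clock so the run is reproducible.
    clock = datetime(2025, 1, 15, tzinfo=timezone.utc)
    print("good:", validate_security_txt(GOOD_SECURITY_TXT, now=clock) or "OK")
    print("bad: ", validate_security_txt(BAD_SECURITY_TXT, now=clock))
```

Run this against each project's deployed `/.well-known/security.txt` as part of release checks; the Expires rule in particular catches the common failure where a file published at go-live silently lapses years later while the project is still maintained.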
Financially, you face:
- Costs for documented processes and certifications
- Ongoing maintenance capacity that you could previously bill per project and now carry as a baseline cost
- Liability risk under the Product Liability Directive without cap
Security is a competitive advantage even without obligation
Even if none of your clients worked in a regulated sector, it would be wise to build these processes. Agencies compete fiercely, and responsibility and professionalism set you apart. Those who can demonstrate in a pitch that they know their supply chain, actively fix vulnerabilities, and respond to reports come across not as a creative shop but as a partner on equal footing.
In concrete terms, this means better close rates with demanding clients, higher day rates, less friction in projects, more favourable insurance premiums, and brand protection against incidents. The same processes you need for regulation also make you better in the market.
How OTTRIA helps agencies
OTTRIA does not replace your development work. We take over the part that is added by the new laws — and that is not your core business:
- SBOM analysis and maintenance for every project you deliver, including all transitive dependencies
- Continuous vulnerability monitoring of all deployed open source components — even years after project completion
- Silent fix detection through active code analysis in the projects you use
- Responsible disclosure channel and coordinated disclosure as a service
- Audit-ready documentation for your clients — presentable during supplier assessments, DORA due diligence, and NIS2 supplier audits
- Bug fixing directly in the open source project when vulnerabilities arise that you cannot fix yourself
- Early warning through OTTRIA's role as Open Source Steward — you learn about vulnerabilities before they become public
You remain the point of contact for your client. OTTRIA delivers the evidence that your clients must demand under CRA, DORA, and NIS2.