Platform Partners
You build on established third-party platforms: SAP, Salesforce, Microsoft Dynamics, ServiceNow, Adobe Experience Manager, TYPO3, Drupal, Shopware, Magento, commercetools, Pimcore, and dozens more. Your clients come from all sectors, and your value creation lies in custom extensions, integrations, templates, workflows, and industry solutions on these platforms.
A widespread misconception goes: "The platform is certified, so we are covered too." This is wrong. The platform's certification does not extend to your extensions. Your custom extensions are legally independent products.
Typical work and its regulatory classification
Custom extensions and plug-ins
When you develop modules, plug-ins, extensions, or custom components for a platform, these are independent "products with digital elements" or parts thereof under the CRA (Art. 3 No. 1). Even if they only function in connection with the platform, you developed and placed them on the market. The Product Liability Directive (Art. 8) makes you the manufacturer of these components.
Vulnerabilities in your extensions are your vulnerabilities — not the platform manufacturer's.
Integrations between platforms
When you connect Salesforce to an SAP system, link Shopware to an ERP, or develop cross-platform data flows, you deliver integration code that processes personal and often business-critical data. Errors here lead to data leaks or operational disruptions — both are grounds for liability under the new Product Liability Directive.
Templates, themes, storefronts
Shop themes, CMS templates, and storefront implementations do not consist only of design: they contain JavaScript, server-side logic, tracking, often third-party bundles. These are products with digital elements. Vulnerabilities in frontend code affect end customers directly — and lead to GDPR and product liability cases where the client holds you responsible.
Customising vs. standard configuration
Pure configuration without code is less critical from a regulatory perspective. But as soon as you write scripts, workflows, triggers, custom objects, Apex code, ABAP extensions, or similar, you deliver software — and are a manufacturer within the meaning of the CRA and the Product Liability Directive.
Migration and roll-out projects
In large migrations, such as SAP S/4HANA transitions, Salesforce implementations, or CMS relaunches, your role is particularly exposed. You are the direct supplier for a critical system change, and your clients expect and need DORA- and NIS2-compliant documentation.
Which laws apply for which clients
Two laws always apply, regardless of the platform or client sector:
- Product Liability Directive (Directive 2024/2853): as the developer of the extension, you are the manufacturer of that extension (Art. 8). The platform certification does not help you; your custom components are legally independent products. There is no liability cap (Art. 12), and data loss is a ground for liability (Art. 6(1)(c)).
- Cyber Resilience Act (Regulation (EU) 2024/2847) covers your extensions, modules, integrations, and templates as independent "products with digital elements" or parts thereof (Art. 3 No. 1). Art. 13(5) requires due diligence for FOSS integration in your extensions — regardless of which open source libraries the platform itself brings.
Additionally, depending on the client's sector, DORA and NIS2 may apply:
- Financial sector: DORA. Salesforce partners in banking or insurance environments become ICT third-party service providers. SAP partners in banks likewise. DORA supplier management applies directly (Art. 28 DORA).
- Health, pharmaceuticals: NIS2 plus MDR plus GDPR intensification. Custom extensions for hospital CRM or patient portals are highly regulated.
- Energy and utilities: NIS2 as essential entities. CMS and portal partners building customer portals for energy companies are suppliers under Art. 21(3) NIS2.
- Public administration: NIS2 plus BSI requirements. TYPO3 and Drupal partners in public administration deliver directly into the critical sector.
- Automotive, industry: NIS2 as important entities. SAP partners and MES partners are core suppliers here.
- E-commerce retail: NIS2 applies to large retail organisations; product liability and GDPR always apply.
Special note for platform partners: the platform manufacturers themselves increasingly expect their partners to comply with the new laws, among other reasons because the platforms also appear in their clients' DORA information registers.
Concrete consequences
Legally, what is at stake:
- Unlimited liability under the Product Liability Directive for your extensions, modules, and integrations — regardless of the platform's certification
- Fines of up to EUR 15 million or 2.5% of annual turnover under CRA (Art. 64), if your extension is not CRA-compliant when delivered
- Loss of EU market access for extensions that do not meet the CRA — including recall of already delivered versions (Art. 52, 53 CRA)
- Exclusion from partner programmes (SAP Partner Center, Salesforce AppExchange, Microsoft Partner Network): platform manufacturers will themselves be compelled to comply and will pass these requirements to their partners. Those who fail the audits lose partner status and thus market access to the platform
- 24/72-hour reporting obligations under Art. 14 CRA
- Loss of regulated client segments for DORA and NIS2 clients
Contractually, your clients — and the platform manufacturers — will demand:
- Documented security of your custom extensions and integrations
- SBOM for your extensions, separate from the platform SBOM
- Vulnerability management with response times
- Patch processes for platform updates that affect your extensions
- Compatibility with CRA obligations of the platform manufacturer
- Evidence for partner programmes (SAP Partner Center, Salesforce AppExchange, Microsoft Partner Network)
Operationally, you must establish:
- Separation between platform and extension SBOM
- Monitoring of all third-party libraries used in your extensions
- Responsible disclosure process for reported vulnerabilities
- Coordination with the platform manufacturer on shared security topics
- Documentation per client, per extension version, per deployed platform version
Financially, you face:
- Certification costs for partner programmes that increasingly require CRA evidence
- Maintenance costs for delivered extensions over at least five years
- Insurance requirements as manufacturer under the Product Liability Directive
- Hidden effort for platform updates that require your extensions to be made compatible again
Security is a competitive advantage even without obligation
Platform partners compete with hundreds of other service providers working on the same platforms. The differentiator lies in the evidence: those who deliver their extensions with SBOM, documented vulnerability management, and a responsible disclosure process better meet the requirements of the platform manufacturers, gain faster review cycles in their marketplaces, and achieve certification levels more easily.
Concretely, this means: higher visibility in partner catalogues, better positioning in tenders, stronger client retention, and a clear quality signal to procurement departments comparing different partners. Compliance thus shifts from a cost factor to a sales argument.
How OTTRIA supports platform partners
Platform partners are in a specific situation: they combine third-party code (the platform) with their own code (the extensions) and with third-party libraries (NPM, Composer, Maven, NuGet, PyPI). OTTRIA takes over the open source part of this mix:
- SBOM analysis for your extensions separate from the platform, including all transitive dependencies
- Vulnerability monitoring of the open source libraries you use
- Detection of silent fixes in third-party libraries before platform manufacturers or scanners react
- Bug fixing directly in the open source project for components you use in extensions
- Audit-ready documentation per extension and per client, suitable for SAP, Salesforce, Microsoft, and similar partner audits
- Early warning for vulnerabilities affecting your extension or platform ecosystems
- Coordinated disclosure for security topics that concern you and the platform manufacturer jointly
Platform manufacturers are looking increasingly closely at what due diligence their partners exercise with their own code and third-party libraries. OTTRIA delivers the evidence you need to present both to your clients and to your platform manufacturers.