Multi-Product CRA Compliance

One Platform. Hundreds of Product Variants. CRA-Compliant.

When your portfolio has 50, 100 or 500 product variants, EU CRA compliance breaks every spreadsheet. Kunnus is the platform that keeps multi-product manufacturers compliant without exponential overhead.

Why Per-Product CRA Effort Does Not Scale Linearly

Conformity assessment under the CRA is per-product. On paper, ten products mean ten times the work. In practice, the relationship is super-linear — for three structural reasons.

Shared software, multiplied effort

60–80% of software components are shared across variants. Without a platform, the same SBOM update is repeated 500 times. With a platform, one upgrade flows automatically to all affected variants.

CVE fan-out without coordination

A vulnerability in OpenSSL 3.0.x affects every variant using that version. Without cross-product CVE-to-SBOM matching, the triage effort multiplies per variant — and ENISA's 24-hour notification clock keeps ticking.

Substantial-modification cascades

Changing a shared component re-triggers conformity assessment for every product using it. Without a dependency graph, identifying the cascade scope is a manual cross-reference exercise.

What Kunnus Delivers for Multi-Product Portfolios

Six capabilities, built for portfolios where one product update needs to flow to dozens or hundreds of variants — without losing per-product traceability.

Product catalog with variant inheritance

Product families with shared baselines. Variants inherit the family's SBOM base, vulnerability handling process, and support-period policy — and add only what is variant-specific. Adding the 51st variant takes hours, not weeks.

Cross-variant SBOM aggregation

Generate SBOMs per build artifact (CycloneDX or SPDX). Aggregate components across the portfolio to identify shared dependencies, version drift, and end-of-life risks. Answer 'which products contain log4j 2.14.x' in seconds.

Centralized vulnerability triage with product-aware routing

New CVEs are matched to every affected variant automatically. Severity is computed in product context. Tickets route to the responsible product owner. Per-product traceability is preserved without per-product manual labor.

Substantial-modification impact analysis

Before a developer commits a change to a shared component, see the cascade: which variants are affected, which conformity assessments will need re-validation, and what the cumulative re-assessment effort looks like.

Per-product risk classification

Annex III risk classes vary by product. A connected industrial controller may be Class II while its accessory falls into the default category. The platform supports per-variant risk classes and conformity-assessment-module mapping.

Audit-ready evidence assembly

Generate complete technical documentation, EU declaration of conformity, SBOM, test reports and vulnerability handling logs for any variant on demand. Retained for ten years. Ready when market surveillance asks.

Frequently Asked Questions

How many product variants does a multi-product platform make sense for?

Manual tooling (spreadsheets and shared drives) typically holds up to about 10 variants. Between 10 and 50, the manual approach becomes a constant maintenance burden. Beyond 50, the per-variant overhead grows super-linearly and a platform becomes the only sustainable option.

Can we migrate from spreadsheets to a platform without losing our compliance history?

Yes, with a five-phase migration: snapshot the current state, map the data model, migrate the active portfolio first, run in parallel for 30 days, and lock in the platform-level audit trail. The full audit history is preserved and retained for the ten-year CRA documentation period.

Do shared components mean shared liability across all variants?

Liability under the CRA is per-product, but evidence is shared. A vulnerability in a shared component must be addressed in every product that contains it. The platform's role is to enforce the per-product traceability while making the shared work efficient.

How does variant inheritance handle products with different risk classes?

Variant inheritance applies to shared attributes (SBOM base, vulnerability handling process, support period policy). Risk class is set per-variant because Annex III classification depends on product-specific factors like connectivity, intended use, and criticality. The platform supports any combination of inherited and per-variant attributes.

What's the relationship between this multi-product approach and the Kunnus Enterprise plan?

The multi-product capabilities described here are available across plans. The Kunnus Enterprise plan adds role-based access tiers, multi-team workflows, integration into PLM and CI/CD systems, and dedicated implementation support — for portfolios with hundreds of variants and multiple engineering teams.

Ready to See It on Your Own Portfolio?

Talk to our team about a walkthrough sized to your variant count. We'll model your portfolio, map the shared components, and show the compliance cascade in real time.

No demo call required — we can start with your product list.