- CRACI, based in Helsinki, has raised €1.4 million from Lifeline Ventures, which previously backed Wolt and Supercell
- The startup helps software companies meet the new legal requirements by automating vulnerability tracking and documentation
- The EU’s Cyber Resilience Act will start in September 2026. It will affect more than 600,000 companies worldwide and could lead to fines of up to €15 million for non-compliance
CRACI, based in Helsinki, has secured €1.4 million in pre-seed funding led by Lifeline Ventures, with support from First Fellow Partners and Wave Ventures.
The Finland-based startup, founded in 2025 by Juho Niemi, Dennis Marttinen, Jaakko Sirén, and Petteri Pulkkinen, builds software that works with existing development pipelines to track vulnerabilities, generate security documentation, and manage software components throughout their lifecycle.
The Cyber Resilience Act, starting in September 2026, requires any company selling digital products in the EU to meet strict standards for security, documentation, and ongoing vulnerability management. About 600,000 companies worldwide, including those outside Europe selling into the EU, will be affected, the company claims.
“Supply chain security is now business-critical for software organisations. Companies that invest early will gain a competitive edge through faster market access and stronger trust. Those relying on manual approaches risk delays and higher costs. We enable fast and reliable security and compliance without slowing growth,” says Niemi.
CRACI’s platform connects directly to CI/CD pipelines, so compliance checks run alongside regular development instead of as a separate audit. For example, when a team adds a new open-source library, CRACI tracks it, flags any known vulnerabilities, and automatically updates the product’s security documentation.
The platform is built for software engineering and security teams at companies that sell software to the EU and need to demonstrate CRA compliance without slowing development.
“Under the CRA, this lack of transparency is unacceptable. Companies are fully accountable for every product they ship and must ensure it is secure and free from vulnerabilities. As a result, the direct and transitive attack surface is expanding faster than most organisations can currently manage,” Niemi adds.
Tools like Snyk, Mend.io, and Black Duck have long offered vulnerability scanning of open-source dependencies and are now preparing to meet CRA requirements. CRACI stands out by covering the full compliance workflow, including documentation, traceability records, and incident reporting, not just vulnerability detection.
“CRACI’s founders combine rare technical expertise with a deep understanding of how developers actually work. The CRA is rewriting the rules for software in Europe, and CRACI is building what this new era demands: a comprehensive compliance automation solution that fits into existing workflows,” says Juha Lindfors, partner at Lifeline Ventures.
The new funding will help CRACI accelerate product delivery ahead of the September 2026 CRA deadline, when companies must begin reporting exploited vulnerabilities and serious incidents to ENISA, the EU’s cybersecurity agency.