Software distribution built for resilience on European infrastructure.
A sovereign update server for security-critical software delivery. Distribute binaries, verify signatures, and track the EU Cyber Resilience Act as it crystallises — hosted on European infrastructure, audited end to end.
Request a demo
Fleet is an on-premises platform for EU Cyber Resilience Act readiness. Deployed on your own infrastructure, it distributes signed binaries, ingests software bills of materials, tracks vulnerabilities across your dependency tree, and prepares the evidence you will need when actively exploited vulnerabilities must be reported to ENISA and national CSIRTs.
A single platform for signed delivery and provable compliance.
Most update servers solve one problem: getting bytes to a device. Fleet solves the second problem too — proving, on demand and to a regulator, that the bytes were the right ones.
Signed binary distribution
Upload, sign, and deliver binaries through a CDN you control. Cryptographic verification on every install and update, with full audit trails for every release.
SBOM viewer & ingestion
Ingest SPDX and CycloneDX software bills of materials at release time. Surface known vulnerabilities, track dependency drift, and export evidence packs on demand.
CRA requirement tracking
Map every Annex I obligation to evidence inside your platform: secure-by-design controls, vulnerability handling, and the documentation a notified body or market surveillance authority will ask for.
Observability built-in
Grafana-backed dashboards for system logs, delivery metrics, and alerting. Runtime visibility for the operations team, not just the compliance team.
Terminal-first distribution
A TUI-driven management interface for engineers who never wanted a dashboard in the first place. Scriptable, auditable, and at home in a CI pipeline.
European hosting & data residency
Hosted on EU infrastructure. Data stays in the EEA. Suitable for organisations subject to NIS2, sector-specific resilience regimes, or public procurement sovereignty requirements.
From build artefact to compliant delivery, in four steps.
- Step 01
Publish
Push your release artefact to Fleet from your CI pipeline. Attach the SBOM and signing keys. Fleet records the release, the operator, and the moment.
- Step 02
Verify
Every binary is signed, hashed, and recorded against a tamper-evident manifest. Verification runs at upload, at download, and at install.
- Step 03
Distribute
Devices and endpoints pull updates from a sovereign update server. Roll-out controls, channel separation, and instant rollback are built in, not bolted on.
- Step 04
Evidence
Generate the documentation auditors and notified bodies actually ask for: vulnerability handling logs, update history, declaration-of-conformity attachments — in one click.
Built against the CRA as the standards take shape.
The Cyber Resilience Act — Regulation (EU) 2024/2847 — has been in force since December 2024. Its vulnerability-reporting duties apply from September 2026 and full conformity from December 2027. What's still being written are the harmonised standards that operationalise it. Fleet tracks the obligations in Annex I and the conformity-assessment routes in Article 32, and adjusts as those standards crystallise.
-
Secure-by-default delivery (Annex I §1)
Signed binaries, integrity verification, and update authenticity enforced at the protocol level.
-
Vulnerability handling (Annex I §2)
Coordinated disclosure workflow, SBOM-driven advisory tracking, and a documented patching path tied to release records.
-
Technical documentation (Annex VII)
Documentation packs generated from real release data, mapped to the structure regulators expect to see.
-
NIS2 operational alignment
Audit logs and access controls structured to support reporting obligations for essential and important entities.
-
PLD evidentiary support
Tamper-evident records that hold up as a chain of custody if a defect or harm claim ever needs to be reconstructed.
- Sep 2026
Vulnerability reporting
First CRA obligations apply — manufacturers must report exploited vulnerabilities and severe incidents.
- Dec 2026
PLD transposition
Member States transpose the revised Product Liability Directive — strict liability for defective software in scope.
- Dec 2027
CRA full application
All products with digital elements on the EU market must comply with Annex I and carry CE marking.
See Fleet against your own CRA exposure.
Fleet is in early access, with demo instances opening for organisations that have concrete CRA obligations or sovereign-distribution needs. Tell us about your product portfolio and we will set up a scoped walkthrough.
Request a demo