A new EU Council’s text puts Software-as-a-Service outside of the scope of the Cyber Resilience Act, while the European Commission clarified the legal basis would not allow for it.