COMPLIANCE · CYBER RESILIENCE ACT
The CRA puts security testing into the product itself.
Regulation (EU) 2024/2847 makes manufacturers of products with digital elements responsible for security across the entire product lifecycle. From December 2027, no CE-marked product reaches the EU market without meeting those requirements. Vulnerability reporting obligations apply even earlier, from September 2026.
01 · SCOPE
Who is affected – and why the timelines are shorter than they look.
The CRA covers products with digital elements (PDEs) – hardware and software placed on the EU market – with limited exceptions for products already covered by sector regulation. Risk is graded into default, important and critical classes; the higher the class, the stricter the conformity assessment route. Most obligations apply from 11 December 2027; the vulnerability reporting obligations under Article 14 apply already from 11 September 2026. That makes 2026 the year manufacturers must have reporting workflows operational.
02 · OBLIGATIONS
The four blocks where evidence becomes regulatory.
- BLOCK · 01
Essential cybersecurity requirements (Annex I)
Products must be designed, developed and produced to ensure an appropriate level of cybersecurity. Annex I sets out properties such as secure-by-default configuration, protection of confidentiality and integrity, attack-surface reduction and update capability. We translate these into testable controls.
- BLOCK · 02
Vulnerability handling (Annex II)
Manufacturers must identify, document and remediate vulnerabilities throughout the support period – including a coordinated disclosure policy and a software bill of materials. We assess the maturity of the handling process and pressure-test it with realistic findings.
- BLOCK · 03
Conformity assessment and CE marking
Default-class products may use self-assessment; important and critical classes require third-party conformity assessment. Test reports and technical documentation become regulatory artefacts – we deliver evidence in a form notified bodies and market surveillance can rely on.
- BLOCK · 04
Reporting obligations (from September 2026)
Actively exploited vulnerabilities and severe incidents must be reported to ENISA and the relevant CSIRT within tight timelines. We help build and validate the technical baseline that makes accurate, timely reporting possible.
03 · OUR CONTRIBUTION
How offensive testing closes the CRA evidence gap.
The CRA is unusual in that it ties cybersecurity directly to product market access. Penetration testing is not named in the text, but conformity assessment, technical documentation and the duty to handle vulnerabilities throughout the support period only carry weight when backed by evidence of testing. We exercise the product against the Annex I properties, document vulnerabilities for the Annex II workflow and validate fixes through retests – contributing the evidence layer that conformity assessment routes need.
CRA PREPARATION
December 2027 sounds far. The reporting clock starts in 2026.
We review with you whether your products are in scope, which risk class applies and what evidence your conformity assessment route will require – before the timelines tighten.
