Cyber Resilience Act Penetration Testing Providers
EU Cyber Resilience Act (Regulation (EU) 2024/2847) · Europe
The EU Cyber Resilience Act (CRA) is the first horizontal EU regulation setting mandatory cybersecurity requirements for products with digital elements, covering hardware, software and connected devices placed on the EU market. Manufacturers must design, develop and maintain products to meet the essential cybersecurity requirements of Annex I, including vulnerability handling, secure-by-default configuration, and identifying and documenting components in a software bill of materials (SBOM).
The CRA entered into force on 10 December 2024; reporting obligations apply from 11 September 2026 and the regulation applies in full from 11 December 2027. Non-compliance with the essential requirements can trigger fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Manufacturers must follow a conformity assessment procedure proportionate to the product's risk class: most products are self-assessed, while 'important' and 'critical' products face third-party assessment or an EU cybersecurity certification scheme.
Penetration testing is a practical vehicle for demonstrating conformity with the CRA's cybersecurity risk assessment (Article 13) and the 'effective and regular tests and reviews of the security of the product' required by Annex I, Part II. Manufacturers typically need testing of the product itself, its update mechanism, any associated back-end services, and documentation of the vulnerability handling process.
Cyber Resilience Act FAQs
When does the Cyber Resilience Act apply?
The CRA entered into force on 10 December 2024. The provisions on notifying conformity assessment bodies (Chapter IV) apply from 11 June 2026. The reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14) apply from 11 September 2026. The full regulation, including conformity assessment and all product requirements, applies from 11 December 2027.
Who does the CRA apply to?
Manufacturers, importers and distributors of 'products with digital elements' (PDEs) made available on the EU market in the course of a commercial activity. This covers hardware, software and connected devices, from consumer IoT to industrial controllers to desktop applications. Free and open source software developed or supplied outside a commercial activity is out of scope; open-source software stewards (non-profit entities that support FOSS intended for commercial use) fall under the lighter regime of Article 24, and a commercial product that incorporates open source components remains its manufacturer's responsibility.
Is penetration testing mandatory under the CRA?
The CRA does not use the phrase 'penetration testing'. Annex I, Part II requires manufacturers to 'apply effective and regular tests and reviews of the security of the product with digital elements', and Article 13 requires a cybersecurity risk assessment that the technical documentation must evidence. In practice, penetration testing is one of the main ways to produce that evidence, and it carries the most weight for 'important' (Class I and Class II) and 'critical' products, where the testing record may be reviewed by a third-party conformity assessment body.
What product categories exist under the CRA?
Four tiers. Default (the large majority of products, roughly 90% by the Commission's estimate): self-assessment by the manufacturer, with harmonised standards giving a presumption of conformity. Important, Class I (Annex III; e.g. password managers, VPN products, network management systems, browsers, operating systems, routers and modems): self-assessment is allowed only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full, otherwise third-party assessment. Important, Class II (Annex III; firewalls and intrusion detection/prevention systems, hypervisors and container runtimes, tamper-resistant microprocessors and microcontrollers): third-party conformity assessment is required. Critical (Annex IV; hardware devices with security boxes, smart meter gateways, smartcards and similar devices including secure elements): a European cybersecurity certification scheme where one has been mandated, otherwise third-party assessment as for Class II.
What are the fines for non-compliance?
Up to €15 million or 2.5% of global annual turnover, whichever is higher, for non-compliance with essential cybersecurity requirements. Lower tiers for procedural breaches (up to €10 million or 2% of turnover) and provision of incorrect information (up to €5 million or 1% of turnover).
How does the CRA differ from NIS 2?
NIS 2 regulates operators — how organisations manage cybersecurity of their networks and information systems. The CRA regulates products — the cybersecurity properties of hardware and software placed on the EU market. They are complementary: a regulated NIS 2 operator (e.g. a hospital) may buy products that fall under the CRA (e.g. medical devices, network equipment).