What Is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) introduces EU-wide cybersecurity requirements for "products with digital elements" — essentially any hardware or software that connects to a device or network. Enforced from December 2027 (some obligations earlier). For pentesting: Article 13 + Annex I require manufacturers to deliver products free from known exploitable vulnerabilities and to maintain a vulnerability handling process across the support period.

Who CRA applies to

Any manufacturer, importer, or distributor placing a product with digital elements on the EU market. Includes: connected consumer products (smart watches, baby monitors), industrial IoT, embedded firmware in vehicles or appliances, software libraries (free + open-source software is exempt UNLESS commercially supplied), and SaaS products that act as integral parts of a digital product.

Essential cybersecurity requirements (Annex I)

  • Secure-by-design — risk-appropriate cybersecurity
  • No known exploitable vulnerabilities at delivery
  • Documented vulnerability-handling process
  • Security updates throughout the support period (min. 5 years by default)
  • Authentication, encryption, access controls "appropriate to the product"
  • Resilience to denial-of-service and information-disclosure attacks
  • Minimisation of attack surfaces

Where penetration testing fits

Article 13(8)(a): manufacturers conduct "an appropriate cybersecurity risk assessment" documented in technical documentation. Article 13(8)(d): "effective and regular tests and reviews of the cybersecurity" of the product. Pentesting is the canonical evidence form for both. For consumer connected products this means before market placement; for "Class I" important products (per Annex III) a third-party conformity-assessment body verifies the assessment.

Frequently asked questions

How does CRA interact with NIS2 and DORA?

NIS2 regulates the operator side (essential and important entities running services); CRA regulates the product side (manufacturers shipping products). DORA regulates financial services. A product sold to a NIS2-essential entity must meet CRA; that entity must meet NIS2; the financial-services subset has DORA on top.

What are CRA penalties?

Up to €15M or 2.5% of global annual turnover for non-compliance with essential requirements; €10M or 2% for breaches of vulnerability-handling obligations.

Related terms

  • NIS2
  • DORA
  • Penetration Testing
  • ISO 27001