Best Companies for Cyber Resilience Act (CRA) Compliance (2026)

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) sets mandatory cybersecurity requirements for products with digital elements placed on the EU market, covering hardware, software, and connected devices. Reporting obligations apply from 11 September 2026 and the full regulation from 11 December 2027, with non-compliance fines reaching the higher of EUR 15 million or 2.5% of global turnover. Manufacturers must demonstrate secure-by-default configuration, a documented vulnerability handling process, and software bill of materials (SBOM) transparency, with conformity assessment scaled to product risk class.

Supporting CRA compliance is a mix of disciplines: gap analysis against Annex I, secure engineering or re-engineering of the product and its update mechanism, SBOM and vulnerability-handling process design, security testing of the product and its back-end services, and, for higher-risk classes, conformity assessment and certification. These are not all the same job. pi3g is the directory's only dedicated end-to-end CRA compliance specialist, taking a product from gap analysis through secure engineering to conformity. The pen testing firms listed below it contribute one specific and important piece of the picture, the security testing that evidences the CRA's essential requirements, rather than full compliance engineering. If your need is the regulatory programme itself, start with the specialist; if you already have a compliance lead and need the testing, the firms below can deliver that component.

Related: Cyber Resilience Act overview · Automotive pen testing companies

8 providers found

CRA Specialist

pi3g

German Cyber Resilience Act compliance and embedded security specialist. 16+ years in IoT and embedded Linux, delivering CRA readiness, compliance engineering, and legal certification for products with digital elements.

Leipzig, Germany · Contact for pricing
Services: Source Code Review, Configuration Review, Vulnerability Assessment, and 1 more
Verified Jun 2026
Best UK Provider · Best for Enterprise · Research Leaders

NCC Group

Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.

Manchester, United Kingdom · Contact for pricing
Services: Web Application, Network, Mobile App, and 13 more
Accreditations: CREST, CHECK, CBEST, and 5 more
Verified May 2026
Pen Test Partners

The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.

Buckingham, United Kingdom · Contact for pricing
Services: Web Application, Network, Mobile App, and 11 more
Accreditations: CREST, CHECK, CBEST, and 5 more
Verified Apr 2026
Global Defence Player · ANSSI-Qualified · NATO-Cleared · FedRAMP 3PAO · TIBER-EU Specialist

Thales Cyber Solutions

Cybersecurity division of the Thales Group, with ANSSI, CREST, FedRAMP 3PAO, and NATO-cleared personnel. Defence, government, and critical infrastructure penetration testing worldwide.

Paris, France · Contact for pricing
Services: Web Application, Network, Cloud, and 9 more
Accreditations: CREST, FedRAMP 3PAO, ISO 27001, and 1 more
Verified Apr 2026
Payment Security Leaders · PCI QSA · PCI PFI · German-Speaking Team

usd AG

Frankfurt-based European payment security specialist holding the full set of PCI credentials (QSA, PFI, ASV, P2PE). Manual-first penetration testing for fintechs, acquirers, and regulated enterprises.

Frankfurt, Germany · Contact for pricing
Services: Web Application, Network, Cloud, and 6 more
Accreditations: PCI QSA, PCI PFI, PCI ASV, and 1 more
Verified May 2026
SEC Consult

Vienna-headquartered Austrian cybersecurity consultancy with a prolific Vulnerability Lab research program and deep expertise in IoT and embedded systems security across the DACH region.

Vienna, Austria · Contact for pricing
Services: Web Application, Network, Mobile App, and 7 more
Accreditations: ISO 27001
Verified May 2026
Top German Provider · BSI Experts · DACH Specialists · CRA-Ready

HiSolutions

Berlin-headquartered German cybersecurity consultancy with 30+ years of BSI IT-Grundschutz experience. Trusted by federal agencies, DAX corporations, and critical infrastructure operators.

Berlin, Germany · Contact for pricing
Services: Web Application, Network, Cloud, and 8 more
Accreditations: BSI Certified, ISO 27001, ISO 9001
Verified May 2026
Automotive Specialist · Pwn2Own Automotive

PCA Cybersecurity

Vilnius-based automotive cybersecurity specialist focused on UN R155, ISO/SAE 21434, and vehicle research. Pwn2Own Automotive participant with a dedicated ECU and vehicle test lab.

Vilnius, Lithuania · Contact for pricing
Services: IoT, Network, Source Code Review, and 4 more
Accreditations: ISO 27001
Verified May 2026

Best Companies for Cyber Resilience Act (CRA) Compliance (2026): FAQs

What is the EU Cyber Resilience Act (CRA)?

The CRA (Regulation (EU) 2024/2847) is the first EU-wide regulation setting mandatory cybersecurity requirements for products with digital elements. It applies to manufacturers, importers, and distributors placing hardware or software on the EU market, requiring secure-by-default design, a vulnerability handling process across the product lifecycle, SBOM transparency, and conformity assessment proportionate to the product's risk classification.

When does the Cyber Resilience Act take effect?

The CRA entered into force on 11 December 2024. Vulnerability and incident reporting obligations apply from 11 September 2026, and the full set of requirements applies from 11 December 2027. Manufacturers are using the window before those dates to run gap assessments, re-engineer products, and build the documentation needed to demonstrate conformity.

How do these companies help with CRA compliance?

Support ranges from CRA readiness and gap analysis against Annex I, through secure-by-default engineering, SBOM generation, and vulnerability-handling process design, to security testing of the product, its update mechanism, and its back-end services. For 'important' and 'critical' product classes that need third-party assessment, some firms also coordinate conformity assessment and certification, often with legal partners.

Does the CRA require penetration testing?

The CRA does not name penetration testing explicitly, but security testing is the practical way to demonstrate that a product meets the essential requirements in Annex I, particularly risk management and the absence of known exploitable vulnerabilities. Manufacturers typically test the product itself, its update mechanism, and associated back-end services, and document the results as part of the technical file.