Cyber Resilience Act Penetration Testing Providers

EU Cyber Resilience Act (Regulation (EU) 2024/2847) · Europe

The EU Cyber Resilience Act (CRA) is the first EU-wide regulation setting mandatory cybersecurity requirements for products with digital elements, covering hardware, software, and connected devices placed on the EU market. Manufacturers must design, develop, and maintain products to meet essential cybersecurity requirements including vulnerability handling, secure-by-default configuration, and software bill of materials (SBOM) transparency.

The CRA entered into force on 10 December 2024. Manufacturers' reporting obligations apply from 11 September 2026, and the regulation applies in full from 11 December 2027. Non-compliance can trigger fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. Manufacturers must use a conformity assessment procedure proportionate to the product's risk class: most products self-assess, while 'important' and 'critical' products generally require third-party assessment or a European cybersecurity certification scheme.

Penetration testing is a practical vehicle for demonstrating conformity with the CRA's risk assessment, security testing, and vulnerability handling obligations under Annex I, which requires manufacturers to apply effective and regular tests and reviews of the product's security. A CRA-oriented engagement typically covers the product itself, its update mechanism, the back-end services it depends on, and a review of the documented vulnerability handling process.

Particularly relevant for manufacturing-sector pen testing providers.

12 providers
Best UK Provider · Best for Enterprise · Research Leaders

NCC Group

Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.

Manchester, United Kingdom · Contact for pricing
Services: Web Application, Network, Mobile App, +13 more
Accreditations: CREST, CHECK, CBEST, +5 more
Verified Feb 2026
Dionach

Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding the rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.

Oxford, United Kingdom · Contact for pricing
Services: Web Application, Network, Red Teaming, +8 more
Accreditations: CREST, CHECK, STAR, +3 more
Verified Feb 2026
Pen Test Partners

The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.

Buckingham, United Kingdom · Contact for pricing
Services: Web Application, Network, Mobile App, +11 more
Accreditations: CREST, CHECK, CBEST, +5 more
Verified Feb 2026
Global Defence Player · ANSSI-Qualified · NATO-Cleared · FedRAMP 3PAO · TIBER-EU Specialist

Thales Cyber Solutions

Cybersecurity division of the Thales Group, with ANSSI qualification, CREST accreditation, FedRAMP 3PAO status, and NATO-cleared personnel. Defence, government, and critical infrastructure penetration testing worldwide.

Paris, France · Contact for pricing
Services: Web Application, Network, Cloud, +9 more
Accreditations: CREST, FedRAMP 3PAO, ISO 27001, +1 more
WithSecure

Helsinki-headquartered Finnish cybersecurity firm with roots dating to 1988, offering CREST-accredited penetration testing and deep expertise in EU regulatory compliance including GDPR, NIS 2, and TIBER-EU.

Helsinki, Finland · Contact for pricing
Services: Web Application, Network, Cloud, +7 more
Accreditations: CREST, ISO 27001
Verified Feb 2026
CREST Certified · Adversary Simulation

SECFORCE

Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.

London, United Kingdom · Contact for pricing
Services: Web Application, Network, Mobile App, +10 more
Accreditations: CREST, ISO 27001, Cyber Essentials
Verified Feb 2026
Payment Security Leaders · PCI QSA · PCI PFI · German-Speaking Team

usd AG

Frankfurt-based European payment security specialist holding the full set of PCI credentials (QSA, PFI, ASV, P2PE). Manual-first penetration testing for fintechs, acquirers, and regulated enterprises.

Frankfurt, Germany · Contact for pricing
Services: Web Application, Network, Cloud, +6 more
Accreditations: PCI QSA, PCI PFI, PCI ASV, +1 more
SEC Consult

Vienna-headquartered Austrian cybersecurity consultancy with a prolific Vulnerability Lab research programme and deep expertise in IoT and embedded systems security across the DACH region.

Vienna, Austria · Contact for pricing
Services: Web Application, Network, Mobile App, +7 more
Accreditations: ISO 27001
Verified Feb 2026
Top German Provider · BSI Experts · DACH Specialists · CRA-Ready

HiSolutions

Berlin-headquartered German cybersecurity consultancy with 30+ years of BSI IT-Grundschutz experience. Trusted by federal agencies, DAX corporations, and critical infrastructure operators.

Berlin, Germany · Contact for pricing
Services: Web Application, Network, Cloud, +8 more
Accreditations: BSI Certified, ISO 27001, ISO 9001
ANSSI-Qualified · Aerospace & Defence · Critical Infrastructure · Top French Provider

Airbus Protect

Airbus group cybersecurity consultancy with ANSSI PASSI qualification. Aerospace, defence, and critical infrastructure penetration testing across Europe.

Paris, France · Contact for pricing
Services: Web Application, Network, Cloud, +8 more
Accreditations: ANSSI PASSI, ISO 27001, Cyber Essentials
Securing (SecuRing)

Poland's longest-running independent pen testing firm with 50+ consultants. Specialises in application security, cloud testing, and red teaming.

Kraków, Poland · Contact for pricing
Services: Web Application, Network, Mobile App, +5 more
Accreditations: ISO 27001
Verified Mar 2026
Swascan

Italian cloud-based security testing firm offering black, white, and grey box pen testing with strong European compliance expertise.

Milan, Italy · Contact for pricing
Services: Web Application, Network, Cloud, +2 more
Accreditations: ISO 27001
Verified Mar 2026

Cyber Resilience Act FAQs

When does the Cyber Resilience Act apply?

The CRA entered into force on 10 December 2024. Manufacturers' obligations to report actively exploited vulnerabilities and severe incidents affecting the security of their products apply from 11 September 2026. The full regulation, including conformity assessment and all product requirements, applies from 11 December 2027.

Who does the CRA apply to?

Manufacturers, importers, and distributors of 'products with digital elements' (PDEs) placed on the EU market. This includes hardware, software, and connected devices, from consumer IoT to industrial controllers to desktop applications. Free and open source software developed or supplied outside a commercial activity is out of scope; 'open-source software stewards' (for example foundations that support open source intended for commercial use) have a separate, lighter set of obligations.

Is penetration testing mandatory under the CRA?

The CRA does not use the phrase 'penetration testing'. Annex I requires manufacturers to apply effective and regular tests and reviews of the security of the product, and the cybersecurity risk assessment and its supporting evidence must be documented in the technical documentation. In practice, penetration testing is one of the main ways to produce that evidence, and it carries the most weight for 'important' and 'critical' products, where a notified body may review the technical documentation.

What product categories exist under the CRA?

Three categories, with 'important' split into two classes. Default (the large majority of products, ~90%): self-assessment of conformity. Important, Class I (e.g. password managers, browsers, VPN products, network management systems, SIEM, operating systems, routers): self-assessment is allowed only where harmonised standards, common specifications or a European certification scheme are applied in full; otherwise third-party assessment. Important, Class II (hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers): third-party conformity assessment required. Critical (hardware devices with security boxes, smart meter gateways and other secure cryptoprocessing devices, smartcards and secure elements): a European cybersecurity certification scheme where a delegated act requires it, otherwise third-party assessment as for Class II.

What are the fines for non-compliance?

Up to €15 million or 2.5% of global annual turnover, whichever is higher, for non-compliance with the essential cybersecurity requirements or the manufacturer's core obligations (including reporting). Lower tiers apply to breaches of other obligations (up to €10 million or 2% of turnover) and to supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities (up to €5 million or 1% of turnover).

How does the CRA differ from NIS 2?

NIS 2 regulates operators: how organisations manage the cybersecurity of their networks and information systems. The CRA regulates products: the cybersecurity properties of hardware and software placed on the EU market. They are complementary: a NIS 2 regulated operator (e.g. a hospital) may buy products that fall under the CRA (e.g. medical devices, network equipment).