The Cyber Resilience Act (Regulation (EU) 2024/2847) never uses the words "penetration test." But Annex I, Part II, point 3 obliges every manufacturer of a product with digital elements to "apply effective and regular tests and reviews of the security" of that product. For anything above the lowest-risk tier, penetration testing is the recognised way to show those tests were effective. The clause lives in Annex I, so failing it is a top-tier offence: up to €15 million or 2.5% of worldwide annual turnover. The reporting obligations bite from 11 September 2026; the essential requirements from 11 December 2027. A focused DeepMantis pentest, with a proof of concept per finding, starts at €890.
What is the Cyber Resilience Act and when does it apply?
The Cyber Resilience Act is Regulation (EU) 2024/2847, published in the Official Journal on 20 November 2024 and in force since 10 December 2024. It is horizontal: it covers virtually all connected hardware and software placed on the EU market. Article 3(1) defines its subject as a "product with digital elements": "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." If you sell software or a connected device in the EU, assume you are in scope until you have checked otherwise.
The European Commission is explicit about the intent:
"It aims to set the conditions for the development of secure hardware and software in the Union, in order to strengthen the EU approach to cybersecurity and improve the functioning of the internal market."
— European Commission, CRA summary
Three application dates matter, and they are staggered under Article 71(2):
| Date | What starts applying |
|---|---|
| 11 June 2026 | Notified-body provisions (Chapter IV, Arts 35–51) |
| 11 September 2026 | Reporting obligations (Article 14): actively exploited vulnerabilities and severe incidents |
| 11 December 2027 | Main body: essential requirements, conformity assessment, CE marking, support-period obligations |
From 11 September 2026 you already owe the Article 14 reporting cadence: a 24-hour early warning, a 72-hour notification, and a 14-day final report for actively exploited vulnerabilities. The security engineering itself becomes enforceable on 11 December 2027, but building it takes longer than the calendar between here and there.
Does the CRA require penetration testing?
No, not by name. The CRA does not use the words "penetration test" anywhere binding, and any vendor telling you it does is overstating the regulation. The honest reading is narrower and more useful. The operative clause is Annex I, Part II, point 3: manufacturers must "apply effective and regular tests and reviews of the security of the product with digital elements."
That word, effective, is where penetration testing enters. A vulnerability scan lists what might be wrong; it does not demonstrate that your testing actually worked. For anything above the lowest-risk products, penetration testing is the recognised way to show a test was effective, because it proves exploitability rather than flagging a possibility. The CRA does not prescribe the method. It sets the bar the method has to clear.
Germany's Federal Office for Information Security frames the regulation's significance directly: the BSI describes the CRA as the first European regulation to set a minimum level of cyber security for all connected products on the EU market, and is developing Technical Guideline TR-03183 to interpret its requirements. If you sell into the German market, TR-03183 is the document to track as it matures.
What do the essential requirements actually demand?
Annex I is the heart of the CRA, and it reads like a security-engineering checklist with legal teeth. Part I sets the product properties; Part II sets the vulnerability-handling process. Both are precise enough to quote.
Part I, point (1) states the design principle:
"Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks."
— Regulation (EU) 2024/2847, Annex I, Part I, point (1)
That is security by design as a legal obligation, not a slogan. Two further Part I requirements are the ones a pentest speaks to most directly: products must "be made available on the market without known exploitable vulnerabilities" (point (2)(a)), and must ship with a "secure by default configuration" (point (2)(b)). "Known exploitable" is the operative phrase. You cannot claim you did not know if you never looked, and the way you look for exploitable vulnerabilities is by testing for them.
Part II turns process obligations into requirements. Point (1) requires you to identify and document vulnerabilities, including drawing up a software bill of materials (SBOM) in a machine-readable format. Point (2) requires you to "address and remediate vulnerabilities without delay." Point (5) requires a policy on coordinated vulnerability disclosure. And point (3), the testing clause, sits right in the middle of that process. Reading Annex I as a whole, testing is not a bolt-on; it is how you generate the evidence that the other points were met.
What happens if you fail? The penalty tiers
The CRA's enforcement teeth are in Article 64, and the structure matters because it tells you which failures are treated as most serious. There are three tiers.
The top tier, Article 64(2), covers breaches of the Annex I essential requirements and of the Articles 13 and 14 obligations:
"up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of ... its total worldwide annual turnover for the preceding financial year, whichever is higher."
— Regulation (EU) 2024/2847, Article 64(2)
Read that against Annex I: the security-testing clause (Part II, point 3), the "no known exploitable vulnerabilities" requirement (Part I, point (2)(a)), and the vulnerability-handling process all live in Annex I. Failing your security testing is therefore a top-tier, €15M-class offence, not a middling paperwork slip. The middle tier (Article 64(3)) is €10M or 2% for other obligations; the lowest (Article 64(4)) is €5M or 1% for supplying incorrect information to authorities.
The Commission grounds this severity in scale. It cites an estimated global annual cost of cybercrime of €5.5 trillion by 2021 as part of the justification for the regulation. The fine ceiling is not arbitrary; it is calibrated to a threat the EU treats as systemic.
How does the support period change your testing cadence?
The CRA does not stop at the point of sale. Article 3(20) defines a "support period," and Article 13(8) fixes its floor: "the support period shall be at least five years," unless the product's expected use is shorter. Across that period you owe vulnerability handling and remediation, which means the "effective and regular tests" of Annex I are not a one-time gate at launch.
This is the structural break with the old model. A single pre-release pentest is a snapshot; a five-year support obligation is a process. Every patch, every dependency bump, every new feature shipped during those five years can introduce an exploitable vulnerability that did not exist at conformity assessment, and Annex I Part I still requires the product to be free of known exploitable vulnerabilities throughout.
That is where recurring, autonomous testing changes the economics. Manual person-day pentests make a per-release cadence prohibitive; four tests a year at €10,000 each is €40,000 per product before you have covered a single quarter of a five-year window. DeepMantis runs autonomous web-application and API pentests with a reproducible proof of exploit per finding: the practical way to satisfy Annex I, Part II, point 3 for the software and web surfaces of a product, run continuously rather than once. Monthly pentests start at €99 per month (billed annually), and the audit-ready PDF report documents the attack path and reproduction steps per finding.
One honest caveat: the CRA also covers hardware, embedded firmware, and non-web surfaces that DeepMantis does not test. Autonomous web and API testing is the right tool for the software and web-facing surface of a product with digital elements, not for the whole of Annex I. Buy the right tool for each surface.
Frequently asked questions
Does the Cyber Resilience Act require a penetration test?
Not by name. The CRA never uses the words "penetration test." Annex I, Part II, point 3 requires manufacturers to "apply effective and regular tests and reviews of the security" of their products. For anything above the lowest-risk tier, penetration testing is the recognised way to demonstrate that testing was effective, because it proves exploitability rather than merely listing possible issues. The regulation sets the bar; the method is yours to choose.
When do CRA obligations start to apply?
There are three staggered dates under Article 71(2). Notified-body provisions apply from 11 June 2026. The Article 14 reporting obligations (24-hour early warning, 72-hour notification, 14-day final report for actively exploited vulnerabilities) apply from 11 September 2026. The main body, including the Annex I essential requirements, conformity assessment, and CE marking, applies from 11 December 2027.
What is the fine for breaching the CRA's security requirements?
Breaching the Annex I essential requirements, which include the security-testing obligation and the "no known exploitable vulnerabilities" requirement, falls under the top penalty tier of Article 64(2): up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Because the testing clause sits in Annex I, a security-testing failure is treated as one of the most serious CRA breaches.
How long do I have to keep testing after a product ships?
At least five years. Article 13(8) fixes the support period at a minimum of five years, or the product's shorter expected use. Across that period you owe vulnerability handling and remediation, and Annex I still requires the product to stay free of known exploitable vulnerabilities, so the "effective and regular tests" obligation runs for the whole support period, not just at launch.
Further reading
- NIS2 and penetration testing: required or not?: the parallel question for operators of essential and important entities.
- Penetration testing cost 2026: the real numbers: market rates, day-rate math, and why autonomous tests start at €890.
As of July 2026. The cited provisions are from Regulation (EU) 2024/2847 (eur-lex.europa.eu). This page is not legal advice; verify the specific classification of your product and its conformity path with qualified counsel. DeepMantis methodology and scope limits are documented on the security page.


