Technical Security

Penetration Testing

Penetration testing is a structured, authorised security assessment in which testers simulate real-world attack techniques to identify exploitable vulnerabilities in a product, system, or network before malicious actors discover them. The EU Cyber Resilience Act implicitly requires manufacturers to test their products' security prior to market placement.

What Is Penetration Testing?

Penetration testing (pen testing) is a controlled security exercise in which a qualified tester — internal or external — attempts to compromise a target system using the same techniques and tools a real attacker would use. The scope, rules of engagement, and target environment are agreed in advance. Pen testing goes beyond automated vulnerability scanning: it involves manual analysis, exploit chaining, and attacker-perspective reasoning to uncover vulnerabilities that automated tools miss. Outputs include a report of confirmed vulnerabilities, exploitation paths, and remediation recommendations. Common methodologies include OWASP, PTES, and OSSTMM.

CRA reference: Annex I Part I, Article 13(1)

Why Penetration Testing Matters Under the CRA

The CRA's essential cybersecurity requirements in Annex I require manufacturers to ensure their products are designed, developed, and produced to achieve an appropriate level of cybersecurity. Conducting penetration testing before market placement is the most credible demonstration that a manufacturer has proactively searched for exploitable weaknesses — not merely assumed their product is secure. For Important Class I and Class II products, conformity assessment bodies and notified bodies will expect evidence of pre-release security testing as part of the technical documentation. Pen test reports form a core part of the technical file maintained under Article 23.

CRA reference: Annex I Part I, Article 23, Article 24

How Manufacturers Implement Penetration Testing

Manufacturers should embed penetration testing into their secure development lifecycle (SDLC), not treat it as a one-time pre-release activity. Best practice includes: (1) threat modelling early in design to focus testing on the highest-risk attack surfaces; (2) automated vulnerability scanning during CI/CD pipelines; (3) manual penetration testing of release candidates against defined scope before market placement; (4) re-testing after significant architectural changes or when critical third-party components are updated. Test reports, including findings, risk ratings (CVSS), and remediation evidence, should be retained as part of technical documentation for the duration of the product's support period.

CRA reference: Annex I Part I(1)(2), Article 13

Common Mistakes

A frequent error is treating a single pre-launch pen test as a permanent proof of security. Threat landscapes evolve and new attack techniques emerge, so periodic re-testing is essential. Manufacturers also commonly scope tests too narrowly — for example, testing only the web interface while leaving firmware, update mechanisms, and cloud APIs untested. Another mistake is failing to remediate and retest: a pen test report that documents critical findings not fixed before market placement provides evidence of non-compliance rather than compliance. Finally, using unqualified internal staff for complex embedded system assessments often yields incomplete coverage.

CRA reference: Annex I Part I


Frequently asked

Is penetration testing mandatory under the EU Cyber Resilience Act?

The CRA does not mandate penetration testing by name, but Annex I requires manufacturers to ensure their products achieve an appropriate level of cybersecurity. For Important Class I and Class II products, conformity assessment involves demonstrating that security has been actively verified. In practice, penetration testing is the primary method of providing this evidence, and conformity assessment bodies will expect to see documented test results in the technical file.

How often should a manufacturer conduct penetration testing?

At minimum, manufacturers should conduct a penetration test before the initial market placement of any product and after any major update that changes the attack surface — for example, adding a new network interface, API endpoint, or authentication mechanism. Industry best practice recommends annual testing for products with active internet connectivity. Manufacturers must also respond to newly discovered vulnerabilities in components, which may require targeted retesting.

What should be included in penetration test scope for a CRA-compliant assessment?

A CRA-relevant penetration test should cover the full attack surface of the product: hardware interfaces (USB, JTAG, UART), firmware and bootloader security, wireless communications (Wi-Fi, BLE, Zigbee), cloud back-end APIs, the software update mechanism, authentication and session management, and network-facing services. Testing only the user-facing web interface while ignoring firmware and hardware attack vectors is a common compliance gap that market surveillance authorities are increasingly scrutinising.
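The implementation guidance above (threat-model-driven scope, CVSS-rated findings retained in the technical file), the "remediate and retest" pitfall under Common Mistakes, and the scope list in this answer describe one workflow: before market placement, check that every element of the product's attack surface was actually in scope and that every High or Critical finding was fixed and retested. The following Python release gate is an added example, not code from this glossary or from any CRA tooling; the `Finding` data model, the function names, the status vocabulary, the product inventory and the sample findings are all constructed assumptions. The CVSS v3 qualitative rating bands it uses are the standard ones.

```python
"""Release gate over penetration-test evidence: scope coverage plus remediation state.

Added example for the glossary entry; not part of the page or of any CRA tool.
Data model, function names and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable

# Qualitative rating order used for threshold comparisons (CVSS v3.x bands).
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    ident: str             # tracker id (constructed, e.g. "PT-001")
    title: str
    cvss: float            # CVSS v3.x base score assigned in the test report
    surface: str           # attack-surface element where the finding was made
    status: str = "open"   # lifecycle: "open" -> "remediated" -> "retested"

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)


def coverage_gaps(attack_surface: Iterable[str], tested_scope: Iterable[str]) -> list[str]:
    """Inventory elements that the agreed test scope never covered."""
    return sorted(set(attack_surface) - set(tested_scope))


def blocking_findings(findings: Iterable[Finding], threshold: str = "High") -> list[Finding]:
    """Findings at or above the threshold that are not yet fixed AND retested.

    A finding marked only "remediated" still blocks: the fix has not been verified.
    """
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings
            if SEVERITY_ORDER.index(f.severity) >= floor and f.status != "retested"]


def release_gate(findings: Iterable[Finding], attack_surface: Iterable[str],
                 tested_scope: Iterable[str]) -> dict:
    """Decide whether the retained test evidence supports market placement."""
    gaps = coverage_gaps(attack_surface, tested_scope)
    blockers = blocking_findings(findings)
    return {
        "release": not gaps and not blockers,
        "untested_surfaces": gaps,
        "unresolved": [f.ident for f in blockers],
    }


# Constructed product inventory, following the scope list in this glossary entry.
ATTACK_SURFACE = [
    "hardware/USB", "hardware/JTAG", "hardware/UART",
    "firmware/bootloader", "wireless/Wi-Fi", "wireless/BLE",
    "cloud/API", "update-mechanism", "auth/session", "network-services",
]

# Constructed scope of a first test round that covered only the web-facing side.
FIRST_ROUND_SCOPE = ["cloud/API", "auth/session", "network-services"]

# Constructed findings from that round.
FINDINGS = [
    Finding("PT-001", "Session token not invalidated on logout", 5.3, "auth/session"),
    Finding("PT-002", "Unauthenticated firmware download endpoint", 9.1, "cloud/API"),
    Finding("PT-003", "Verbose error reveals framework version", 3.1, "network-services"),
]


if __name__ == "__main__":
    # First run: narrow scope and an open Critical finding both block release.
    print(release_gate(FINDINGS, ATTACK_SURFACE, FIRST_ROUND_SCOPE))
    # After fixing, retesting PT-002 and widening scope to the full inventory, it passes.
    fixed = [Finding(f.ident, f.title, f.cvss, f.surface, "retested") if f.ident == "PT-002"
             else f for f in FINDINGS]
    print(release_gate(fixed, ATTACK_SURFACE, ATTACK_SURFACE))
```

The gate separates the two evidence questions the page raises: `coverage_gaps` answers "was the whole attack surface in scope?", `blocking_findings` answers "were the serious findings fixed and verified?". Keeping the two lists in the output, rather than a single boolean, gives the technical file the concrete items that still need testing or retesting.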

Related terms

Attack Surface: The attack surface of a product is the totality of different points — interfaces, APIs, protocols, hardware ports, and user inputs — through which an attacker could attempt to enter or extract data from a system. Reducing attack surface is a core principle of the CRA's essential cybersecurity requirements.

Vulnerability Scanning: Vulnerability scanning is the automated process of probing systems, networks, or applications to identify known security weaknesses by comparing observed configurations and software versions against databases of known vulnerabilities. It provides continuous visibility into a product's security posture and supports the CRA's requirement that manufacturers monitor and address vulnerabilities throughout a product's lifecycle.

Cybersecurity Risk Assessment: A cybersecurity risk assessment is a systematic process of identifying, analysing, and evaluating security threats and vulnerabilities that could affect a product or system, then determining appropriate mitigations. The EU Cyber Resilience Act requires manufacturers to conduct and document a cybersecurity risk assessment as a precondition for market placement.

Threat Modeling: Threat modeling is a structured technique for identifying, prioritising, and mitigating security threats to a system during its design phase by systematically analysing what could go wrong, who might cause it, and what the impact would be. It is the foundational practice that enables manufacturers to meet the CRA's requirement for risk-informed, secure-by-design product development.
