EU Cyber Resilience Act — Guide for Quality Assurance & Test Engineer

CRA conformity is not self-asserted — it must be demonstrated through documented evidence. The technical file required under Annex VII must include test reports that show the product meets the Annex I security requirements. QA engineers are responsible for producing this evidence. This requires a shift from defect-focused testing to conformity-focused testing: each Annex I requirement becomes a test objective, and each test execution produces a traceable record that maps test outcomes to specific regulatory obligations. For Default-class products undergoing self-assessment, well-documented QA test evidence is the primary conformity record. For Class I Important Products relying on harmonised standards, test evidence must demonstrate compliance with the relevant standard's security test requirements.

Annex I Part I identifies the security properties that products must satisfy. QA must design test coverage for each one: authentication control testing (verifying default credential policies, brute-force resistance, and session management), data protection testing (verifying encryption of data at rest and in transit), update integrity testing (verifying that only signed updates can be applied), attack surface testing (verifying that unnecessary services and ports are disabled in default configuration), and resilience testing (verifying that the product degrades gracefully under denial-of-service conditions). Static application security testing, dynamic application security testing, and software composition analysis should all contribute to security test evidence. Fuzz testing is increasingly expected for network-facing interfaces and file parsing components. All test findings — including those that passed — must be documented.

When a vulnerability is discovered and remediated, QA must create a regression test that verifies the fix is effective and that the vulnerability cannot be reproduced. This regression test must be retained in the test suite permanently — a recurrence of a previously patched vulnerability is a serious CRA non-conformity because it indicates that the vulnerability management process failed. QA should maintain a dedicated security regression suite, labelled with the CVE or internal vulnerability identifier and the release in which the fix was first applied. When a security patch is shipped, the regression test should be executed automatically in the CI/CD pipeline before the release is approved. The test pass record forms part of the technical file evidence for that release.

Annex VII specifies that the technical file must contain a general description of the product, design and development documentation, and — critically — test reports. QA is responsible for producing these reports in a structured format that a market surveillance authority can interpret without additional context. Each test report should include: the test objective mapped to a specific Annex I requirement or harmonised standard clause, the test environment configuration, the test methodology, the pass/fail outcome, and the tester's identity and sign-off date. Reports should be version-controlled and linked to the specific product release they cover. When the product is updated, new test reports covering any changed functionality must be added to the technical file and the Declaration of Conformity reviewed to confirm it remains accurate.

Begin by mapping the existing QA test plan to Annex I Part I requirements and identifying gaps in security coverage. For each gap, design and document a test case with a clear pass criterion linked to the regulatory requirement. Integrate SAST and SCA tools into the CI/CD pipeline as automated quality gates that block release on critical findings. Create a security regression test suite covering all vulnerabilities patched in the past 24 months. Establish a test report template that includes the mandatory fields for technical file inclusion. Confirm with the product manager and compliance team what standard the product will self-assess against, so test coverage can be calibrated to that standard's requirements. Review the CRA readiness score on CVD Portal to benchmark current test coverage completeness.