EU Cyber Resilience Act Compliance
The EU Cyber Resilience Act sets binding cybersecurity requirements for products with digital elements.
Learn how ImmuniWeb supports its secure-by-design and vulnerability-handling obligations.
What Is the EU Cyber Resilience Act?
The CRA is the first horizontal EU regulation on product cybersecurity. It applies to 'products with digital elements' - software and hardware, and their remote data processing solutions - placed on the EU market, regardless of where the manufacturer is based.
Manufacturers must meet the essential cybersecurity requirements in Annex I, run a conformity assessment, affix the CE marking, provide a machine-readable Software Bill of Materials (SBOM), operate coordinated vulnerability disclosure, and supply security updates throughout the support period.
See how ImmuniWeb supports CRA secure-by-design and vulnerability handling - testing your products with digital elements for exploitable vulnerabilities. Request a demo or run a free Community Edition test.
Who Must Comply with EU CRA?
The CRA applies to:
- Manufacturers of products with digital elements (software and hardware) placed on the EU market.
- Importers and distributors placing such products on the EU market.
- Non-EU manufacturers whose products reach the EU market (extraterritorial reach).
Software products and web/mobile components in scope must be developed securely and tested for vulnerabilities.
Key CRA Requirements for Application Security
The Annex I essential requirements drive application-security work:
- No known exploitable vulnerabilities: products must be placed on the market without known exploitable vulnerabilities.
- Secure by design: design, develop and produce products to ensure an appropriate level of cybersecurity.
- Vulnerability handling: identify and document vulnerabilities, address them without delay, and perform regular tests and reviews of product security.
- Security updates & reporting: provide security updates over the support period; report actively exploited vulnerabilities and severe incidents (from 11 September 2026).
CRA Security Requirements in Depth
No Known Exploitable Vulnerabilities & Secure by Design
Products with digital elements must be placed on the market free of known exploitable vulnerabilities and engineered to be secure by design. Penetration testing and vulnerability scanning of the software and its web and mobile components identify the exploitable issues that must be removed before release.
Vulnerability Handling and Regular Testing
Annex I requires manufacturers to identify and document vulnerabilities and to perform regular tests and reviews of product security. Continuous scanning and periodic penetration testing - with tracked remediation - operationalise this requirement throughout the support period.
Common Web & Mobile Application Risks to Address
The vulnerabilities the CRA expects you to remove from products map closely to the OWASP Top 10 for web and mobile components:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Approach CRA Compliance with ImmuniWeb
- Inventory products & components. Map internet-facing products, apps and APIs with ImmuniWeb Discovery.
- Test for exploitable vulnerabilities with On-Demand and Neuron before release.
- Test mobile components with MobileSuite and Neuron Mobile.
- Handle vulnerabilities with regular scanning and tracked remediation.
- Secure development with Continuous in CI/CD across the support period.
- Re-test after updates and on a recurring basis.
How ImmuniWeb Helps You Achieve EU CRA Compliance
ImmuniWeb supports the CRA's secure-by-design and vulnerability-handling requirements with testing that produces conformity-ready evidence.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| No known exploitable vulnerabilities | Remove exploitable vulnerabilities before release. | On-Demand, Neuron |
| Vulnerability handling | Identify, document and regularly test product security. | Neuron, On-Demand, Discovery |
| Secure development / support period | Secure the SDLC; test across the support period. | Continuous, MobileSuite |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface of your products and components - together producing evidence for CRA conformity.
EU CRA vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| EU CRA | Secure-by-design + vulnerability handling for products | Web/mobile pentest + scanning + ASM |
| EU NIS 2 | Organisational risk-management measures | Same testing supports both |
| EU AI Act | Cybersecurity of high-risk AI | Securing apps and components around AI |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Products with digital elements and their components inventoried
- Products tested and free of known exploitable vulnerabilities
- Secure-by-design practices documented
- Vulnerability handling process with regular testing in place
- Security updates provided across the support period
- Reporting workflow ready for the 11 September 2026 obligations
- Conformity evidence and SBOM maintained
Why EU CRA Compliance Matters
After 11 December 2027, products that fail CRA conformity cannot legally be placed on the EU market, and non-compliance can attract fines of up to EUR 15 million or 2.5% of global annual turnover. From 11 September 2026, manufacturers must already report actively exploited vulnerabilities and severe incidents on tight deadlines.
Because exploitable vulnerabilities in software and its web and mobile components are exactly what the CRA targets, demonstrable testing is one of the most direct ways to meet the essential requirements and protect EU market access.