1501 Broadway STE 12060
New York, NY 10036-5601

inquiry@winmill.com
1-888-711-6455

Penetration Testing for the Cyber Resilience Act

By Ben DiMolfetta

The Cyber Resilience Act (CRA) is introducing a new standard of accountability for all products with digital elements entering the EU market. It requires manufacturers, importers, and distributors to follow defined cybersecurity obligations on a phased timeline: conformity assessment body notification begins June 11, 2026, mandatory vulnerability reporting starts September 11, 2026, and full compliance with all CRA requirements becomes enforceable on December 11, 2027. These obligations include secure design requirements, staged vulnerability reporting timelines, and lifecycle documentation for software and hardware products.

For organizations that produce or distribute connected systems, the CRA is not a minimal paperwork exercise. It is a comprehensive regulatory framework that demands proof that security is part of product architecture, testing, and maintenance. This includes mandatory vulnerability management, secure default configurations, risk-based development processes, and rapid reporting of actively exploited vulnerabilities.

Many penetration testing vendors continue to operate with traditional methodologies that do not map cleanly to CRA requirements. These approaches typically focus on testing a single build or a single release cycle without demonstrating how vulnerabilities are identified, retested, documented, and validated through the entire product lifecycle. Under the CRA, this is no longer enough.

How CRA-aligned penetration testing differs

CRA-aligned penetration testing is more than a compliance checkbox. Winmill conducts traditional scoped penetration tests that are structured and executed through a CRA lens, so that a single engagement serves two purposes at once: vulnerability discovery and gap analysis. Our testers evaluate not only the presence of exploitable flaws, but also the processes and documentation practices that CRA conformity depends on. The result is a set of findings, reports, and artifacts, including SBOM outputs, that clients can use directly as inputs to their CRA self-attestation or notified body certification.

Testing is also scoped to surface CRA-specific gaps, including vulnerability handling documentation and readiness for the reporting obligations that take effect September 11, 2026. These obligations require manufacturers to submit an early warning to their designated CSIRT and ENISA within 24 hours of becoming aware of an actively exploited vulnerability, followed by a detailed vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure becomes available. By identifying gaps before a client self-attests or approaches a notified body, Winmill’s testing ensures those deadlines and documentation standards don’t become certification obstacles.

Why organizations choose Winmill for CRA readiness

Winmill’s Penetration Testing Stream is purpose-built for environments where compliance and ongoing security maturity must work together. The program provides recurring testing that aligns with product development cycles and lifecycle expectations defined by the CRA.

Unlike snapshot testing models, our approach provides evidence that cybersecurity practices are maintained over time. This helps organizations demonstrate conformity with the CRA requirement for ongoing vulnerability management and lifecycle security updates. Our testing aligns with the CRA goal of reducing design-stage vulnerabilities and increasing transparency of security risks throughout the lifespan of digital products.

Our consultants also support teams that must prepare for conformity assessments. The framework for notifying conformity assessment bodies takes effect on June 11, 2026, meaning these bodies can begin operating under CRA rules from that date. Products classified as higher risk will require evaluation by notified bodies before they can be placed on the EU market after December 11, 2027. Organizations that begin preparing internal processes and technical documentation now will be better positioned when those assessments are required.

Preparing for CRA also prepares you for better security

The CRA is raising expectations for product security, and non-compliance carries significant consequences, including penalties of up to €15 million or 2.5% of global annual turnover, whichever is greater. Organizations that take steps now to validate their security controls, document their processes, and confirm their vulnerability remediation capabilities will be better positioned to avoid compliance gaps when enforcement begins. Testing programs that reflect real lifecycle expectations give manufacturers and distributors confidence as they move toward the December 2027 full compliance date.

Get a Preliminary Scope and Investment Range

If you are preparing your products for Cyber Resilience Act compliance, we can help. Request a preliminary scope and investment range to understand how a CRA-aligned penetration testing program fits your environment and readiness goals.
