Cyber Resilience Act Compliance Testing

Element helps you prepare your connected products for Cyber Resilience Act (EU Regulation 2024/2847) compliance. Element tests against product cybersecurity standards under ISO/IEC 17025 accreditation and supports EU and UK manufacturers ahead of the December 2027 deadline.

Engineer testing a connected device against Cyber Resilience Act requirements

What is Cyber Resilience Act Compliance Testing at Element?

The Cyber Resilience Act is EU Regulation 2024/2847. It sets mandatory cybersecurity requirements for hardware and software products with digital elements sold in the EU market, with full enforcement from December 2027. At Element, we test connected products against product cybersecurity standards such as the EN 18031 standards under ISO/IEC 17025 accreditation, assess conformity readiness, and support manufacturers across both EU and UK compliance requirements.

What Can Element Offer You For Cyber Resilience Act Compliance Testing?

Element testing technician holding SAR head phantom for mobile phone radiation testing and certification

Methods and solutions offered

Element tests connected products against EN 18031-1, EN 18031-2, and EN 18031-3 under ISO/IEC 17025 accreditation, producing the technical evidence manufacturers need for CRA conformity assessment. Element's team also carries out gap analysis against CRA essential requirements, reviews your existing technical documentation, and identifies what additional testing or process changes your product needs before the December 2027 deadline. 

Key tests offered

Element tests products against the specific EN 18031 clauses applicable to your product category, so your test report directly maps to the CRA conformity assessment requirements regulators and Notified Bodies will expect.

Which Element labs offer this service

Element's Hull laboratory is the only UKAS-accredited facility in the UK for Cyber Resilience Act compliance testing and EN 18031 testing. The lab works directly with manufacturers to produce test evidence that maps to CRA essential requirements, supporting both self-declaration and third-party assessment routes. 

Find your nearest connected technologies lab 

Regulatory expertise

Mustanir AliElement's Head of Cyber Product Assurance, participated in developing the EN 18031 standards and is leading Element's preparation for CRA Notified Body designation. Manufacturers who start work with Element now build a compliance program ahead of Notified Body queues forming. Element also participates in the CRA standardization work througMustanir as a member of the UK committee for CRA standards, and ETSI.

Article 14 reporting obligations apply from 11 September 2026

If your product is on the EU market, you have weeks, not months, to implement vulnerability reporting processes. From 11 September 2026, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of awareness, submit a fuller notification within 72 hours, and file a final report within 14 days. Element's advisory services can help you build the processes and documentation you need before the deadline.

Standards we test to and Products we test

These are our most prevalent requests. Don't see what you're looking for? Contact us!
  • EU Cyber Resilience Act (Regulation 2024/2847)

  • EN 18031-1: Common security requirements for radio equipment

  • EN 18031-2: Requirements for radio equipment processing personal data

  • EN 18031-3: Requirements for radio equipment processing financial transactions

  • ETSI EN 303 645: Cyber security for consumer IoT  

     

     

     

Your Challenges, Our Solutions

Unclear conformity route

You don’t know whether your product can self-declare or needs third-party assessment under the CRA. Element maps your product classification and identifies the applicable conformity paths, so you don’t spend time and budget on the wrong route.

December 2027 is closer than it looks

Full CRA enforcement begins December 2027. Testing backlogs will grow as the deadline approaches. Element’s ISO/IEC 17025 accredited labs test against EN 18031 now, so your technical documentation is ready before Notified Body queues form. We will provide additional testing to CRA standards once they are available.

Duplicating work you’ve already paid for

You completed RED Article 3.3 testing and need to know what the CRA adds. Element assesses your existing EN 18031 evidence against CRA requirements and identifies the gaps, so you only test what you haven’t already covered.

Post-market security obligations

The CRA requires manufacturers to manage vulnerabilities and report incidents under Article 14 throughout the product lifecycle. Element’s advisory services help you build the vulnerability management and incident reporting processes your product needs to stay compliant after it ships.
Element testing engineer in anechoic chamber for electromagnetic compatibility and wireless device testing

EN 18031 expertise from the inside

Element participated in writing EN 18031 and is actively involved in drafting the CRA standards.

CRA Notified Body

Element is on track to have full CRA Notified Body designation well before December 2027. Start your compliance program ahead of the formal services opening.

RED-to-CRA transition, without duplicating effort

Element delivers RED Article 3.3(d/e/f) certification. Manufacturers with existing EN 18031 work can assess CRA gaps without duplicating effort.

ISO/IEC 17025 accredited testing

Element's ISO/IEC 17025 test results are accepted across jurisdictions and carry the evidentiary weight regulators expect.

15+
Years of product cybersecurity expertise

1
Only UKAS-accredited lab in the UK for EN 18031 and ETSI EN 303 645 cybersecurity testing

100%
of testing delivered in-house

2027
CRA full enforcement deadline in December

Element engineer monitoring SAR equipment during technology testing

Frequently asked questions

Does my product fall within the scope of the CRA?

The CRA applies to any product with digital elements intended for the EU market that can connect directly or indirectly to a network or another device. Certain categories are excluded, including products already covered by sector-specific regulations such as automotive and medical devices. Element can help you determine whether your product is in scope, and which conformity route applies.

What is the difference between Class I and Class II products, and does my product need a Notified Body?

Class II important products face stricter conformity assessment requirements than Class I. Class I products cover higher-risk categories such as identity management software, browsers, and password managers. Class II covers products considered critical to infrastructure, such as operating systems, industrial control systems, and firewalls. The classification affects which conformity assessment route applies. Element can help you determine where your product sits based on its functions and intended use.

Does my product need a Notified Body assessment, or can I self-declare?

Most products fall into the default category and can follow a self-assessment route, provided you apply harmonized standards or common specifications. Class I important products can also self-declare in most cases. Class II important products require a Notified Body for conformity assessment, and Critical products listed in Annex IV must use a European Cybersecurity Certification Scheme. Element can confirm which route applies to your product based on its functions and intended use.

How does CRA relate to the RED Article 3.3 cybersecurity requirements?

RED Articles 3.3(d), (e), and (f), now implemented through EN 18031, apply to radio equipment and have been mandatory since August 2025. The CRA extends similar requirements to all products with digital elements, including non-radio products. Testing completed for RED EN 18031 compliance can contribute toward CRA conformity assessment evidence, but additional requirements apply. Element can help you identify which CRA requirements can be met with existing RED test evidence and which additional requirements apply.

When will Element be a CRA Notified Body?

The Notified Body application window first opened in June 2026, and Element is in the process of its application for CRA Notified Body designation. Manufacturers can begin  CRA compliance testing with Element now, ahead of formal Notified Body designation, to build their technical documentation and close compliance gaps early. 

What are the Article 14 reporting obligations under the CRA?

Reporting obligations for actively exploited vulnerabilities apply from 11 September 2026, ahead of full CRA enforcement. From that date, manufacturers must submit a 24-hour early warning on first awareness of an actively exploited vulnerability, a 72-hour notification including corrective measures taken, and a 14-day final report once the vulnerability is resolved. Element's advisory services can help you build the internal processes needed to meet these windows. 

Related Services

Mobile and Cellular Devices

Product Cybersecurity Testing & Certification Services

Element offers end-to-end product Cybersecurity testing and certification services to ensure your IoT product is safe, secure and compliant with PSTI, RED, and CRA.

Radio

RED Directive Testing for CE Marking

Element's Radio Equipment Directive (RED) services provide testing, certification, and expert guidance to help manufacturers meet EU compliance requirements and secure CE marking for wireless products.

Wireless Network

Wireless Device Testing & Certification

Get your wireless devices to market faster with Element's accredited testing services. Expert guidance through compliance, certification and global approvals for all wireless technologies.

electromagnetic compatibility testing

Electromagnetic Compatibility (EMC) Testing & Electromagnetic Interference (EMI) Testing & Certification

Element provides accredited EMC and EMI testing and certification services, helping businesses meet regulatory requirements, reduce costly redesigns, and bring products to market faster through expert compliance support.

CE Mark Testing

CE Marking Services

Accelerate EU market access with Element's CE Marking services. Expert testing, documentation & compliance support for electrical products. Get certified faster.

Global Market Access (GMA) Services

Global Market Access (GMA) Services

Accelerate international product certification with Element's Global Market Access Services. Navigate complex regulations, reduce testing time & get to market faster.

Related Resources

Understanding the Cybersecurity requirements for RED PSTI and CRA

Understand the regulatory changes and mandatory compliance requirements for cybersecurity in the RED, PSTI, & CRA from 1st August 2025—read now.

Mar 18, 2025

Cyber Resilience Act Reporting Obligations: What Manufacturers Must Know Before September 2026 – On-Demand Webinar

From 11 September 2026, manufacturers must report exploited vulnerabilities and severe incidents under the Cyber Resilience Act. Watch the webinar.

Jun 24, 2026

EU CRA Compliance Requirements and Key Deadlines for Manufacturers Webinar

CRA compliance is mandatory by December 2027, with Article 14 reporting obligations taking effect September 2026. Learn what products are in scope, what the requirements are, and how to prepare.

Jun 9, 2026

Speak to our team of experts

AMERICAS

Toll free from US lines

+1 888 786 7555

EUROPE

Contact our Central Team
UK

Freephone from UK

+44 808 234 1667

Germany

Freephone from Germany 

+49 800 000 5137

MIDDLE EAST

Toll free from UAE

+971 800 353 6368