Cyber Resilience Act Compliance Testing
Element helps you prepare your connected products for Cyber Resilience Act (EU Regulation 2024/2847) compliance. Element tests against product cybersecurity standards under ISO/IEC 17025 accreditation and supports EU and UK manufacturers ahead of the December 2027 deadline.

What is Cyber Resilience Act Compliance Testing at Element?
The Cyber Resilience Act is EU Regulation 2024/2847. It sets mandatory cybersecurity requirements for hardware and software products with digital elements sold in the EU market, with full enforcement from December 2027. At Element, we test connected products against product cybersecurity standards such as the EN 18031 standards under ISO/IEC 17025 accreditation, assess conformity readiness, and support manufacturers across both EU and UK compliance requirements.
What Can Element Offer You For Cyber Resilience Act Compliance Testing?

Methods and solutions offered
Methods and solutions offered
Element tests connected products against EN 18031-1, EN 18031-2, and EN 18031-3 under ISO/IEC 17025 accreditation, producing the technical evidence manufacturers need for CRA conformity assessment. Element's team also carries out gap analysis against CRA essential requirements, reviews your existing technical documentation, and identifies what additional testing or process changes your product needs before the December 2027 deadline.
Key tests offered
Key tests offered
Element tests products against the specific EN 18031 clauses applicable to your product category, so your test report directly maps to the CRA conformity assessment requirements regulators and Notified Bodies will expect.
Which Element labs offer this service
Which Element labs offer this service
Element's Hull laboratory is the only UKAS-accredited facility in the UK for Cyber Resilience Act compliance testing and EN 18031 testing. The lab works directly with manufacturers to produce test evidence that maps to CRA essential requirements, supporting both self-declaration and third-party assessment routes.
Regulatory expertise
Regulatory expertise
Mustanir Ali, Element's Head of Cyber Product Assurance, participated in developing the EN 18031 standards and is leading Element's preparation for CRA Notified Body designation. Manufacturers who start work with Element now build a compliance program ahead of Notified Body queues forming. Element also participates in the CRA standardization work through Mustanir as a member of the UK committee for CRA standards, and ETSI.
Article 14 reporting obligations apply from 11 September 2026
If your product is on the EU market, you have weeks, not months, to implement vulnerability reporting processes. From 11 September 2026, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of awareness, submit a fuller notification within 72 hours, and file a final report within 14 days. Element's advisory services can help you build the processes and documentation you need before the deadline.
Standards we test to and Products we test
-
EU Cyber Resilience Act (Regulation 2024/2847)
-
EN 18031-1: Common security requirements for radio equipment
-
EN 18031-2: Requirements for radio equipment processing personal data
-
EN 18031-3: Requirements for radio equipment processing financial transactions
-
ETSI EN 303 645: Cyber security for consumer IoT
- Connected consumer electronics
- IoT devices
- Smart home products including home automation and home security products
- Industrial control systems with network connectivity
- Routers and networking equipment
- Healthcare devices with digital elements such as smart wearables (note: medical devices are not covered by the CRA)
Your Challenges, Our Solutions
Unclear conformity route
December 2027 is closer than it looks
Duplicating work you’ve already paid for
Post-market security obligations
Element Experts at your Service

EN 18031 expertise from the inside
CRA Notified Body
RED-to-CRA transition, without duplicating effort
ISO/IEC 17025 accredited testing
15+Years of product cybersecurity expertise
1Only UKAS-accredited lab in the UK for EN 18031 and ETSI EN 303 645 cybersecurity testing
100%of testing delivered in-house
2027CRA full enforcement deadline in December

Frequently asked questions
Does my product fall within the scope of the CRA?
The CRA applies to any product with digital elements intended for the EU market that can connect directly or indirectly to a network or another device. Certain categories are excluded, including products already covered by sector-specific regulations such as automotive and medical devices. Element can help you determine whether your product is in scope, and which conformity route applies.
What is the difference between Class I and Class II products, and does my product need a Notified Body?
Class II important products face stricter conformity assessment requirements than Class I. Class I products cover higher-risk categories such as identity management software, browsers, and password managers. Class II covers products considered critical to infrastructure, such as operating systems, industrial control systems, and firewalls. The classification affects which conformity assessment route applies. Element can help you determine where your product sits based on its functions and intended use.
Does my product need a Notified Body assessment, or can I self-declare?
Most products fall into the default category and can follow a self-assessment route, provided you apply harmonized standards or common specifications. Class I important products can also self-declare in most cases. Class II important products require a Notified Body for conformity assessment, and Critical products listed in Annex IV must use a European Cybersecurity Certification Scheme. Element can confirm which route applies to your product based on its functions and intended use.
How does CRA relate to the RED Article 3.3 cybersecurity requirements?
RED Articles 3.3(d), (e), and (f), now implemented through EN 18031, apply to radio equipment and have been mandatory since August 2025. The CRA extends similar requirements to all products with digital elements, including non-radio products. Testing completed for RED EN 18031 compliance can contribute toward CRA conformity assessment evidence, but additional requirements apply. Element can help you identify which CRA requirements can be met with existing RED test evidence and which additional requirements apply.
When will Element be a CRA Notified Body?
The Notified Body application window first opened in June 2026, and Element is in the process of its application for CRA Notified Body designation. Manufacturers can begin CRA compliance testing with Element now, ahead of formal Notified Body designation, to build their technical documentation and close compliance gaps early.
What are the Article 14 reporting obligations under the CRA?
Reporting obligations for actively exploited vulnerabilities apply from 11 September 2026, ahead of full CRA enforcement. From that date, manufacturers must submit a 24-hour early warning on first awareness of an actively exploited vulnerability, a 72-hour notification including corrective measures taken, and a 14-day final report once the vulnerability is resolved. Element's advisory services can help you build the internal processes needed to meet these windows.
Related Services

Product Cybersecurity Testing & Certification Services
Element offers end-to-end product Cybersecurity testing and certification services to ensure your IoT product is safe, secure and compliant with PSTI, RED, and CRA.

RED Directive Testing for CE Marking
Element's Radio Equipment Directive (RED) services provide testing, certification, and expert guidance to help manufacturers meet EU compliance requirements and secure CE marking for wireless products.

Wireless Device Testing & Certification
Get your wireless devices to market faster with Element's accredited testing services. Expert guidance through compliance, certification and global approvals for all wireless technologies.

Electromagnetic Compatibility (EMC) Testing & Electromagnetic Interference (EMI) Testing & Certification
Element provides accredited EMC and EMI testing and certification services, helping businesses meet regulatory requirements, reduce costly redesigns, and bring products to market faster through expert compliance support.

CE Marking Services
Accelerate EU market access with Element's CE Marking services. Expert testing, documentation & compliance support for electrical products. Get certified faster.

Global Market Access (GMA) Services
Accelerate international product certification with Element's Global Market Access Services. Navigate complex regulations, reduce testing time & get to market faster.



