Trusq

factual analysis · traceable to primary sources

Explainer

Cyber Resilience Act: which deadline applies when?

Adopted 2026-06-14 · ≈ 2 min read · Dirk Baaijen

The CRA (Regulation (EU) 2024/2847) entered into force on 12 November 2024. Key dates: notification of conformity bodies 11 June 2026, reporting obligation 11 September 2026, full application 11 December 2027.

Short answer: The Cyber Resilience Act entered into force on 12 November 2024, but its obligations apply in phases: notification of conformity assessment bodies from 11 June 2026, the reporting obligation from 11 September 2026, and full application from 11 December 2027.

The three dates that matter

The Cyber Resilience Act, formally Regulation (EU) 2024/2847, entered into force on 12 November 2024. Its obligations do not all take effect at once, however; they apply in three steps.

The first deadline is 11 June 2026: from that point the regime for the notification of conformity assessment bodies applies. This is the infrastructure through which products will later be assessed.

The second deadline is 11 September 2026: from then the obligation to report actively exploited vulnerabilities and severe incidents applies. Manufacturers must report these to ENISA and the relevant CSIRT.

The third and decisive deadline is 11 December 2027: from that moment the regulation applies in full and all security requirements for products with digital elements take effect.

What this means for transport and logistics

The CRA affects products with digital elements, and in this sector that covers a great deal: telematics systems, trackers and a wide range of IoT devices. Vehicle tracking systems, cargo monitoring and connected peripherals all fall within scope.

The obligations rest with manufacturers, importers and distributors. They concern secure-by-default settings, the provision of security updates, CE marking and completing a conformity assessment. Anyone who purchases or resells connected hardware therefore also takes on a role in the chain.

How to act now

Use the period up to December 2027 to map which connected products you place on the market or distribute, and which suppliers can demonstrably meet the CRA. Bear in mind that the reporting obligation starts well over a year earlier, on 11 September 2026. Start agreeing on vulnerability reporting and update policy with your suppliers in good time.


Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
    Regulation (EU) 2024/2847 (Cyber Resilience Act); full application 11 December 2027.


About this knowledge base

Compiled and maintained by YRproject (programme and project direction at the intersection of digital transformation, AI and regulation). Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
