Deadline

Cyber Resilience Act reporting obligations apply from 11 September 2026

Deadline: upcoming · 11 Sep 2026 · ✓ verified 4 Jul 2026

What changed

Regulation (EU) 2024/2847 (the Cyber Resilience Act) entered into force on 10 December 2024. Its reporting obligations apply from 11 September 2026, ahead of the main obligations from 11 December 2027. The CRA sets cybersecurity requirements for products with digital elements placed on the EU market, including vulnerability handling and CE-marking conformity.

Why it matters

The first CRA obligation to bite is reporting: from 11 September 2026 manufacturers must be able to report actively exploited vulnerabilities and severe incidents. That capability takes process and tooling work — it cannot be stood up in the final week.

Who is affected

Manufacturers, importers and distributors of hardware and software products with digital elements sold in the EU.

What to check next

Stand up the internal process to detect, triage and report actively exploited vulnerabilities and severe incidents from 11 September 2026; confirm the exact triggers, channels and timelines in the regulation text.

Key dates

  • 2024-12-10: Entry into force
  • 2026-09-11: Reporting obligations apply
  • 2027-12-11: Main obligations apply

Source. EUR-Lex — Regulation (EU) 2024/2847 (Cyber Resilience Act)
Document: Regulation (EU) 2024/2847 — CELEX 32024R2847
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.