EU Cyber Resilience Act

CRA deadlines: 11 September 2026 and 11 December 2027

The Cyber Resilience Act is in force with two key dates: the reporting obligations apply from 11 September 2026, and the full set of obligations — including SBOM, technical documentation, conformity assessment and CE marking — applies by 11 December 2027.

What changes on each date

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the EU single-reporting platform, on a strict timeline: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days.

By 11 December 2027, products placed on the EU market must meet the Annex I essential requirements and ship with technical documentation and a signed EU Declaration of Conformity, carrying the CE marking.

Key points

  • 11 Sep 2026 — vulnerability/incident reporting obligations apply.
  • 11 Dec 2027 — full obligations incl. CE marking apply.
  • Reporting timeline: 24h early warning, 72h notification, 14-day final report.
  • The 15-month lead time means buyers act in 2026 — preparation is the work.

Frequently asked questions

What are the CRA deadlines?
Reporting obligations apply from 11 September 2026; full obligations, including SBOM, technical documentation and CE marking, apply by 11 December 2027.
What is the CRA 24/72-hour reporting rule?
For an actively exploited vulnerability or a severe incident, manufacturers must submit an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.