EU Cyber Resilience Act
CRA deadlines: 11 September 2026 and 11 December 2027
The Cyber Resilience Act is in force with two key dates: the reporting obligations apply from 11 September 2026, and the full set of obligations — including SBOM, technical documentation, conformity assessment and CE marking — applies by 11 December 2027.
What changes on each date
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the EU single-reporting platform, on a strict timeline: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days.
By 11 December 2027, products placed on the EU market must meet the Annex I essential requirements and ship with technical documentation and a signed EU Declaration of Conformity, carrying the CE marking.
Key points
- 11 Sep 2026 — vulnerability/incident reporting obligations apply.
- 11 Dec 2027 — full obligations incl. CE marking apply.
- Reporting timeline: 24h early warning, 72h notification, 14-day final report.
- The 15-month lead time means buyers act in 2026 — preparation is the work.
Frequently asked questions
- What are the CRA deadlines?
- Reporting obligations apply from 11 September 2026; full obligations, including SBOM, technical documentation and CE marking, apply by 11 December 2027.
- What is the CRA 24/72-hour reporting rule?
- For an actively exploited vulnerability or a severe incident, manufacturers must submit an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days.
Related
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.