EU Cyber Resilience Act's Strict Reporting Obligations for Connected Products to Begin in September 2026

EU Cyber Resilience Act: 24-Hour Vulnerability and Incident Reporting Mandate Begins Sept 2026

INFORMATIONAL
June 2, 2026
4m read
Regulatory · Policy and Compliance · IoT Security

Executive Summary

The European Union's Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is moving towards enforcement, and the first hard deadline is approaching. Starting September 11, 2026, the act's reporting obligations (Article 14) apply. From that date, a manufacturer of any 'product with digital elements' placed on the EU market must, within 24 hours of becoming aware of an actively exploited vulnerability in one of its products, or of a severe incident affecting a product's security, send an early warning to ENISA and to the national Computer Security Incident Response Team (CSIRT) designated as coordinator. The CRA represents a fundamental shift in product security liability, moving the onus from end-users to manufacturers to keep products secure throughout their support period. Companies that fail to comply face significant financial penalties.


Regulatory Details

The CRA establishes a new legal framework for cybersecurity requirements for tangible and intangible digital products. The reporting obligations are a key pillar of this framework.

Reporting Timeline and Process

The clock starts when the manufacturer becomes aware of an actively exploited vulnerability in a product, or of a severe incident that affects the security of a product. Both tracks use the same staged model: an early warning, a fuller notification, then a final report.

  • Actively Exploited Vulnerabilities:

    • Within 24 hours: An "early warning" must be submitted to the relevant CSIRT and ENISA. It need only state what is known at that point, including whether a malicious actor is suspected of exploiting the vulnerability and which member states the affected products are known to be in, so that coordination and warnings to other member states can begin.
    • Within 72 hours: A vulnerability notification with general information about the product, the nature of the exploit and the vulnerability, and any corrective or mitigating measures taken or available to users.
    • Within 14 days after a corrective or mitigating measure is available: A final report describing the vulnerability (including severity and impact), what is known about the actor exploiting it, and the security update or other corrective measures. Note that the 14 days run from the availability of a fix, not from initial awareness.
  • Severe Incidents Affecting Product Security:

    • Within 24 hours: An early warning indicating, at a minimum, whether the incident is suspected to have been caused by unlawful or malicious acts.
    • Within 72 hours: An incident notification with general information about the nature of the incident, an initial assessment, and corrective measures taken or available.
    • Within one month of the incident notification: A final report on the incident, its likely cause and impact, and the measures taken.

All notifications are submitted through a single reporting platform established and maintained by ENISA, with national electronic notification end-points for each CSIRT. Separately from these regulator notifications, the manufacturer must also inform affected users of the vulnerability or incident without undue delay, including any corrective or mitigating measures they can take.


Affected Organizations

The CRA has an extremely broad scope. It applies to all manufacturers, importers, and distributors who place products with digital elements on the EU market. This includes:

  • Hardware manufacturers (e.g., IoT devices, smart home appliances, network equipment).
  • Software developers (e.g., operating systems, standalone applications, mobile apps).
  • Manufacturers of industrial control systems and operational technology.

Essentially, if a product contains software or firmware and is placed on the EU market, it is likely covered by the CRA. The main carve-outs are products already covered by sector-specific EU cybersecurity rules (for example medical devices, motor vehicles and civil aviation products), products developed exclusively for national security or defence purposes, and open-source software that is not supplied in the course of a commercial activity. Anyone relying on an exclusion should confirm it with counsel rather than assume it.


Compliance Requirements

Beyond reporting, the CRA introduces a wide range of lifecycle security requirements:

  • Security by Design: Manufacturers must conduct risk assessments and build security into their products from the earliest design stages.
  • Vulnerability Management: A formal process must be in place to identify, handle and remediate vulnerabilities in products for the duration of the support period, with security updates provided to users free of charge, together with a coordinated vulnerability disclosure policy and a contact address for reporting.
  • Software Bill of Materials (SBOM): Manufacturers must draw up an SBOM for each product in a commonly used, machine-readable format, covering at least the product's top-level dependencies. The SBOM must be kept as part of the technical documentation and made available to market surveillance authorities on request; the CRA does not require it to be shipped to every end user.
  • Conformity Assessment and CE Marking: Products must undergo a conformity assessment to prove they meet CRA standards before they can receive a CE mark and be sold in the EU.

Implementation Timeline

  • June 11, 2026: Provisions on conformity assessment bodies (notified bodies) apply, so that third-party assessment can be arranged ahead of full application.
  • September 11, 2026: Vulnerability and incident reporting obligations under Article 14 begin.
  • December 11, 2027: Full application of all other CRA requirements (e.g., security by design, conformity assessment and CE marking) for products placed on the market from that date.

Enforcement & Penalties

Non-compliance with the CRA can result in substantial penalties. For breaches of the essential cybersecurity requirements or of the manufacturer obligations in Articles 13 and 14 (which include the reporting duties above), fines can reach up to €15 million or 2.5% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher; lower tiers apply to other obligations and to supplying incorrect or misleading information. This makes CRA compliance a critical business and financial issue, not just a technical one.


Compliance Guidance

Organizations should not wait until the deadlines to act. The long product development cycles mean that work must start now.

  1. Conduct a Product Portfolio Review: Identify all products sold in the EU that fall under the CRA's scope.
  2. Gap Analysis: Assess current security development lifecycle (SDL) and vulnerability management processes against the CRA's requirements.
  3. Establish an Incident Response Plan: Develop and test an incident response plan that specifically incorporates the CRA's 24-hour reporting timeline. Designate roles and responsibilities for reporting to ENISA.
  4. Implement SBOM Generation: Integrate tools and processes into the CI/CD pipeline to automatically generate and manage SBOMs for all products.
  5. Engage with Legal and Compliance Teams: Ensure that legal and compliance teams are fully briefed on the CRA's requirements and potential liabilities.
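Step 4 above is the one that turns into engineering work. The script below is an added example of what a CI job for it might look like, not code from the article or from any CRA-specific tooling: it parses a pinned Python requirements file, emits a minimal CycloneDX 1.5 JSON SBOM whose top-level dependency edges match the Annex I requirement, and refuses to produce an SBOM from unpinned version ranges, since such a document would not describe what actually shipped. The requirements text is constructed sample input, and the product name and version are placeholder assumptions.

```python
"""Minimal CycloneDX 1.5 SBOM generation for a Python product.

Added example for SBOM generation in CI; not code from the article,
ENISA or any CRA tooling. SAMPLE_REQUIREMENTS is constructed input and
the product name/version are placeholder assumptions. Only exact
name==version pins are accepted: an SBOM built from a version range
would not describe what shipped, so the CI gate fails on it.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input in pip-freeze style; the last entry is
# deliberately unpinned to exercise the failure path.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies (constructed example)
requests==2.32.3
cryptography==43.0.1
PyYAML==6.0.2
urllib3>=2.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.+!-]+)$")


def pypi_purl(name, version):
    """Package URL for a PyPI distribution; name normalised per PEP 503."""
    normalised = re.sub(r"[-_.]+", "-", name).lower()
    return f"pkg:pypi/{normalised}@{version}"


def parse_pinned_requirements(text):
    """Return (pinned, unpinned): exact (name, version) pins, and the
    remaining non-empty lines that are not exact pins."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pinned.append((match.group(1), match.group(2)))
        else:
            unpinned.append(line)
    return pinned, unpinned


def build_sbom(product_name, product_version, pinned, serial=None, timestamp=None):
    """Assemble a CycloneDX 1.5 document (as a dict) for one product."""
    product_ref = f"product:{product_name}@{product_version}"
    components = [
        {"type": "library", "name": name, "version": version,
         "purl": pypi_purl(name, version), "bom-ref": pypi_purl(name, version)}
        for name, version in pinned
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name,
                          "version": product_version, "bom-ref": product_ref},
        },
        "components": components,
        # Top-level dependency edges: the product depends on every pin.
        "dependencies": [{"ref": product_ref,
                          "dependsOn": [c["bom-ref"] for c in components]}],
    }


def check_sbom(doc):
    """Return problems a CI gate should block on (empty list = OK)."""
    problems = []
    refs = [c.get("bom-ref") for c in doc.get("components", [])]
    if len(refs) != len(set(refs)):
        problems.append("duplicate bom-ref values")
    for comp in doc.get("components", []):
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"component {comp.get('name')!r} missing {field}")
    known = set(refs) | {doc["metadata"]["component"]["bom-ref"]}
    for dep in doc.get("dependencies", []):
        for target in [dep["ref"]] + dep.get("dependsOn", []):
            if target not in known:
                problems.append(f"dangling dependency reference {target!r}")
    return problems


def generate_sbom(requirements_text, product_name, product_version, strict=True, **kw):
    """Parse, build and self-check; in strict mode refuse unpinned input."""
    pinned, unpinned = parse_pinned_requirements(requirements_text)
    if unpinned and strict:
        raise ValueError(f"unpinned requirements, SBOM would be inaccurate: {unpinned}")
    doc = build_sbom(product_name, product_version, pinned, **kw)
    problems = check_sbom(doc)
    if problems:
        raise ValueError("SBOM failed self-check: " + "; ".join(problems))
    return doc


if __name__ == "__main__":
    try:
        generate_sbom(SAMPLE_REQUIREMENTS, "example-gateway", "1.4.0")
    except ValueError as exc:
        print("CI gate would fail:", exc)
    # Non-strict run for illustration only; a real pipeline should pin first.
    print(json.dumps(generate_sbom(SAMPLE_REQUIREMENTS, "example-gateway",
                                   "1.4.0", strict=False), indent=2))
```

In a real pipeline the input would be a lock file produced by the build, the `serialNumber` would be left to the generator so that every build gets a fresh one, and the resulting document would be archived with the release artefacts so it can be produced on request and re-queried when a component later turns up in an exploited-vulnerability report.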

Timeline of Events

  1. June 2, 2026: This article was published.
  2. September 11, 2026: The mandatory 24-hour vulnerability and incident reporting obligations of the Cyber Resilience Act come into force.
  3. December 11, 2027: Full compliance with all other aspects of the Cyber Resilience Act becomes mandatory for new products.

Sources & References

Cyber Resilience Act - Reporting obligations
European Commission (europa.eu) April 23, 2026
Cyber Resilience Act - Article 14
The European Cyber Resilience Act (european-cyber-resilience-act.com)

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

Cyber Resilience Act · CRA · EU · ENISA · Compliance · Regulation · Vulnerability Disclosure · SBOM
