CRA Timeline: Key Deadlines from 2024 to 2027
Don't be caught off guard by the Cyber Resilience Act. Here is the official timeline of obligations and compliance deadlines.
Don't be caught off guard by the Cyber Resilience Act. Here is the official timeline of obligations and compliance deadlines.
The Cyber Resilience Act is no longer a distant project. The calendar is now set, and the first deadlines are fast approaching.
The regulation has entered into force. Companies should start their gap analysis now to identify priority projects.
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the CRA Single Reporting Platform, including an early warning within 24 hours after becoming aware. This obligation requires robust monitoring, review, and evidence workflows.
From 11 December 2027, products with digital elements placed on the European market must meet the applicable CRA cybersecurity, conformity-assessment, technical-documentation, and CE-marking requirements. Market-surveillance authorities may require corrective action, restriction, withdrawal, or recall where applicable.
Anticipation is key. Building an operational CRA evidence and reporting process can take months, especially for multi-product portfolios.