The Cyber Resilience Act is no longer a distant project. The calendar is now set, and the first deadlines are fast approaching.

2024: Entry into Force

The regulation has entered into force. Companies should start their gap analysis now to identify priority projects.

2026: Mandatory Vulnerability Reporting

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the CRA Single Reporting Platform, including an early warning within 24 hours after becoming aware. This obligation requires robust monitoring, review, and evidence workflows.

2027: Full CRA Application and CE Marking

From 11 December 2027, products with digital elements placed on the European market must meet the applicable CRA cybersecurity, conformity-assessment, technical-documentation, and CE-marking requirements. Market-surveillance authorities may require corrective action, restriction, withdrawal, or recall where applicable.

Anticipation is key. Building an operational CRA evidence and reporting process can take months, especially for multi-product portfolios.