Updated: May 9, 2026
EU Cyber Resilience Act 2026 Reporting Deadline
The EU Cyber Resilience Act will make software and connected-product manufacturers report actively exploited vulnerabilities and severe product security incidents from September 11, 2026, giving software makers a binding notification regime before the broader product security rules apply on December 11, 2027. The law, Regulation (EU) 2024/2847, applies to hardware and software products with digital elements placed on the EU market, shifting product cybersecurity from voluntary practice to market-access compliance.
What Is The EU Cyber Resilience Act Reporting Rule Starting On September 11, 2026?

The EU Cyber Resilience Act reporting rule requires manufacturers to notify authorities of actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements from September 11, 2026. Reports must go through the CRA Single Reporting Platform, which ENISA is building for manufacturers and CSIRTs.
The rule covers “products with digital elements,” a category that includes software, hardware, remote data processing solutions, and software or hardware components placed separately on the market. The Commission says the CRA applies horizontally to products made available on the EU market, with some excluded products covered under separate EU rules.
The reporting obligation starts earlier than the full CRA because regulators want faster visibility into exploited product weaknesses. The main compliance regime, including broader design, development, maintenance, conformity assessment, documentation, and CE-marking obligations, applies from December 11, 2027.
What Is The Full Timeline For The EU Cyber Resilience Act From 2021 To 2027?
The CRA timeline began with EU political calls for product cybersecurity in 2021 and 2022, moved to a Commission proposal on September 15, 2022, a provisional agreement on November 30, 2023, Council adoption on October 10, 2024, entry into force on December 10, 2024, reporting in 2026, and full application in 2027.
The Council said Commission President Ursula von der Leyen first announced the CRA in her State of the Union address in September 2021, and Council conclusions on May 23, 2022, called for a proposal by the end of 2022. The Commission submitted the proposal on September 15, 2022.
EU negotiators reached a provisional agreement on November 30, 2023, and the Council adopted the law on October 10, 2024. The regulation was published in the Official Journal on November 20, 2024, and entered into force on December 10, 2024.
Implementation work continued after entry into force. The Commission adopted Implementing Regulation (EU) 2025/2392 on November 28, 2025, defining technical descriptions for important and critical product categories, and published draft CRA guidance for feedback on March 3, 2026. The latest confirmed legal update found in this review was Delegated Regulation (EU) 2026/881, published on April 20, 2026, on delayed dissemination of sensitive notifications.
What Must Software Makers Report Under CRA Article 14?
Software makers must report two event types under CRA Article 14: actively exploited vulnerabilities in products with digital elements and severe incidents affecting product security. The first stage is an early warning within 24 hours of becoming aware of the event, followed by a fuller notification within 72 hours.
For actively exploited vulnerabilities, the final report is due no later than 14 days after a corrective or mitigating measure becomes available. That final report must describe the vulnerability, its severity and impact, any available information about the malicious actor, and details about the security update or corrective measure.
For severe incidents, the final report is due within 1 month after the incident notification. A severe incident is one that negatively affects, or can negatively affect, the availability, authenticity, integrity, or confidentiality of important data or functions, or can lead to malicious code in the product or a user’s network.
Which Software And Hardware Products Fall Under The EU Cyber Resilience Act?
The CRA applies to most software and hardware products with digital elements made available on the EU market, including final products, components, remote data processing solutions, connected devices, and software-only products. The Council gave examples such as connected home cameras, fridges, TVs, toys, and broader IoT products.
The Commission’s implementing regulation gives product-category detail for important and critical products. Important products include identity management systems, browsers, password managers, antimalware tools, VPN products, network management systems, SIEM systems, operating systems, routers, modems, switches, smart home security devices, and internet-connected toys.
Critical product categories include certain hardware devices with security boxes, smartcards, tamper-resistant microprocessors, and tamper-resistant microcontrollers. These classifications matter because important and critical products face stricter conformity assessment obligations under the CRA.
How Will The ENISA Single Reporting Platform Work For CRA Reports?
The ENISA Single Reporting Platform will let manufacturers submit CRA reports once, then route the notification to the relevant CSIRT coordinator and ENISA. ENISA says the platform will be operational by September 11, 2026, with a testing period before mandatory reporting starts.
The reporting endpoint depends on the manufacturer’s main EU establishment. For non-EU manufacturers, the relevant CSIRT is determined through the authorized representative, importer, distributor, or user location sequence set out in Article 14.
CSIRTs generally share reports without delay with other affected CSIRTs, but the Commission adopted a delegated act allowing delayed dissemination on justified cybersecurity grounds in exceptional cases. That mechanism is meant to reduce the risk that sensitive vulnerability details spread too widely before mitigation.
What Penalties Can Software Makers Face For CRA Noncompliance?
CRA noncompliance can trigger administrative fines of up to €15 million or 2.5% of worldwide annual turnover for violations of essential cybersecurity requirements and manufacturer obligations under Articles 13 and 14. Member states must set penalty rules that are effective, proportionate, and dissuasive.
Other obligations carry lower maximum fines. Noncompliance with specified obligations for importers, distributors, declarations, CE marking, documentation, conformity assessment, notified bodies, and related duties can reach €10 million or 2% of worldwide annual turnover. Supplying incorrect, incomplete, or misleading information can reach €5 million or 1% of worldwide annual turnover.
Article 64 contains a limited carve-out for microenterprises and small enterprises that miss the 24-hour early warning deadline under Article 14, and it states that the administrative fines in those paragraphs do not apply to infringements by open-source software stewards.
What Should Software Makers Do Before CRA Reporting Starts In 2026?
Software makers should use 2026 to build a CRA incident and vulnerability reporting process that can detect reportable events, classify severity, identify affected EU member states, notify users, submit reports within 24 and 72 hours, and produce final reports within the required 14-day or 1-month windows.
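The Article 14 clocks described above are easy to get wrong inside a PSIRT tracker because the two event types share the 24-hour and 72-hour stages but start their final-report clock from different triggers. The following deadline calculator is an added example written for this article; it is not code from the Commission, ENISA or any project named on the page. The function names (`compute_deadlines`, `overdue_stages`), the reading of "1 month" as one calendar month clamped to the end of a short month, and the choice to run the severe-incident final-report clock from the time the 72-hour notification was submitted are all assumptions made for the example.

```python
"""CRA Article 14 reporting-deadline calculator (constructed example, not official code)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class EventType(Enum):
    EXPLOITED_VULNERABILITY = "actively exploited vulnerability"
    SEVERE_INCIDENT = "severe incident"


@dataclass
class ReportingDeadlines:
    early_warning_due: datetime           # 24 hours after the manufacturer becomes aware
    notification_due: datetime            # 72 hours after the manufacturer becomes aware
    final_report_due: Optional[datetime]  # None until the trigger event exists
    final_report_trigger: str             # what the 14-day or 1-month clock runs from


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on a timezone, so clocks are unambiguous."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone offset: {stamp}")
    return dt


def add_calendar_month(dt: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last day of a shorter month.
    Assumption: the CRA's '1 month' is read as a calendar month, not a fixed 30 days."""
    year = dt.year + 1 if dt.month == 12 else dt.year
    month = 1 if dt.month == 12 else dt.month + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def compute_deadlines(event_type: EventType, aware_at: str,
                      fix_available_at: Optional[str] = None,
                      notification_sent_at: Optional[str] = None) -> ReportingDeadlines:
    """Derive every Article 14 deadline from the moment of awareness plus the
    event-specific trigger (fix availability, or the submitted incident notification)."""
    aware = parse_utc(aware_at)
    early = aware + timedelta(hours=24)
    notification = aware + timedelta(hours=72)

    if event_type is EventType.EXPLOITED_VULNERABILITY:
        # Final report: no later than 14 days after a corrective or mitigating measure is available.
        final = parse_utc(fix_available_at) + timedelta(days=14) if fix_available_at else None
        trigger = "14 days after a corrective or mitigating measure becomes available"
    else:
        # Final report: within 1 month after the incident notification
        # (assumption: measured from when the 72-hour notification was submitted).
        final = add_calendar_month(parse_utc(notification_sent_at)) if notification_sent_at else None
        trigger = "1 month after the incident notification"

    return ReportingDeadlines(early, notification, final, trigger)


def overdue_stages(deadlines: ReportingDeadlines, now: str) -> List[str]:
    """Return the names of the stages whose deadline has already passed at `now`."""
    current = parse_utc(now)
    stages = [("early_warning", deadlines.early_warning_due),
              ("notification", deadlines.notification_due),
              ("final_report", deadlines.final_report_due)]
    return [name for name, due in stages if due is not None and current > due]


if __name__ == "__main__":
    # Constructed sample: awareness on a Monday morning UTC, fix shipped six days later.
    vuln = compute_deadlines(EventType.EXPLOITED_VULNERABILITY,
                             "2026-09-14T10:00:00+00:00",
                             fix_available_at="2026-09-20T09:00:00+00:00")
    for field in ("early_warning_due", "notification_due", "final_report_due"):
        print(f"{field}: {getattr(vuln, field)}")
    print("overdue at 2026-09-16:", overdue_stages(vuln, "2026-09-16T00:00:00+00:00"))
```

The calculator deliberately leaves `final_report_due` empty until the trigger event exists, which mirrors how a real tracker should behave: the 14-day window cannot be scheduled before a fix is actually available, and the 1-month window cannot be scheduled before the notification has gone out.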
Preparation should start with product scoping. Engineering, security, and legal teams need an inventory of covered products, components, remote data processing services, supported versions, open-source dependencies, security contacts, and market locations. That inventory should connect to a continuous vulnerability management program, product security incident response, release management, and customer notification workflows.
Manufacturers should map current secure-by-design practices to CRA requirements before 2027. The Commission says the draft guidance published on March 3, 2026, focuses on remote data processing, free and open-source software, support periods, and the interplay between the CRA and other EU laws.
How Did Open-Source And Industry Groups Respond To The EU Cyber Resilience Act?
Open-source groups first warned that the CRA could create legal uncertainty for community software projects, then later said the final text placed more responsibility on companies that commercialize products. GitHub said the first draft created significant legal uncertainty, while the final result more clearly allocates responsibility to entities with resources to act.
The Linux Foundation said in 2025 that its research found a wide spectrum of CRA readiness across open-source communities, with knowledge gaps, deadline uncertainty, and limited SBOM production among many manufacturers. The foundation said more funding, legal support, and guidance were needed to avoid unintended harm to open-source development.
Open-source stewards have narrower duties than manufacturers, but they are not outside the law entirely. Article 24 applies some Article 14 duties to open-source software stewards when severe incidents affect network and information systems they provide for developing products with digital elements.
What Questions Remain Before CRA Reporting Begins On September 11, 2026?
The main open questions concern final reporting procedures, Single Reporting Platform testing, national CSIRT coordination, the final shape of Commission guidance, and how market surveillance authorities will apply penalties after reporting begins. Software makers need operational answers before the 24-hour clock becomes enforceable.
The Commission has already issued draft guidance and secondary legislation, but some practical details will mature through platform testing, national implementation, and early reporting practice. Companies that sell across many EU member states will need consistent internal escalation rules because a vulnerability in one product can affect users across several countries.
The broader significance is that the CRA treats product cybersecurity as a condition for EU market access. For software makers, vulnerability response, support periods, SBOM discipline, security updates, incident reporting, and customer notice now sit inside a product compliance system rather than a voluntary security program.
How Does Bright Defense Help Software Makers Prepare For The EU Cyber Resilience Act Reporting Rules?
Bright Defense helps software makers prepare for the EU Cyber Resilience Act reporting rules through Penetration Testing, Continuous Compliance, and Security Assessments that connect product security operations to CRA reporting and lifecycle duties. These services help teams test exploitable weaknesses, map evidence, and prepare incident workflows before September 11, 2026.
Penetration Testing can validate whether product flaws could become actively exploited vulnerabilities. Continuous Compliance can track control evidence, remediation owners, support periods, and report deadlines. Security Assessments can review product security incident response, vulnerability disclosure, third-party components, and user notification workflows.
Sources Cited In This EU Cyber Resilience Act Report
- European Commission — Cyber Resilience Act Reporting Obligations (May 9, 2026 Accessed) https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
- European Commission — Cyber Resilience Act Implementation (May 9, 2026 Accessed) https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation
- European Commission — The Cyber Resilience Act Summary Of The Legislative Text (May 9, 2026 Accessed) https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- EUR-Lex — Regulation (EU) 2024/2847 Cyber Resilience Act (November 20, 2024) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
- Council Of The European Union — Cyber Resilience Act: Council Adopts New Law On Security Requirements For Digital Products (October 10, 2024) https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/
- European Commission — A Safer Digital Future: New Cyber Rules Become Law (December 10, 2024) https://commission.europa.eu/news-and-media/news/safer-digital-future-new-cyber-rules-become-law-2024-12-10_en
- ENISA — Single Reporting Platform (May 9, 2026 Accessed) https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp
- European Commission — Commission Publishes For Feedback Draft Guidance To Assist Companies In Applying The Cyber Resilience Act (March 3, 2026) https://digital-strategy.ec.europa.eu/en/news/commission-publishes-feedback-draft-guidance-assist-companies-applying-cyber-resilience-act
- EUR-Lex — Commission Delegated Regulation (EU) 2026/881 (April 20, 2026) https://eur-lex.europa.eu/eli/reg_del/2026/881/oj/eng
- European Commission — Commission Implementing Regulation (EU) 2025/2392 (November 28, 2025) https://eur-lex.europa.eu/eli/reg_impl/2025/2392/oj
- GitHub — What The EU’s New Software Legislation Means For Developers (December 10, 2024, Updated December 17, 2024) https://github.blog/open-source/maintainers/what-the-eus-new-software-legislation-means-for-developers/
- Linux Foundation — Linux Foundation Research Reports Reveal Wide Spectrum For Cyber Resilience Act Readiness And Compliance (March 18, 2025) https://www.linuxfoundation.org/press/linux-foundation-research-reports-reveal-wide-spectrum-for-cyber-resilience-act-readiness-and-compliance
- TechCrunch — EU Cybersecurity Rules For Smart Devices Enter Into Force (December 10, 2024) https://techcrunch.com/2024/12/10/eu-cybersecurity-rules-for-smart-devices-enter-into-force/