EU Cyber Resilience Act Starts 2026 Reporting Countdown

    Updated: June 24, 2026

    The EU Cyber Resilience Act will force manufacturers of software and connected products to report actively exploited vulnerabilities and severe product security incidents from September 11, 2026, creating the first binding EU-wide cyber reporting duty for digital products before the broader product security rules apply on December 11, 2027. The latest official Commission update, posted on June 8, 2026, confirmed the reporting deadlines and the role of ENISA’s Single Reporting Platform.

    What Is The EU Cyber Resilience Act 2026 Reporting Deadline?

    The EU Cyber Resilience Act 2026 reporting deadline is the date when manufacturers must start notifying authorities about actively exploited vulnerabilities and severe incidents affecting products with digital elements. The obligation starts on September 11, 2026, even though the CRA’s main product security requirements apply later, on December 11, 2027.

    The law is Regulation (EU) 2024/2847, a horizontal cybersecurity regulation for hardware and software products made available on the EU market. The European Commission says the CRA applies to products with digital elements, including final products and components placed separately on the market.

    The Commission says the law addresses weak product cybersecurity and the lack of timely security updates. That turns product security from a voluntary market practice into a legal duty for manufacturers, importers, distributors, and some open-source software stewards.

    What Is The EU Cyber Resilience Act Timeline From 2020 To 2027?

    The CRA grew out of the EU’s 2020 Cybersecurity Strategy, was proposed by the Commission on September 15, 2022, reached political agreement in 2023, was adopted by the Council on October 10, 2024, and entered into force on December 10, 2024. The next hard deadline is September 11, 2026.

    The law was published as Regulation (EU) 2024/2847 in the Official Journal on November 20, 2024. The Commission later published implementation FAQs on December 3, 2025, and draft guidance on March 3, 2026.

    Several implementation steps followed. Member states had to designate notifying authorities for conformity assessment bodies by June 11, 2026. ENISA’s reporting platform must be operational by September 11, 2026. Full CRA application begins on December 11, 2027, while some existing EU type-examination certificates and approval decisions can remain valid until June 11, 2028, unless they expire earlier.

    What Must Manufacturers Report Under Article 14 Of The EU Cyber Resilience Act?

    Manufacturers must report actively exploited vulnerabilities and severe incidents that affect the security of products with digital elements. The CRA requires an early warning within 24 hours, a fuller notification within 72 hours, and final reporting within either 14 days after a corrective measure is available or 1 month after the initial incident notification.

    The 24-hour early warning starts when the manufacturer becomes aware of an actively exploited vulnerability or severe incident. The 72-hour notice must give general information and an initial assessment. For exploited vulnerabilities, the final report is due no later than 14 days after a patch or other corrective measure becomes available.

    For severe incidents, the final report is due within 1 month after the 72-hour submission. The reporting duty applies to products already made available on the EU market, including products placed on the market before December 11, 2027.

    Which Digital Products And Companies Are Covered By The EU Cyber Resilience Act?

    The Cyber Resilience Act covers hardware and software products with digital elements made available on the EU market, including products and components with direct or indirect data connections to a device or network. The scope reaches manufacturers, authorized representatives, importers, distributors, and certain open-source software stewards.

    Examples include connected cameras, smart watches, routers, apps, computer programs, connected toys, industrial software, embedded systems, and software components placed separately on the market. The CRA also covers remote data processing solutions when the product depends on them to perform a function.

    The law excludes certain products covered by other EU rules, including specific areas such as medical devices, aviation, and vehicles where sectoral legislation applies. The Commission adopted Delegated Regulation (EU) 2025/1535 for certain products under Regulation (EU) No 168/2013, and Implementing Regulation (EU) 2025/2392 on technical descriptions for important and critical product categories.

    What Penalties Apply Under The EU Cyber Resilience Act?

    The Cyber Resilience Act allows administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, for non-compliance with essential cybersecurity requirements and manufacturer obligations, including Article 14 reporting. Lesser infringements can draw fines of up to €10 million or 2% of turnover.

    Supplying incorrect, incomplete, or misleading information can bring fines of up to €5 million or 1% of worldwide annual turnover. Member states set the detailed penalty rules, but the CRA requires penalties to be effective, proportionate, and dissuasive.

    The CRA gives market surveillance authorities a broader toolset than fines alone. Authorities can request technical documentation, evaluate products that present significant cybersecurity risk, require corrective action, restrict product availability, or order market withdrawal where legal conditions are met.

    What Should Manufacturers Do Before The September 11, 2026 CRA Deadline?

    Manufacturers should build a CRA reporting process before September 11, 2026, because the first enforceable duties concern detection, escalation, notification, and evidence. Product teams need vulnerability intake, incident severity rules, 24-hour alert routing, 72-hour assessment workflows, patch tracking, and records for final reports.

    The practical work starts with product scoping. Companies should list all products with digital elements sold or offered in the EU, identify responsible legal entities, map support periods, and confirm which products depend on remote data processing.

    Security teams should create or update vulnerability disclosure policies, software bill of materials processes, exploit monitoring, patch release workflows, and customer notification templates. Legal teams should review importer, distributor, and open-source component obligations before product release plans reach the 2027 deadline.

    How Are ENISA And EU CSIRTs Preparing The CRA Single Reporting Platform?

    ENISA is responsible for establishing and managing the CRA Single Reporting Platform, which will act as a single entry point for mandatory reports from manufacturers and open-source software stewards. ENISA says the platform will be operational by September 11, 2026, with testing before that date.

    The Commission says manufacturers will report once through the platform. The report goes to the CSIRT in the member state where the manufacturer has its main establishment and, except in exceptional circumstances, to ENISA at the same time.

    Commission Delegated Regulation (EU) 2026/881, published on April 20, 2026, sets conditions for delaying dissemination of sensitive notifications among CSIRTs. The regulation allows delay only where cybersecurity-related grounds justify it, such as sensitive exploit information, an imminent patch, a compromised reporting platform, or concerns about a CSIRT’s ability to protect information.

    How Has Industry Responded To The EU Cyber Resilience Act?

    Industry response has focused on scope, implementation guidance, open-source treatment, reporting mechanics, and the cost of proving product security across the lifecycle. DigitalEurope said in 2024 that the CRA could create a clearer framework for connected-device cybersecurity when implementation guidance avoids unnecessary burden.

    Open-source groups focused on whether maintainers, foundations, and commercial users would be treated as manufacturers or open-source software stewards. OpenSSF said that the CRA entered into force on December 10, 2024, and that some requirements become mandatory on September 11, 2026.

    The Commission’s March 3, 2026 draft guidance sought feedback on remote data processing, free and open-source software, support periods, and links with other EU legislation. That guidance signals continuing uncertainty even as the first reporting deadline approaches.

    What Business Costs And Market Risks Does The EU Cyber Resilience Act Create?

    The Cyber Resilience Act creates business costs through secure development work, vulnerability handling, technical documentation, conformity assessment, incident reporting, product support, and supplier due diligence. The largest near-term operational risk is missed reporting, because the 24-hour and 72-hour deadlines start in 2026.

    Manufacturers may need new tooling for SBOMs, exploit intelligence, product inventory, coordinated vulnerability disclosure, incident triage, customer notification, and patch tracking. Importers and distributors face risk when they sell non-compliant products or fail to act after they learn of vulnerabilities.

    The commercial risk is market access. Products that do not meet CRA obligations after the full application date may face sales restrictions in the EU. The practical effect reaches non-EU manufacturers that place products on the Union market.

    What Questions Remain Before The Cyber Resilience Act Applies In Full In 2027?

    The main unresolved CRA questions concern final guidance, harmonized standards, notified-body capacity, platform testing, member-state enforcement readiness, and how authorities will judge severe incidents in practice. The Commission has published guidance drafts, but companies still need operational detail before the September 11, 2026 reporting start.

    No major court challenge was found in the available public record. The policy process is now focused on implementation rather than repeal.

    The broader significance is that the EU is turning product cybersecurity into a market-access condition. The CRA sits alongside NIS2, the Cybersecurity Act, the AI Act, and sectoral rules, creating a compliance model where software and connected hardware must be secure, supportable, and reportable across the product lifecycle.

    How Bright Defense Helps Digital Product Makers Prepare For The EU Cyber Resilience Act

    Bright Defense helps software vendors, SaaS companies, connected-device makers, and technology suppliers prepare for the EU Cyber Resilience Act with Penetration Testing, Continuous Compliance, and Security Assessments. These services help teams validate vulnerabilities, test product security, document remediation work, collect audit-ready evidence, and prepare reports ahead of the CRA deadlines in 2026 and 2027.

    For CRA preparation, Bright Defense can assess applications, APIs, cloud platforms, embedded systems, internet-facing assets, and related product environments. The team can help verify vulnerability management processes, test likely attack paths, review security controls, and create practical evidence for incident reporting, customer trust, and market-access decisions.

    Sources Cited In This EU Cyber Resilience Act Report

    1. European Commission — Cyber Resilience Act (Accessed June 18, 2026)
      https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
    2. European Commission — Cyber Resilience Act Reporting Obligations (June 8, 2026)
      https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
    3. European Commission — The Cyber Resilience Act Summary Of The Legislative Text (December 3, 2025)
      https://digital-strategy.ec.europa.eu/en/policies/cra-summary
    4. EUR-Lex — Regulation (EU) 2024/2847, Cyber Resilience Act (November 20, 2024)
      https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
    5. ENISA — Single Reporting Platform (SRP) (Accessed June 18, 2026)
      https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp
    6. European Commission — Commission Publishes Draft Guidance To Assist Companies In Applying The Cyber Resilience Act (March 3, 2026)
      https://digital-strategy.ec.europa.eu/en/news/commission-publishes-feedback-draft-guidance-assist-companies-applying-cyber-resilience-act
    7. EUR-Lex — Commission Delegated Regulation (EU) 2026/881 (April 20, 2026)
      https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32026R0881
    8. Council Of The European Union — Cyber Resilience Act: Council Adopts New Law On Security Requirements For Digital Products (October 10, 2024)
      https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/
    9. European Commission — New EU Cybersecurity Rules Aim To Make Hardware And Software Products More Secure (September 15, 2022)
      https://digital-strategy.ec.europa.eu/en/news/new-eu-cybersecurity-rules-ensure-more-secure-hardware-and-software-products
    10. European Commission — Cyber Resilience Act Impact Assessment (September 15, 2022)
      https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-impact-assessment
    11. European Parliament — Legislative Train: European Cyber Resilience Act (Accessed June 18, 2026)
      https://www.europarl.europa.eu/legislative-train/carriage/european-cyber-resilience-act/report
    12. DigitalEurope — Developing Guidelines For The Cyber Resilience Act (September 4, 2024)
      https://www.digitaleurope.org/resources/developing-guidelines-for-the-cyber-resilience-act/
    13. OpenSSF — EU Cyber Resilience Act (Accessed June 18, 2026)
      https://openssf.org/public-policy/eu-cyber-resilience-act/
    14. OpenSSF — OSS And The CRA: Am I A Manufacturer Or A Steward? (June 2, 2025)
      https://openssf.org/blog/2025/06/02/oss-and-the-cra-am-i-a-manufacturer-or-a-steward/
    15. Hogan Lovells — EU Cyber Resilience Act: Key 2026 Milestones Toward CRA Compliance (January 20, 2026)
      https://www.hoganlovells.com/en/publications/eu-cyber-resilience-act-getting-ready-for-cra-compliance-in-2026

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates, brings readers practical insights they can trust, and keeps them ahead of the curve.
