CRA Deadlines Explained: Sep 2026 vs Dec 2027
The CRA has three critical dates. Here's what each one means and what you need to have ready before each deadline.
The EU Cyber Resilience Act introduces a phased compliance timeline with three distinct dates that manufacturers, importers, and distributors need to understand. Getting them confused — or treating the regulation as a single December 2027 deadline — is one of the most common planning mistakes we see.
The Three Key Dates
December 2024 — Entry into Force
The CRA officially entered into force in December 2024 after publication in the Official Journal of the EU. From this point, the regulation exists as law, but most obligations are not yet active. This date starts the clock for the transition periods that lead to the two enforcement deadlines below.
September 2026 — Incident Reporting Obligations
Article 14 incident reporting obligations become enforceable from September 2026, 15 months before full product compliance is required. This is significant: manufacturers need to have their incident detection and reporting processes in place well before they need to certify their products.
⚠️ Important: Article 14 incident reporting obligations apply from September 2026 — over a year before full compliance is required.
From this date, manufacturers who become aware of an actively exploited vulnerability or a security incident affecting their product must follow a strict three-stage reporting process: a 24-hour early warning to ENISA, a 72-hour detailed report, and a final report within 14 days of issuing a patch or one month from awareness.
December 2027 — Full Compliance Required
This is the headline deadline most manufacturers are planning toward. By December 2027, all products with digital elements placed on the EU market must meet the essential cybersecurity requirements in Annex I, including security by design, vulnerability handling, and SBOM documentation. Products already on the market before this date are grandfathered in — but any product placed on the market on or after this date must comply in full.
Why the September 2026 Deadline Matters More Than You Think
Many manufacturers are treating December 2027 as their only planning horizon. This is a mistake for two reasons.
First, building a robust incident detection and Article 14-compliant reporting workflow takes significant organisational work. You need monitoring capabilities, a documented escalation process, legal review of disclosure obligations, and integration with ENISA's reporting systems. This is not something that can be stood up in weeks.
Second, national market surveillance authorities (MSAs) will be empowered to enforce Article 14 from September 2026. A manufacturer who experiences a significant incident in October 2026 and fails to submit the required reports will be in violation of the law, regardless of whether their products are technically compliant with Annex I requirements.
What to Prioritise Now
Given these timelines, manufacturers should prioritise in this order. First, complete a CRA applicability assessment to understand your classification and obligations. Second, build the incident detection and reporting workflow needed for September 2026. Third, work through the technical Annex I requirements — SBOM generation, vulnerability disclosure policy, security update mechanisms — in time for December 2027.
Waiting until late 2027 to begin is not viable. The conformity assessment process for Class I and Class II products alone requires documentation preparation, testing, and in some cases third-party audit time that manufacturers should not underestimate.