EU Cyber Resilience Act: Timeline and Deadlines
The CRA has two critical compliance deadlines. Miss them and you risk product withdrawal from the EU market and fines of up to €15 million or 2.5% of global annual turnover.
- Reporting obligations (Article 14): 11 September 2026
- Full compliance deadline: 11 December 2027
Key Dates Explained
CRA entered into force
Regulation (EU) 2024/2847 was published in the Official Journal and entered into force. The compliance clock started.
Reporting obligations begin
Articles 14 and 17 become applicable. Manufacturers must begin reporting actively exploited vulnerabilities and significant security incidents to ENISA within 24 hours of discovery.
- Article 14 — incident and vulnerability reporting
- Article 17 — reporting to national CSIRTs
Full CRA compliance required
All products with digital elements placed on the EU market must be fully compliant. CE marking demonstrating CRA conformity is required. Products that do not comply must be withdrawn from the EU market.
- Annex I — all essential requirements
- Annex V — Declaration of Conformity
- Annex VII — Technical File
What You Should Be Doing Right Now
Most manufacturers need 12–18 months to implement all CRA requirements properly. If you haven't started, start now — the December 2027 deadline does not allow time to begin in 2026.
Now (if you haven't started)
- Run a CRA applicability assessment for each product line
- Classify products into Default / Class I / Class II / Critical
- Identify your conformity assessment route
Q3–Q4 2026 (before September 2026)
- Build Article 14 incident reporting capability before the September 2026 reporting deadline
- Publish a CVD policy and security.txt under Article 15
- Establish vulnerability monitoring against NVD, OSV, and EUVD
2026–2027 (before December 2027)
- Implement all Annex I security requirements
- Generate and automate SBOMs for all product versions
- Compile Technical File (Annex VII)
- Complete conformity assessment appropriate to your product class
- Draw up Declaration of Conformity and affix CE marking
Don't let the deadline catch you out. CRAReady helps you build a compliance programme that covers SBOM, vulnerability management, incident reporting, and your Technical File — all in one platform.