As of 2026-03-09T21:05:01Z (UTC), the Cyber Resilience Act (CRA) is no longer just a “2027 problem” for hardware and software makers selling into the EU. The operational clock that matters first is 11 September 2026, when mandatory reporting for actively exploited vulnerabilities and severe incidents starts.[1][2][3][4]

The practical shift is simple: teams that still treat compliance as a documentation stream running in parallel to engineering are now late. Reporting windows measured in hours mean your incident response, product telemetry, patch workflow, and regulatory workflow have to run as one system.

Image note: The header photo shows the Berlaymont building in Brussels, the European Commission’s headquarters. It is included as policy context for CRA implementation and is not evidence of any specific cyber incident or enforcement action.[7]

What has already moved from policy to schedule

Three timeline anchors are now stable enough to plan against:

That sequencing matters. September 2026 is effectively a live-fire readiness test one year before full application.

What “reporting obligations” mean in real operations

Under Commission and ENISA implementation materials, reporting is staged, not one-shot:[2][5]

  1. Early warning within 24 hours of becoming aware.
  2. Notification within 72 hours with initial assessment details.
  3. Final reporting on a later clock (for example, after corrective measures are available for exploited vulnerabilities, or within a month for severe incidents).

Manufacturers are expected to report through the CRA Single Reporting Platform (SRP) rather than building separate notification workflows per member state authority.[2][5]

For leadership teams, this changes org design decisions today: if incident triage cannot produce regulator-grade facts inside 24 to 72 hours, the formal legal deadline is already missed even if patching quality is strong.

Why many teams still underprice the September-2026 milestone

1) They index on the 2027 date and miss the 2026 control gate

The “full application in December 2027” headline is true, but operationally incomplete. The September-2026 reporting start means companies need production-ready detection, escalation, ownership, and evidence pipelines before that date.[1][2][4]

2) They treat the SRP as a portal project, not an incident-governance project

The portal matters less than the upstream system feeding it: product inventory, vulnerability ownership, exploitation confidence levels, and legal sign-off lanes. ENISA’s implementation path makes clear that this is an ecosystem workflow, not a single web form.[2][5]

3) They assume “we have SOC tooling” equals “we can meet CRA reporting quality”

SOC alerting helps, but CRA reporting needs product-level context (affected versions, remediation status, dissemination risk, jurisdictional routing) that many engineering organizations still track manually.[2][5][6]

A realistic readiness build for the next 6 months

If your products are in EU scope, the minimum practical track looks like this:

Use a simple pass/fail question: Can we produce a defensible, regulator-ready initial report in under 24 hours on a weekend with partial data? If not, the gap is operational, not legal.

What to watch next (and what can still move)

Two moving parts should stay on your watchlist:

  1. Secondary acts and guidance cadence (delegated/implementing measures and Commission guidance through 2026).[4]
  2. Standardization deliverables and conformity-assessment capacity milestones scheduled across 2026–2027.[4]

These can change implementation friction and evidence expectations by product class, even if the headline dates remain fixed.

Bottom line

The CRA is now in an execution phase where time-to-detection and time-to-regulatory-notification become first-class product metrics. For most teams, the real decision is no longer whether to prepare, but whether to build a fast, evidence-ready reporting lane before 11 September 2026 or absorb repeated deadline risk afterward.

Sources

  1. European Commission, Cyber Resilience Act (entry into force, application timeline)
  2. European Commission, Cyber Resilience Act – Reporting obligations (24h/72h/final reporting flow, SRP)
  3. Regulation (EU) 2024/2847, Cyber Resilience Act legal text (EUR-Lex)
  4. European Commission, Cyber Resilience Act – Implementation (progress milestones through 2026–2027)
  5. ENISA, Single Reporting Platform (SRP) FAQ and implementation notes
  6. BSI (Germany), Cyber Resilience Act implementation explainer
  7. Wikimedia Commons image source, Berlaymont building, Brussels (photo: Trougnouf)