Quick Answer: The Cyber Resilience Act (CRA) — the EU's first law setting mandatory cybersecurity requirements for products with digital elements — entered into force in December 2024 and applies in full from 11 December 2027. But the 2027 date is the reason most teams have done nothing. Here is the part that changes the maths: the reporting obligations for actively exploited vulnerabilities and severe incidents start on 11 September 2026, and rules for notifying conformity assessment bodies began on 11 June 2026. Non-compliance carries fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. The CRA covers any manufacturer placing hardware or software with digital elements on the EU market, including companies based outside the EU.
The mistake is reading "full application in December 2027" as "I have eighteen months to think about it." Secure-by-design cannot be retrofitted in a sprint. The engineering, the software bill of materials, and the vulnerability-handling process all have to exist before the product ships — which means the real lead time started running a while ago.
When Are the Actual CRA Deadlines?
The CRA phases in, and the phasing is where the planning happens. Treating it as a single 2027 event is how teams miss the obligations that arrive first.
| Milestone | Date | What it means |
|---|---|---|
| Entry into force | December 2024 | The clock started, transition period began |
| Conformity assessment body rules | 11 June 2026 | Provisions for notifying assessment bodies begin to apply |
| Reporting obligations | **11 September 2026** | Mandatory reporting of exploited vulnerabilities and severe incidents starts |
| Full application | 11 December 2027 | All CRA requirements apply to new products on the market |
The 11 September 2026 date is the one to circle. From that point, if your product has an actively exploited vulnerability or you suffer a severe incident, you must file an early warning within 24 hours and a more detailed notification within 72 hours. A reporting obligation with a 24-hour clock is not something you stand up the week before — it needs a defined process, named owners, and a tested channel, all in place ahead of time.
Who Does the Cyber Resilience Act Apply To?
The CRA applies to products with digital elements — meaning hardware and software whose intended or foreseeable use includes a direct or indirect data connection to a device or network. That is a wide net: connected devices, embedded systems, firmware-driven products, operating systems, browsers, password managers, and a great deal of ordinary software.
It applies across the supply chain — to manufacturers, importers, and distributors — and it applies regardless of where you are based. A company outside the EU that places a digital product on the EU market is in scope, the same extraterritorial logic the GDPR established.
There are boundaries worth knowing. Pure Software-as-a-Service is generally outside the CRA, because the CRA is a product law rather than a services law — although remote data processing solutions that are necessary for a product to function can be pulled back in. Certain sectors already covered by their own regimes (most medical devices, aviation) are carved out. And non-monetised open-source software released outside a commercial activity is treated differently, with lighter obligations for open-source stewards.
What Does the CRA Actually Require?
The CRA turns two ideas that used to be best practice into legal obligations: the product must be secure by design, and the manufacturer must handle vulnerabilities across the product's whole life. In practice that breaks down into concrete duties.
- Secure by design and by default. Cybersecurity has to be built into planning, design, development, and maintenance — not bolted on before launch. Products ship with a secure default configuration.
- No known exploitable vulnerabilities at release. You cannot knowingly place a product on the market carrying a vulnerability you have not addressed.
- A software bill of materials (SBOM). Component-level visibility into what your product is built from — because you cannot patch a dependency you did not know you shipped.
- Vulnerability handling for the support period. A documented process to identify, fix, and disclose vulnerabilities, with security updates provided across the product's expected lifetime.
- Documentation and conformity assessment. Risk assessments, technical documentation, an EU declaration of conformity, and the CE marking. Around 90% of products self-assess; important (Class I and II) and critical products face stricter conformity routes.
- Reporting. The 24-hour early warning and 72-hour detailed notification for actively exploited vulnerabilities and severe incidents — starting 11 September 2026.
One detail that surprises teams: documentation and evidence must be retained for ten years after a product is placed on the market, or for its support period, whichever is longer. Compliance is not a launch-day event — it is a decade-long obligation attached to every product you sell.
How Does the CRA Relate to NIS2 and DORA?
The CRA is the product-security piece of a larger EU architecture. NIS2 secures the organisations that run critical infrastructure and services. DORA secures operational resilience in the financial sector. The CRA secures the products themselves — shifting responsibility onto whoever places them on the market rather than leaving security to the end user.
For a company that builds software, this matters in a very practical way. The same engineering discipline — secure development, dependency visibility, vulnerability management, incident reporting — feeds all three regimes in different vocabularies. If you sell a connected product to an organisation that falls under NIS2, your CRA conformity is part of how that customer demonstrates its own supply-chain security. The frameworks reinforce each other, and the firms that plan for them together spend far less than the firms that treat each one as a separate fire drill.
What Should Manufacturers Do Before September 2026?
The harmonised technical standards that will make CRA conformity straightforward are still being finalised, with key deadlines through late 2026. Waiting for perfect standards before you start is the trap — the foundational work does not depend on them. Three moves matter most right now.
1. Inventory and classify your products. List every product with digital elements you place on the EU market, and classify each one (default, important Class I or II, or critical). Classification decides your conformity route and your testing effort, and it stays valid no matter how the standards land.
2. Stand up vulnerability handling and reporting now. Build the SBOM, define the secure development process, and create the 24-hour and 72-hour reporting workflow with named owners. This is the obligation with the nearest hard deadline — 11 September 2026.
3. Close the secure-by-design gaps in engineering. Add security gates to your development and release pipeline so vulnerabilities are caught before products ship, and so the evidence a market surveillance authority might ask for is generated automatically rather than reconstructed under pressure.
About This Article

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.
Cite This Article
APA Format
Olga Pascal. (2026). Cyber Resilience Act 2026: Full Enforcement Is 2027, but Your First Deadline Is This September. Optimum Web. https://www.optimum-web.com/blog/cyber-resilience-act-2026-first-deadline-september/
