← Regulatory Horizon

EU Cybersecurity

EU Cyber Resilience Act: deadlines, obligations & 2026 timeline

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024. Its reporting obligations apply from 11 September 2026 and its main obligations from 11 December 2027. It covers nearly every product with digital elements sold into the EU.

Next deadline: 11 September 2026 · 67 days

Deadline timeline

  1. Entry into force · passed

    Regulation (EU) 2024/2847 enters into force; the phased application clock starts.

    Applies to: All products with digital elements

    Source ↗
  2. Product-class technical descriptions take effect · passed

    Commission Implementing Regulation (EU) 2025/2392 takes effect, setting out the technical descriptions of the important (Annex III) and critical (Annex IV) product categories so manufacturers can classify products and determine their conformity assessment route.

    Applies to: Manufacturers of important and critical products with digital elements

    Source ↗
  3. Conformity assessment bodies · passed

    Provisions on the notification of conformity assessment bodies begin to apply.

    Applies to: Notified/conformity assessment bodies

    Source ↗
  4. Reporting obligations apply

    Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA on a 24h / 72h / 14-day timeline via the Single Reporting Platform.

    Applies to: Manufacturers of products with digital elements

    Source ↗
  5. Main obligations apply

    Full application: essential cybersecurity requirements (Annex I), CE marking, conformity assessment, and technical documentation.

    Applies to: Manufacturers, importers, distributors

    Source ↗

Who’s in scope

  • Any product with digital elements — hardware or software — whose use includes a direct or indirect data connection to a device or network
  • Smart consumer electronics, industrial IoT, embedded components, and standalone software

Exclusions

  • Medical devices under MDR/IVDR (Article 2(2))
  • Motor vehicles under the EU type-approval regime (Article 2(2)(c)) — but the same systems sold separately remain in scope
  • Civil aviation products (Article 2(3)) and marine equipment (Article 2(4))
  • Products developed exclusively for national security or defence (Article 2(7))

The Cyber Resilience Act phases in over three years. The date most manufacturers need on the wall is 11 September 2026, when the vulnerability and incident reporting obligations begin: an early warning to ENISA within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, a substantive notification within 72 hours, and a final report within 14 days. The “becoming aware” trigger is wide — the clock starts at first credible internal awareness, not formal escalation — so the operational work is building the reporting decision into your incident-response runbook before the deadline, not after an incident hits.

The heavier lift lands on 11 December 2027, when the essential cybersecurity requirements in Annex I, CE marking, conformity assessment, and technical documentation all apply. Reporting failures sit in the top penalty tier under Article 64 — up to €15 million or 2.5% of worldwide annual turnover — so this is not a regime to treat as low-stakes. The default assumption for any regulated hardware product is that the CRA applies until you have verified a specific exclusion holds.

For the operational detail on the reporting workflow itself, see the deep dive: What the EU CRA’s September 2026 reporting obligation requires.

Last reviewed . Deadlines change — always confirm against the cited primary source.