Cyber Resilience Act: Current Status — July 2026
Where the EU Cyber Resilience Act stands right now: which obligations already apply, which deadline comes next, and what manufacturers should do about it.
Quick Answer
As of July 2026, the Cyber Resilience Act (Regulation (EU) 2024/2847) is in force and in its transition period. The notified-body provisions have applied since June 11, 2026. The next deadline is September 11, 2026: mandatory ENISA reporting of actively exploited vulnerabilities. Full application for all new products follows on December 11, 2027.
Is the Cyber Resilience Act Already in Force?
Yes. The CRA entered into force on December 10, 2024, and applies directly in all EU member states — no national implementation laws are needed. Its obligations phase in over a three-year transition period, which is why most manufacturers are currently in the preparation window rather than under full enforcement.
Which CRA Deadlines Apply — and Which Comes Next?
The regulation fixes four milestones. Here is where they stand as of July 2026:
| Date | Milestone | Status |
|---|---|---|
| Dec 10, 2024 | CRA enters into force — transition period starts for all manufacturers | Passed |
| Jun 11, 2026 | Notified-body provisions apply (Chapter IV) — conformity assessment bodies can be notified | Passed |
| Sep 11, 2026 | Article 14 reporting obligations begin: actively exploited vulnerabilities and severe incidents must be reported to ENISA within 24 hours — including for products already on the market | Next up |
| Dec 11, 2027 | Full application: every new product with digital elements placed on the EU market must meet all CRA requirements | Upcoming |
What Should Manufacturers Do Now?
With less than two months to the reporting deadline, the July 2026 priorities are clear:
- 1
Stand up the reporting process before September 11, 2026
The 24h/72h/14-day ENISA cascade applies to products already on the market. You need vulnerability monitoring, an assessment path and a submission workflow — running, not planned.
- 2
Complete the product inventory and risk classification
Which products fall under the CRA, and into which Annex III class? The classification decides whether self-assessment is enough or a notified body must be involved — and notified-body capacity for the CRA is only now building up.
- 3
Work backwards from December 2027
A CRA compliance project typically takes 9–12 months. Products placed on the market from December 11, 2027 need the full evidence chain: risk assessment, SBOM, Annex VII documentation, declaration of conformity.
Frequently Asked Questions About the Current CRA Status
When does the Cyber Resilience Act apply?+
The CRA has been in force since December 10, 2024, with obligations phasing in: the notified-body provisions have applied since June 11, 2026, ENISA reporting obligations start September 11, 2026, and full application for all new products on the EU market begins December 11, 2027.
Is the Cyber Resilience Act already in force?+
Yes, since December 10, 2024. As an EU regulation it applies directly in all member states without national implementation laws. Most obligations, however, only take effect after the transition period — the next binding deadline is the reporting obligation from September 11, 2026.
What changes on September 11, 2026?+
From that date, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA: early warning within 24 hours, supplementary details within 72 hours, final report within 14 days (vulnerabilities) or one month (incidents). This also covers products already on the market.
Does the CRA apply to products already on the market?+
The full product requirements apply to products placed on the EU market from December 11, 2027. The Article 14 reporting obligations from September 11, 2026, however, also cover products already on the market — vulnerabilities in existing products must be monitored and reported.
Where can I read the official CRA text?+
The official text of Regulation (EU) 2024/2847 is published on EUR-Lex in all EU languages, including a PDF version from the Official Journal. Our knowledge base mirrors the full text — all articles, recitals and annexes — with plain-language explanations and FAQ.
How Ready Are You for the Next Deadline?
The free CRA maturity assessment shows you in about 15 minutes where your organization stands against the September 2026 and December 2027 milestones — with a prioritized roadmap.