
CRA Compliance Timeline: Every Deadline You Need to Know

The EU Cyber Resilience Act has a phased rollout. Reporting obligations start September 2026. Full compliance is required by December 2027. Here's what happens when.


Complete Timeline

Dec 10, 2024: CRA entered into force (Regulation (EU) 2024/2847 published)
Jun 11, 2026: Conformity assessment bodies must be designated by member states
Sep 11, 2026: ENISA vulnerability reporting obligations begin — Article 14 applies
Sep 11, 2026: ENISA Single Reporting Platform (SRP) must be operational
Dec 11, 2027: Full CRA compliance required — all obligations apply
Dec 11, 2027: CE marking must include cybersecurity compliance

September 11, 2026 — What Changes

This is the first mandatory deadline. From this date, manufacturers must report actively exploited vulnerabilities to ENISA following the Article 14 timeline:

  • 24 hours — Early warning to ENISA after becoming aware of an actively exploited vulnerability
  • 72 hours — Full vulnerability notification with details of impact and initial mitigation
  • 14 days — Final report after a corrective measure (patch or workaround) is available

This deadline is not optional

If you manufacture connected products sold in the EU, then from September 11, 2026 you must be able to detect, assess, and report vulnerabilities within 24 hours. This requires monitoring infrastructure in place before the deadline; you cannot build it in the moment.

December 11, 2027 — Full Compliance

From this date, all CRA requirements apply in full. Products placed on the EU market must meet all cybersecurity requirements, and CE marking must reflect cybersecurity compliance.

This means:

  • All products must be designed with security by design from day one
  • A Software Bill of Materials (SBOM) must be maintained for every product
  • Vulnerability management processes must be documented and operational
  • Security updates must be provided for the expected product lifetime (minimum 5 years)
  • Technical documentation (Annex VII) must be maintained and available
  • A Declaration of Conformity must be signed before applying CE marking
  • A coordinated vulnerability disclosure (CVD) policy must be publicly available

What You Should Do Now

With the September 2026 reporting deadline approaching, manufacturers should prioritize:

  • Generate SBOMs for all products currently on the market — you need to know what's inside your products before you can monitor for vulnerabilities
  • Set up automated vulnerability monitoring — manual CVE tracking won't meet a 24-hour deadline
  • Establish an ENISA reporting workflow — know who is responsible, what the process is, and where reports go
  • Start compliance gap analysis — identify which CRA requirements you already meet and which need work
  • Document your vulnerability handling process — this is required evidence for conformity assessment

Products Already on the Market

The CRA applies to products placed on the EU market after December 11, 2027. However, the reporting obligations under Article 14 apply from September 11, 2026 to all products that are still supported and receiving updates.

If you shipped an IoT device in 2023 and it is still receiving firmware updates, the September 2026 reporting obligations apply to it. A vulnerability in that device's firmware is your responsibility under the CRA.

How Lexoreg Helps You Meet These Deadlines

Lexoreg is designed specifically for the CRA compliance timeline. Upload your SBOM today, and we start monitoring immediately — so you are ready before September 2026, not scrambling after.

  • SBOM upload and parsing — CycloneDX and SPDX formats supported
  • CVE monitoring every 2 hours — NVD, OSV, CISA KEV, EUVD sources
  • ENISA Article 14 report auto-drafting — 24h/72h/14d chain
  • CRA compliance checklist — track your readiness for December 2027
  • Audit trail — 5-year retention for regulatory evidence

Ready to automate CRA compliance?

Lexoreg handles SBOM management, vulnerability monitoring, and ENISA reporting — so your team can focus on building products.