Cyber Resilience Act: every deadline and phase you must hit by 2027

10 December 2024 – CRA entered into force

The regulation entered into force and the transition period began. Legally, CRA is in effect – only its main obligations apply later. For companies this means one thing: the clock is already running and this is the official starting line for preparation.

11 September 2026 – the first hard obligations

This date is often underrated in CRA discussions. Reporting obligations start before full compliance. Manufacturers must report, within short deadlines:

• actively exploited vulnerabilities in their products,
• severe cybersecurity incidents that affect the security of the product.

Reports go to ENISA via a single platform and follow a multi-stage pattern – from an early warning to a detailed report. To meet these deadlines, a company needs processes and templates ready in advance, not only at the moment of an incident.

11 December 2027 – full CRA compliance

From this date, all products with digital elements placed on the EU market must meet CRA requirements, have complete technical documentation, a completed conformity assessment, the EU declaration of conformity and the CE marking. A product that does not meet these conditions cannot legally be placed on the market.

Why 'we have time until 2027' is a trap

CRA compliance is not a document written at the last minute. It is the result of processes that must run for months in advance:

1. 1Security by design means decisions early in development – hard to change in a finished product.
2. 2The risk assessment and threat modeling are the input for everything else, so they must be done first.
3. 3Vulnerability management and incident reporting processes must work from September 2026 – more than a year before full compliance.
4. 4Important and critical class products require a notified body, which adds extra time.