The Cyber Resilience Act deadline that shapes every product roadmap is 11 December 2027, the date from which the full CRA applies and in-scope products with digital elements must meet the essential requirements, carry the CE marking, and ship with vulnerability handling in place. But 2027 is not the only date that matters. Reporting duties land on 11 September 2026, and a quieter milestone for conformity assessment bodies falls on 11 June 2026. This guide sets out the Cyber Resilience Act deadlines for 2026 and 2027 and what to do about each of them.
Regulation (EU) 2024/2847, the CRA, entered into force on 10 December 2024. From there the rules phase in through fixed milestones rather than a single switch-on date, and the reporting duties arrive more than a year before full application.
| Date | What applies | |||
|---|---|---|---|---|
| 10 December 2024 | 11 June 2026 | 11 September 2026 | 11 December 2027 | The Cyber Resilience Act deadline timeline, step by stepEntry into force came on 10 December 2024, which started the transition period without placing operator duties on anyone yet. On 11 June 2026, the rules on notified bodies begin, so that the third-party assessors needed for important and critical products can be designated before manufacturers require them. The next date with duties for manufacturers is 11 September 2026, when the reporting obligations begin. The final date is 11 December 2027, when the regulation applies in full and every substantive obligation is live. The order is deliberate. The reporting duties come first so that authorities gain visibility of actively exploited vulnerabilities and severe incidents while manufacturers are still finishing their conformity work ahead of full application. Reading the dates the other way, the reporting clock gives you a firm 2026 target and the essential requirements give you a firm 2027 target, so the roadmap plans itself once you know which products are in scope. 11 September 2026: reporting obligations beginFrom 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents in their products to the CSIRT designated as coordinator in the Member State of their main establishment and to ENISA, through the single reporting platform ENISA operates. This is the first hard Cyber Resilience Act deadline with teeth, and it applies even to products already on the market, so it runs on a tight clock well before full conformity is required. The reporting clock has three stages, and the final stage differs by report type. An early warning is due within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident. A fuller notification follows within 72 hours. Then a final report: for an exploited vulnerability, within 14 days of a corrective or mitigating measure becoming available; for a severe incident, within one month of the 72-hour notification. Standing up this workflow is 2026 work, because you cannot improvise a 24-hour reporting process during a live incident. 11 December 2027: the CRA applies in fullOn 11 December 2027 the full weight of the regulation lands. From that date, products with digital elements placed on the EU market must meet the Annex I essential requirements, and manufacturers must have completed conformity assessment, affixed the CE marking, drawn up the EU declaration of conformity, and be running vulnerability handling across a support period that reflects how long the product is expected to be in use and is at least five years unless the lifetime is shorter. Annex I has two halves, and both apply. Part I is the set of product security requirements: secure by default, no known exploitable vulnerabilities, protection from unauthorised access, confidentiality and integrity, data minimisation, resilience against denial of service, a limited attack surface, and the ability to be updated securely. Part II is the vulnerability-handling side: document components in a software bill of materials, run a coordinated vulnerability disclosure policy, ship security updates with advisories, and test regularly. Meeting one half is not enough. The manufacturer must also keep the Annex VII technical documentation and the declaration of conformity for at least ten years after the product is placed on the market, or for the support period if that is longer. What missing the deadline costsThe CRA sets administrative fines in three tiers under Article 64. Breaching the Annex I essential requirements or the Article 13 and 14 obligations can draw fines of up to EUR 15 million or 2.5% of total worldwide annual turnover, whichever is higher. Other operator obligations carry up to EUR 10 million or 2%, and supplying incorrect or misleading information to notified bodies or market surveillance authorities up to EUR 5 million or 1%. Market surveillance authorities can also order a product withdrawn or recalled, which for a connected product is often the more painful outcome than the fine. Start now: a readiness path to the 2027 deadlineThe window looks generous, but conformity assessment, CE marking, and a five-year support commitment are not last-minute tasks. A practical path starts today. Inventory your products with digital elements. Classify each one against the default, important, and critical tiers. Run a gap assessment against Annex I. Build vulnerability handling and a software bill of materials. Reuse the evidence you already hold from NIS2, DORA, and ISO 27001. Then complete conformity assessment and CE marking before 11 December 2027. Frequently Asked QuestionsWhat is the main Cyber Resilience Act deadline?11 December 2027, when the CRA applies in full. From that date, in-scope products with digital elements placed on the EU market must meet the Annex I essential requirements, have completed conformity assessment, and carry the CE marking. The earlier date of 11 September 2026 brings in the vulnerability and incident reporting duties. Do the reporting duties apply to products already on the market?Yes. From 11 September 2026, the Article 14 duty to report actively exploited vulnerabilities and severe incidents applies to in-scope products, including those already made available before full application. That is why the reporting workflow is 2026 work, not 2027 work. What happens on 11 June 2026?The rules on conformity assessment bodies (Chapter IV) begin to apply, so Member States can designate and notify the third-party bodies that will assess important class II and critical products. It is not a manufacturer deadline, but it matters if your products need third-party assessment, because you will want a notified body available in good time before December 2027. Is there a phase-in for the essential requirements?No. Unlike the reporting duties, the Annex I essential requirements, conformity assessment, CE marking, and technical documentation all switch on together on 11 December 2027. There is no staggered grace period after that date for products newly placed on the market. What are the penalties for missing the deadline?Up to EUR 15 million or 2.5% of worldwide annual turnover for breaching the essential requirements or the Article 13 and 14 obligations, with lower tiers of EUR 10 million or 2% and EUR 5 million or 1% for other breaches. Authorities can also order a non-compliant product withdrawn from the market. Planning both deadlines with VenveraThe Venvera CRA module turns this path into a tracked gap assessment, and its crosswalk engine reuses evidence you have already produced for NIS2, DORA, and ISO 27001 so you do not rebuild the same controls twice. Good CRA compliance software keeps the risk assessment, technical documentation, and vulnerability records in one place so your readiness stays tracked against both the 2026 and 2027 dates. If you want a quick baseline before you plan the work, run a free compliance check. Because the CRA layers onto obligations you may already meet, the earlier you map the overlap, the shorter the road to both deadlines. Primary sourcesThe dates and obligations above are drawn from Regulation (EU) 2024/2847 (Articles 13, 14, 31, 64, 71 on application dates, and Annexes I and VII) and the European Commission's Cyber Resilience Act policy pages and legislative summary. Confirm the current text before relying on a specific date. ![]() CEO & Founder Alexander is the founder of Venvera and a 20+ year veteran of European cybersecurity and compliance. He has led security and risk programmes for regulated financial institutions, fintechs and SaaS companies operating under DORA, NIS2, GDPR, ISO 27001 and the EU AI Act. Before Venvera, he founded Atlant Security, an offensive security consultancy that ran penetration tests, red-team exercises and ISO 27001 readiness programmes for clients across the EU and the Middle East. He writes on the cross-framework realities of running modern compliance: how to map one control to many obligations, where the spreadsheets fall apart, and what regulators are actually asking for once the auditor sits down. RELATED POSTS |




