What is the Cyber Resilience Act timeline?
Direct answer
The Cyber Resilience Act entered into force on 10 December 2024. Reporting obligations start on 11 September 2026 and the bulk of the requirements — secure design, vulnerability handling, SBOM, CE marking — apply from 11 December 2027. Products already on the market before that date do not need a new conformity assessment unless they undergo a substantial modification.
Key Facts
- 10 December 2024: Regulation enters into force (Art. 71).
- 11 June 2026: Framework for notifying conformity-assessment bodies applies (Chapter IV).
- 11 September 2026: Reporting obligations start — 24h early warning, 72h notification, 14-day final report to ENISA and national CSIRT (Art. 14).
- 11 December 2027: All essential requirements, SBOM, conformity assessment and CE marking apply.
- Legacy trap: products placed on the market before 11 December 2027 do not need a new conformity assessment unless they undergo a substantial modification — but the Article 14 reporting obligation applies from 11 September 2026 to all products currently in use across the EU, including legacy systems shipped before the CRA existed.
- Penalty tiers: up to EUR 15 million or 2.5 % of worldwide turnover for breaches of Annex I or Articles 13 and 14 (Art. 64).
The CRA is already law. It entered into force on 10 December 2024 and its obligations roll out in three stages (Art. 71): | Date | Milestone | |---|---| | 10 December 2024 | Regulation enters into force | | 11 June 2026 | Framework for notifying conformity-assessment bodies applies (Chapter IV) | | **11 September 2026** | **Reporting obligations apply (Art. 14): 24-hour early warning · 72-hour notification · 14-day final report** | | 11 December 2027 | Full application: all essential requirements and manufacturer obligations | **The 11 September 2026 date is the most immediate.** From that day, manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA single reporting platform. Critically, this obligation reaches back to products already on the EU market -- it is not limited to products first placed on the market after the CRA. A legacy device that predates the regulation is still subject to the reporting duty if it is actively exploited on or after 11 September 2026. This is the "legacy trap": teams that treat the 2027 conformity deadline as the real start line risk being caught by the earlier reporting obligation on products they consider out of scope. **The 11 December 2027 deadline** covers everything else: secure by design, vulnerability-handling process, SBOM, technical documentation, conformity assessment, EU declaration of conformity and CE marking. A product placed on the market before 11 December 2027 does not require a full CRA conformity assessment unless it undergoes a substantial modification that changes its risk profile. The reporting duty from September 2026 reaches back regardless. For a product team, the practical sequence is: build the detection and 24-hour escalation process first (it arrives first and covers legacy products), then run the classification and conformity-assessment work for the 2027 deadline.
Regulatory References