When does the Cyber Resilience Act apply?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The Cyber Resilience Act is already in force. The reporting obligation — the 24-hour early warning, 72-hour notification and 14-day final report to ENISA — applies from 11 September 2026. The full set of essential requirements, vulnerability handling, SBOM, conformity assessment and CE marking applies from 11 December 2027.

Key Facts

  • In force since 10 December 2024 (Art. 71).
  • 11 September 2026: reporting obligations start — 24h early warning, 72h notification, 14-day final report (Art. 14).
  • 11 December 2027: all essential requirements, SBOM, conformity assessment and CE marking apply.
  • Legacy trap: the September 2026 reporting duty applies to ALL products currently in use across the EU, including those placed on the market before the CRA existed — not only new products.
  • No fresh conformity assessment needed for pre-2027 products unless they undergo a substantial modification.

The CRA entered into force on 10 December 2024, so it is already law. What changes across the next two years is which obligations are active (Art. 71): **11 September 2026 — the first hard deadline.** From this date, manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA single reporting platform. This obligation is retroactive in scope: it applies to all products currently available on the EU market, including those placed there before the CRA was adopted. A legacy device that predates the regulation is still subject to the reporting duty if it is actively exploited on or after 11 September 2026. This is the "legacy trap" -- teams that treat the 2027 conformity deadline as the real start line risk being caught by the earlier reporting obligation on products they consider grandfathered. **11 December 2027 — the main implementation date.** All essential requirements from Annex I apply: secure by design and by default, free of known exploitable vulnerabilities at release, vulnerability-handling process, SBOM, support-period updates, technical documentation, conformity assessment, EU declaration of conformity and CE marking. **Products already on the market.** A product placed on the market before 11 December 2027 does not require a full CRA conformity assessment unless it undergoes a substantial modification that changes its risk profile. However, the reporting duty from September 2026 reaches back to existing products. For a product team, the practical sequence is: start the classification and conformity-assessment work now (it takes longer than most teams expect), and build the incident-detection and 24-hour escalation process as a separate track, so it is ready well before September 2026 and covers the legacy product estate.

What's next

See how Acuna handles this

When does the Cyber Resilience Act apply? | Acuna GRC Answers | Acuna