
CRA December 2027 readiness — the 18-month roadmap to full conformity

18-month preparation roadmap to 11 December 2027 CRA full application. Quarterly milestones for Annex I conformity, Technical File, DoC, and Notified Body engagement.

By Vladimír Vician · 25 June 2026

TL;DR

On 11 December 2027 the CRA Annex I essential cybersecurity requirements become enforceable. From that date no new product with digital elements can be placed on the EU market without satisfying Annex I, citing CRA on the DoC, and maintaining the Annex VII Technical File. This article provides an 18-month preparation roadmap with quarterly milestones — through scope analysis, Annex I gap assessment, harmonised standard tracking, Notified Body engagement (where required), Technical File compilation, and DoC reissue.

On 11 December 2027 the Cyber Resilience Act enters full application per Article 71(2). From that date, no product with digital elements can be CE-marked or placed on the EU market without satisfying the essential cybersecurity requirements in Annex I.

This article is the practical 18-month preparation roadmap — what to do in each quarter from mid-2026 through Q4 2027 to be ready on the application date.

For the parallel September 2026 reporting milestone, see CRA September 2026 reporting checklist. For the full CRA timeline, see CRA timeline and reporting obligations.

Preparation timeline at a glance

              Mid-2026   Q4 2026    Q1 2027    Q2 2027    Q3 2027   T-30 days
                 │           │           │           │           │       │
                 ▼           ▼           ▼           ▼           ▼       ▼
Phase 1: Scope    █──────────█
Phase 2: Annex I gap          █──────────█
Phase 3: NB engagement                    █───────────────█       (Class I/II/critical)
Phase 4: Tech File                                    █──────█
Phase 5: DoC reissue                                              █──────█
Phase 6: Production                                                          █
                                                                          DEC 11 2027

Quarterly milestones

Q3 2026 — Phase 1: scope analysis

Before mid-September 2026 (overlapping with the Article 14 reporting deadline):

  • List every product the manufacturer places on the EU market
  • Classify each product against the CRA scope per Article 3(1) — is it a product with digital elements?
  • Categorise each in-scope product as standard / Annex III Class I / Annex III Class II / Annex IV critical. See CRA Annex III important products
  • Document classification rationale for each product in the Technical File
  • Identify conformity assessment route per Article 32 (Module A self-assessment for standard products; Module A or B+C/H for Class I; B+C/D/E/F or H for Class II; full Module H + EU certification for critical)
  • Confirm in-scope inventory with engineering, product management, and legal stakeholders

The output of Phase 1 is a per-product compliance plan with realistic effort estimates.

Q4 2026 — Phase 2: Annex I gap assessment

For each in-scope product:

  • Map current product capabilities against the 13 Annex I Part I design requirements and the 8 Part II vulnerability handling requirements
  • Document gaps — which requirements are satisfied today, which are partially satisfied, which need engineering work
  • Estimate effort to close each gap
  • Prioritise — focus on requirements that have the largest implementation lead time (secure boot, secure update, signed firmware distribution typically take longest)
  • Initiate engineering work on high-effort gaps

For products in scope of the RED Delegated Act (Commission Delegated Regulation 2022/30), the EN 18031 conformity work performed by August 2025 covers approximately 70-85% of CRA Annex I — see RED Delegated Act + EN 18031 walkthrough. The remaining gap is the formalisation of vulnerability handling processes (Part II requirements).

Q1 2027 — Phase 3 begins: Notified Body engagement (for Class I requiring NB, Class II, critical)

For products requiring Notified Body involvement:

  • Select Notified Body from NANDO — confirm the NB is designated for CRA on the date of intended engagement
  • Submit initial enquiry — Notified Bodies typically have 3 to 6 month queues for new CRA assessments
  • Negotiate scope and cost — Module B (type examination), Module D/E/H (production / QMS surveillance) selection, fee structure, surveillance schedule
  • Begin Technical File preparation for NB submission (Phase 4 starts in parallel)

Critical product manufacturers face additional EU certification scheme processing under Article 8; the scheme's specific implementation may not be fully operational until 2027, requiring even earlier preparation.

For standard products using Module A self-assessment, no NB engagement is needed and Phase 3 is skipped.

Q2 2027 — Phase 4: Technical File compilation and final engineering

For every in-scope product:

  • Complete the engineering work identified in Phase 2 — all Annex I Part I capabilities operational, Part II processes documented and tested
  • Compile the Technical File per Annex VII — see Technical File 101 and Technical File for IoT devices template
  • Generate SBOMs per release in CycloneDX or SPDX — see SBOM CycloneDX vs SPDX
  • Run cybersecurity test campaigns — internal SAST/DAST, dependency scans, optional third-party penetration test for higher-risk products
  • Document conformity — for Module A products, internal documentation; for NB-engaged products, prepare submission package

For NB-engaged products, NB review typically runs Q2-Q3 2027.

Q3 2027 — Phase 5: DoC reissue and final preparations

Reaching the home stretch:

  • Draft the CRA-citing Declaration of Conformity for each product (citing CRA Regulation (EU) 2024/2847 alongside other applicable directives — see Sample DoC walkthrough)
  • For NB-engaged products, receive the EU-type examination certificate; reference the NB number and certificate on the DoC
  • Update product labelling — ensure CE mark visibility and the NB number where applicable
  • Update product packaging and accompanying documents to reference the new DoC and include the CRA citation
  • Update EC REP copies for non-EU manufacturers
  • Train customer support and sales on CRA-related customer queries — support periods, SBOM availability, CVD policy

T-30 days to T-0 (11 December 2027) — Phase 6: production cutover

The last month:

  • Hold final pre-production review — Technical File current, DoC signed, product labels and packaging updated
  • Stop legacy production of products that will be non-conformant on or after 11 December 2027
  • Start CRA-conformant production — for stockpile-and-ship operations, all stock placed on the market from 11 December 2027 onwards must be CRA-conformant
  • Confirm post-market surveillance is operational — Article 13 vulnerability handling, Article 14 reporting workflow (now in force since September 2026)

Common preparation gaps

From the Inovasense practice working with manufacturers preparing for December 2027:

  • Starting Annex I gap work too late. A 6-month preparation window is sufficient only for the simplest standard products. Class I products requiring NB engagement need 12 months minimum.
  • Confusing September 2026 reporting with December 2027 substantive conformity. Both are CRA obligations but they apply at different dates — September 2026 reporting only; December 2027 full Annex I conformity.
  • Assuming products on the market before December 2027 are exempt. Article 13 vulnerability handling and Article 14 reporting apply throughout the support period regardless of original placement date.
  • Treating EN 18031 RED Delegated Act work as automatically satisfying CRA Annex I. It covers most of Part I but the Part II vulnerability handling formalisations under CRA (explicit SBOM, mandatory CVD policy, severity-tiered patch SLA) need to be made specific.
  • Not engaging a Notified Body early enough. Top-tier NBs (TÜV SÜD, DEKRA, SGS, BSI) had 6+ month queues for CRA assessment as of mid-2026.
  • Assuming a generic ISO 27001 ISMS substitutes for CRA Annex I. ISO 27001 covers the manufacturer's information security management, not the product's compliance. See ISO 27001 vs CRA (cluster article when published).
  • Not version-controlling SBOMs. A historic SBOM is needed when an incident is reported on a product version no longer in production.
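
Added example (not part of the original article and not Cenitia's code): why the SBOM archive in the last point matters in practice. The sketch searches one archived CycloneDX JSON SBOM per release for a component named in an advisory and returns every release that shipped it, including releases no longer in production. The product name, component name, versions and the exact-version advisory format are constructed assumptions.

```python
import json

def make_sbom(release, components):
    """Build a constructed CycloneDX JSON SBOM for one hypothetical release."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "firmware", "name": "gateway-fw",
                                   "version": release}},
        "components": components,
    })

# Constructed archive: one SBOM per shipped release, as kept under version control.
SBOM_ARCHIVE = [
    make_sbom("1.2.0", [{"type": "library", "name": "libexample-tls", "version": "3.0.8"}]),
    make_sbom("1.3.0", [{"type": "library", "name": "libexample-tls", "version": "3.0.13"}]),
    # 2.0.0 bundles the library inside another component (nested "components").
    make_sbom("2.0.0", [{"type": "application", "name": "updater", "version": "0.9",
                         "components": [{"type": "library", "name": "libexample-tls",
                                         "version": "3.0.8"}]}]),
]

def iter_components(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))

def affected_releases(archive, component, bad_versions):
    """Return sorted (product, release, component_version) tuples for each
    archived release containing `component` at a version in `bad_versions`."""
    hits = set()
    for text in archive:
        bom = json.loads(text)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        subject = bom.get("metadata", {}).get("component")
        if not subject or "version" not in subject:
            # An SBOM that does not name its release cannot answer
            # "which shipped versions are affected?", so fail loudly.
            raise ValueError("SBOM does not identify the release it describes")
        for comp in iter_components(bom.get("components")):
            if comp.get("name") == component and comp.get("version") in bad_versions:
                hits.add((subject.get("name", "?"), subject["version"], comp["version"]))
    return sorted(hits)

if __name__ == "__main__":
    # Hypothetical advisory: libexample-tls 3.0.8 is affected.
    for product, release, version in affected_releases(SBOM_ARCHIVE, "libexample-tls", {"3.0.8"}):
        print(f"{product} {release} ships libexample-tls {version}")
```

Release 2.0.0 is only found because nested components are walked, and an SBOM that omits its own release version is rejected rather than silently skipped.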

How Cenitia helps with December 2027 readiness

Cenitia automates the per-product Annex I gap assessment, generates the Technical File template aligned with Annex VII, ingests SBOMs and monitors them against vulnerability feeds, produces CRA-citing Declaration of Conformity drafts, and tracks every cited regulation and standard for amendment between now and December 2027.

For products needing Notified Body engagement, NB queue management, or full lifecycle compliance operations, our parent company Inovasense provides consulting.


Frequently asked questions

What happens on 11 December 2027?

Per Article 71(2) of the Cyber Resilience Act, this is the date the Annex I essential cybersecurity requirements become enforceable. From this date no new product with digital elements can be CE-marked or placed on the EU market without satisfying Annex I, citing CRA on the Declaration of Conformity, and maintaining a CRA-compliant Technical File. Products already on the market before this date continue under their existing conformity but must still satisfy the Article 13 vulnerability handling and Article 14 reporting obligations.

What is a realistic 18-month preparation timeline?

For a standard product (Module A self-assessment): 4 to 8 months of engineering and documentation work, leaving slack for testing campaigns and regulation tracking. For an Annex III Class I important product where Notified Body involvement is needed: 9 to 12 months including NB queue time. For Class II or critical: 12 to 18 months including NB queue and EU certification scheme processing. Starting earlier reduces risk; starting at T-6 months for a Class II product is high risk.

What if EN 18031 is not fully cited in the Official Journal by December 2027?

EN 18031-1, -2, -3 were cited in the Official Journal under RED Delegated Act 2022/30 in 2025. For CRA, the harmonised standard family is in development with citation expected through 2026 and 2027. Until cited under CRA specifically, manufacturers either: anticipate the standard with that caveat documented; use EN 18031 cited under RED Delegated Act as evidence of equivalent practice; or take a Module B+C/H path with a Notified Body that establishes presumption of conformity through type examination. Monitor the Official Journal CRA harmonised standards section continuously.

Do products placed on the market before 11 December 2027 need to be CRA-compliant?

Products placed on the market before that date do not need to retrospectively meet Annex I Part I (design requirements). However, Article 13 vulnerability handling and Article 14 reporting obligations apply throughout the support period for any product still actively supported on or after 11 December 2027. In practice, manufacturers continuing to ship products that were originally placed on the market before December 2027 should re-evaluate whether each new shipment constitutes a 'placing on the market' under Article 3 — which would bring the unit into CRA scope.

How do I know when my product has crossed into 'placed on the market' under CRA Article 3?

Article 3(13) defines 'placing on the market' as the first making available of a product on the Union market. Each unit is placed on the market when first supplied for distribution, consumption, or use in the EU market in the course of a commercial activity. For hardware shipped continuously, every shipment after 11 December 2027 is a new placing on the market and is subject to Annex I. For software products, each download is potentially a placing on the market; the manufacturer's distribution model determines the exact pattern.

What if the product is an upgrade or new version of an existing product?

Under CRA Recital 30 and the Blue Guide approach to substantial modifications, a new version that materially changes the product (functional changes, new features bringing it into a new directive scope) is a new product for CE marking purposes — and must satisfy the regulations in force at the time of placing it on the market. A new firmware release with security updates only is typically not a new product. The grey area is where firmware updates add user-facing features; document the manufacturer's classification in the Technical File.

Related from the Library

  • CRA timeline and reporting obligations — pillar context
  • CRA Annex I explained — the substantive requirements coming into force
  • CRA Annex III important products — classification for NB engagement decision
  • Technical File 101 — the Annex VII structure
  • CRA September 2026 reporting checklist — the earlier milestone

Further reading

  • Cyber Resilience Act Article 71 — transitional provisions
  • Cyber Resilience Act Article 32 — Conformity assessment procedures
  • Cyber Resilience Act Article 8 — EU Cybersecurity Certification scheme
  • ENISA CRA implementation guidance
  • Official Journal — CRA harmonised standards section

Last reviewed: 30 June 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.


Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.
