CRA timeline and reporting obligations — September 2026, December 2027, and the 24-hour rule
Complete CRA timeline: 11 September 2026 ENISA reporting starts, 11 December 2027 full application. The 24-hour rule, 72-hour update, and final report explained.
By Vladimír Vician
The Cyber Resilience Act (Regulation (EU) 2024/2847) has four critical dates between publication and full application. Misunderstanding the order or the obligations between them is the single most common CRA mistake we see in manufacturers' compliance roadmaps.
This article explains every milestone, the 24-hour reporting rule that activates on 11 September 2026, what counts as an actively exploited vulnerability or a severe incident, who you report to, what the penalties are for failure to report, and how the CRA reporting obligations relate to GDPR and NIS2 reporting.
The four CRA dates
| Date | Event |
|---|---|
| 11 December 2024 | CRA entered into force (publication in Official Journal) |
| 11 June 2026 | Conformity assessment bodies can be notified for CRA |
| 11 September 2026 | Article 14 reporting obligations apply — 24-hour rule activates |
| 11 December 2027 | Full application — no new product placed on the EU market without satisfying Annex I |
Article 71 of the CRA contains the staggered entry-into-application schedule. The dates are fixed in the regulation and not subject to delegated postponement.
What happens at each milestone
11 December 2024 — entry into force
The CRA was published in the Official Journal on this date. From this point onwards the regulation is law, but the substantive obligations on manufacturers are not yet active. Conformity assessment bodies could not yet be designated, harmonised standards had not yet been listed in the Official Journal, and manufacturers had a 36-month transition window to prepare.
11 June 2026 — Notified Bodies can be designated
Per Article 71(2), from this date member states can notify conformity assessment bodies under the CRA. Notified Bodies that hold designation can issue Module B/C/D/H certificates for products that need them (CRA Annex III important products, CRA Annex IV critical products).
This is the date manufacturers preparing CRA conformity for important or critical products start engaging with potential Notified Bodies. The NANDO database starts listing CRA-designated bodies from this date.
11 September 2026 — reporting obligations apply
This is the most underestimated CRA date. From 11 September 2026 onwards, every manufacturer of a product with digital elements already on or being placed on the EU market is subject to the Article 14 reporting obligations:
- Actively exploited vulnerabilities — 24-hour early warning, 72-hour incident notification, monthly progress reports, and a final report within 14 days of fix availability
- Severe incidents having an impact on security — same three-tier reporting schedule
The 24-hour clock starts when the manufacturer becomes aware of the vulnerability or incident. "Awareness" is interpreted as a confirmed report — vague rumours and unconfirmed claims do not start the clock, but a credible threat intelligence report or internal triage finding does.
11 December 2027 — full application
From this date onwards no product with digital elements can be CE-marked or placed on the EU market without satisfying Annex I essential requirements. The Declaration of Conformity must cite the CRA. The Technical File (see TF 101) must contain the eight Annex VII sections including the SBOM. The conformity assessment must have been performed under the appropriate module — Module A self-assessment for standard products, Module B+C or H for important products in Annex III.
Products already on the market before this date continue to be sold without retrospective Annex I conformity, but the Article 13 vulnerability handling processes and Article 14 reporting obligations still apply to them through their declared support period.
The 24-hour rule explained
Article 14 of the CRA imposes a three-tier reporting cascade for actively exploited vulnerabilities and severe incidents:
Tier 1 — Early warning (24 hours)
Within 24 hours of becoming aware, the manufacturer submits to ENISA and the CSIRT designated as single point of contact in a member state:
- Whether the vulnerability is suspected of being caused by malicious activity
- The nature of the issue and the affected products
- Member states where the manufacturer is established
- Initial contact point at the manufacturer
The early warning is intentionally short — its purpose is to let CSIRTs and ENISA start coordinating, not to require a full technical report under time pressure.
Tier 2 — Incident notification (72 hours)
Within 72 hours of awareness, the manufacturer updates the report with:
- An assessment of the vulnerability or incident's severity (CVSS or equivalent)
- Available mitigations or workarounds
- Geographical spread of affected products — which member states, how many units approximately
- Whether personal data was likely affected (which may also trigger a parallel GDPR notification)
Tier 3 — Final report (within 14 days of fix availability)
A complete report after remediation:
- Description of the vulnerability or incident
- Severity, impact assessment
- Root cause analysis
- Corrective measures applied
- Mitigations and updates made available to users
- Lessons learned and any longer-term hardening planned
Until the final report is submitted, monthly progress updates are required if the incident remains unresolved.
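The three-tier cascade described above, turned into a deadline tracker a reporting officer could run against an incident. This is an added example, not code from the article or from Cenitia; the 30-day cadence used for "monthly" progress updates, the tier names, and the `utc` helper are this example's assumptions.

```python
"""Article 14 reporting-cascade deadline tracker (added example, not from
the article): 24-hour early warning, 72-hour incident notification,
monthly progress updates while unresolved, final report 14 days after a
fix is available. "Monthly" is assumed to mean every 30 days from the
72-hour notification; that cadence is an assumption, not regulation text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT_AFTER_FIX = timedelta(days=14)
PROGRESS_INTERVAL = timedelta(days=30)  # assumption: "monthly" = 30 days


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; deadlines must never be naive."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Schedule:
    early_warning_due: datetime
    incident_notification_due: datetime
    progress_reports_due: Tuple[datetime, ...]
    final_report_due: Optional[datetime]  # None until a fix exists


def article14_schedule(aware_at: datetime, fix_available_at: Optional[datetime] = None,
                       as_of: Optional[datetime] = None) -> Schedule:
    """Derive every due date from the moment of awareness. Progress reports
    recur after the 72-hour notification up to the final-report deadline,
    or up to `as_of` while no fix exists yet."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    early = aware_at + EARLY_WARNING
    incident = aware_at + INCIDENT_NOTIFICATION
    final = fix_available_at + FINAL_REPORT_AFTER_FIX if fix_available_at else None
    horizon = final if final is not None else (as_of or incident)
    progress: List[datetime] = []
    due = incident + PROGRESS_INTERVAL
    while due < horizon:
        progress.append(due)
        due += PROGRESS_INTERVAL
    return Schedule(early, incident, tuple(progress), final)


def missed_deadlines(schedule: Schedule, submitted: Dict[str, datetime],
                     now: datetime) -> List[str]:
    """Name each tier whose deadline has passed without an on-time submission.
    `submitted` maps tier name -> when the report actually went to the ENISA
    platform; a late submission still counts as missed."""
    deadlines = {"early_warning": schedule.early_warning_due,
                 "incident_notification": schedule.incident_notification_due}
    for i, due in enumerate(schedule.progress_reports_due, start=1):
        deadlines[f"progress_report_{i}"] = due
    if schedule.final_report_due is not None:
        deadlines["final_report"] = schedule.final_report_due
    return [name for name, due in deadlines.items()
            if due <= now and (name not in submitted or submitted[name] > due)]
```

Feeding the tracker a constructed awareness time of 15 September 2026 10:00 UTC and a fix available on 24 November gives two progress-report dates before the 8 December final-report deadline; the same schedule with an on-time early warning but a late 72-hour notification reports exactly that tier as missed.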
What triggers the 24-hour clock
Two distinct categories trigger Article 14 reporting:
Actively exploited vulnerabilities (Article 14(1))
Article 3(40) defines an actively exploited vulnerability as one "for which there is reliable evidence that the execution of malicious code was carried out by an actor on a system without permission of the system owner".
The key word is reliable evidence. Theoretical vulnerabilities, proof-of-concept demonstrations, disclosed CVEs without confirmed exploitation, and vendor-issued advisories all fall outside the trigger. Confirmed in-the-wild exploitation falls inside.
Examples of triggers:
- Threat-intel report from a CSIRT confirming use of a vulnerability against your product
- Customer report with forensic evidence of compromise via your product
- Honeypot detection of exploitation attempts targeting your product
- Public disclosure of an in-the-wild exploit in a security advisory
Severe incidents having an impact on security (Article 14(2))
Annex VI defines severity criteria — any incident that:
- Has the capability to negatively affect the development, production, or maintenance of products with digital elements
- Has actually compromised confidentiality, integrity, or availability of data or functions
- Resulted in or could result in serious operational disruption or financial loss
When in doubt, the regulation incentivises over-reporting — under-reporting carries fine risk; over-reporting does not.
Who you report to
From 11 September 2026 the single reporting platform operated by ENISA is the channel. Manufacturers submit the early warning, incident notification, and final report once; the platform routes to ENISA and to the relevant member-state CSIRT.
The member-state CSIRT is typically the one designated as single point of contact in:
- The member state where the manufacturer is established, or
- The member state hosting the largest share of affected users
Each EU member state has a designated CSIRT under the NIS2 Directive Article 9. For Slovakia: CSIRT.SK. For Germany: BSI CSIRT. For France: CERT-FR.
GDPR breach notification to the data protection authority and NIS2 incident notification to the sector authority run in parallel with, and separately from, CRA reporting. A single incident can trigger all three. The same factual content goes to three different recipients under three different legal bases.
Penalties for failure to report
Article 64 of the CRA establishes administrative fine ceilings:
| Violation type | Fine ceiling |
|---|---|
| Non-compliance with Annex I essential requirements | €15 million or 2.5% of global annual turnover (whichever is higher) |
| Non-compliance with Article 14 reporting obligations | €10 million or 2% of global annual turnover |
| Other CRA violations | €5 million or 1% of global annual turnover |
| Misleading information to a Notified Body or authority | €5 million or 1% of global annual turnover |
Member states implement the fines through national procedures. In addition, market surveillance authorities can order product withdrawal, recall, and import bans, and can require that updates be issued. The signer of the Declaration of Conformity is named personally in the proceedings.
For small and medium enterprises, Article 64(7) requires member states to take into account the manufacturer's size and economic position when setting fines — but does not exempt SMEs from the obligations.
Practical preparation timeline
| When | Action |
|---|---|
| Now (mid-2026) | Identify whether your products are in scope of CRA (which they almost certainly are if connected) |
| Now | Designate an internal reporting officer and document the escalation path |
| Now | Set up your coordinated vulnerability disclosure policy (Article 13(8)) and publish security.txt |
| Now | Establish baseline SBOM and CVE monitoring per Annex I Part II |
| By 11 September 2026 | Have the Article 14 reporting workflow tested — including out-of-hours coverage for the 24-hour rule |
| By 11 September 2026 | Establish CSIRT contact and ENISA platform account |
| By 11 June 2027 | If important Annex III product: select Notified Body, complete Module B+C or H assessment |
| By 11 December 2027 | Annex I conformity demonstrated; CRA cited on Declaration of Conformity; full Technical File complete |
How Cenitia helps
Cenitia tracks every CRA-cited regulation, Annex III important product list update, and harmonised standard publication in the Official Journal. When a change is published, affected Declarations of Conformity in your organisation are flagged. The Cenitia Technical File template pre-populates the Article 13 vulnerability handling policy, the Article 14 reporting workflow, and the Annex VII Technical File structure.
For products that need Notified Body assessment under Annex III or full operational compliance management including ENISA notification operations, our parent company Inovasense provides expert consulting.
Frequently asked questions
When does the Cyber Resilience Act fully apply?
The CRA entered into force on 11 December 2024 (date of publication in the Official Journal). Conformity assessment bodies can be notified from 11 June 2026. Article 14 reporting obligations apply from 11 September 2026. Full application of the essential requirements — meaning no new product can be CE-marked or placed on the EU market without satisfying Annex I — is 11 December 2027.
What is the 24-hour rule?
From 11 September 2026 onwards, when a manufacturer becomes aware of an actively exploited vulnerability or a severe incident affecting a product they placed on the EU market, they must submit an early warning notification to ENISA and a member-state CSIRT within 24 hours of awareness. The early warning is short — nature of the issue, suspected malicious involvement, affected products, contact point. A more complete incident notification follows within 72 hours, and a final report within one month after the vulnerability has been remediated.
What counts as an 'actively exploited vulnerability'?
Article 3(40) of the CRA defines an actively exploited vulnerability as one for which there is reliable evidence of malicious actor exploitation against a system without permission. Theoretical vulnerabilities, proof-of-concept demonstrations, and disclosed-but-not-exploited issues do not trigger the 24-hour notification. Confirmed in-the-wild exploitation does.
What is a 'severe incident having an impact on security'?
Article 14(2) and Annex VI of the CRA define this as any incident that has the capability to negatively affect the development, production, or maintenance of products with digital elements; or that has actually compromised confidentiality, integrity, or availability of data or functions; or that resulted in or could result in serious operational disruption or financial loss. The thresholds are intentionally broad — when in doubt, manufacturers should report.
Who is the reporting addressed to?
Reports go to ENISA and to a CSIRT designated as a single point of contact in a member state — typically the CSIRT of the member state where the manufacturer is established, or the member state hosting most affected users. From 11 September 2026 a single reporting platform operated by ENISA is the channel; member-state CSIRTs receive the reports through that platform. Other authorities (data protection authorities under GDPR, sector authorities under NIS2) are not addressed by the CRA channel — those obligations run in parallel.
What are the penalties for failing to report?
Article 64 of the CRA sets administrative fine ceilings at €10 million or 2% of global annual turnover (whichever is higher) for failure to comply with the reporting obligations in Article 14. Failure to comply with Annex I essential requirements is higher — €15 million or 2.5% of turnover. Member states can also order product withdrawal, recall, and import bans. The signing officer of the Declaration of Conformity is personally named in proceedings.
Do I need to report personal-data breaches too?
GDPR breach notification under Article 33 (72 hours to the supervisory authority) runs in parallel and remains separate. A single security incident can trigger both — a 24-hour CRA early warning to ENISA plus a 72-hour GDPR notification to the data protection authority — when personal data has been compromised. The two reports go to different authorities under different legal bases with different thresholds.
Do existing products already on the market need to comply with CRA?
Products placed on the EU market before 11 December 2027 do not need to retrospectively meet Annex I essential design requirements. However, the manufacturer must operate the Article 13 vulnerability handling processes (the Part II requirements in Annex I) and the Article 14 reporting obligations during the product's support period for any product still actively supported on or after 11 December 2027.
Related from the Library
- CRA Annex I explained — the 21 essential cybersecurity requirements the timeline drives toward
- CE Marking 101 — umbrella context for CRA within the CE marking framework
- Technical File 101 — what the CRA Annex VII Technical File contains
Further reading
- Cyber Resilience Act — full text including Article 14 and Annex VI
- ENISA CRA implementation guidance
- NIS2 Directive — Article 9 CSIRTs and Article 23 incident reporting
- GDPR Article 33 — personal data breach notification
Last reviewed: 20 June 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.