The EU CRA timeline, what to expect and when
The EU Cyber Resilience Act timeline in plain terms. The two dates that decide your roadmap, what changes on each, and what to expect in the months between now and the deadlines.
The EU Cyber Resilience Act has been in force since December 2024, but the obligations that change your roadmap phase in on two later dates: 11 September 2026 for reporting, and 11 December 2027 for the full requirements. The reporting clock comes first and it is the one most teams underestimate. This is the timeline, what flips on each date, and what to expect in between.
For the full scope of who is covered and what the requirements are, see our Cyber Resilience Act framework page. This post is about the calendar.
When does the EU Cyber Resilience Act take effect?
The CRA, Regulation (EU) 2024/2847, entered into force in December 2024. Entry into force started the clock, but the headline obligations were deliberately phased so manufacturers had time to adapt. That phasing is why "the CRA is already in force" and "we still have time" are both true, and why the two dates below are the ones that actually drive planning.
What happens on 11 September 2026?
The reporting obligations apply. From this date, a manufacturer must report an actively exploited vulnerability in its product, or a severe incident, within 24 hours of becoming aware, sending an early warning to the relevant national CSIRT and ENISA, followed by a fuller notification and a final report. This is the first hard obligation and the one with the least slack, because it is operational. You cannot file a 24-hour report on an exploited vulnerability if you cannot tell, in that window, which of your fielded devices are affected. Our CRA readiness checklist covers the capabilities this date demands.
What happens on 11 December 2027?
The full set of essential requirements applies. By this date, products with digital elements placed on the EU market must be secure by design, ship with no known exploitable vulnerabilities, carry a Software Bill of Materials in their technical documentation, provide security updates through the support period, and pass the appropriate conformity assessment. In other words, December 2027 is when the CRA applies end to end, not just the incident-reporting slice.
What should I be doing now, and what should I expect in between?
Treat the calendar as two runways. Here is a realistic shape for what to expect.
- Now through mid-2026: stand up the operational capabilities the reporting date needs. Inventory what you have shipped, generate SBOMs, wire vulnerability monitoring to your SBOMs, and make sure you can deliver a fix to fielded devices quickly. Our SBOM walkthrough and CVE-to-patch pipeline cover the mechanics.
- By 11 September 2026: have a working 24-hour reporting process, with named owners, a coordinated disclosure policy, and a tested path from "we are aware" to "report filed".
- Mid-2026 through 2027: close the secure-by-design and documentation gaps for the full requirements. Determine your product class, line up a notified body if you need one, and assemble the technical documentation an assessment will ask for.
- By 11 December 2027: be fully conformant for any product you place on the EU market.
Expect the standards landscape to keep moving in parallel. Harmonised standards under the CRA are still being finalised, so build your process around the regulation text and ENISA guidance rather than waiting for a single checklist to drop.
What does "actively exploited" mean for the reporting clock?
The 24-hour clock is not triggered by every disclosed CVE. It triggers when a vulnerability in your product is being actively exploited, or when a severe incident affecting the security of your product occurs. That distinction matters for the timeline: you do not need to file on theoretical issues, but you do need the monitoring to recognise active exploitation quickly, because the clock starts when you become aware.
Is there a grace period?
Plan as if there is none. The obligations apply from the stated dates. The lead time you have is the months between now and 11 September 2026 for reporting, and 11 December 2027 for everything else. Investing in the capability now is what turns the deadline from a scramble into a non-event.
Where Scadable fits
Scadable keeps a live map of every device, deployment, and component you have shipped, flags what is actively exploited, writes and backports the fix to fielded devices, opens the pull request, and files the report inside the window. That is the operational core both dates demand, run continuously. If the CRA is on your roadmap, book a walkthrough.
Frequently asked questions
When does the EU Cyber Resilience Act take effect? The CRA, Regulation (EU) 2024/2847, has been in force since December 2024. Two obligations phase in later: the reporting duties apply from 11 September 2026, and the full essential requirements apply from 11 December 2027.
What is the CRA deadline I should plan around first? 11 September 2026. From that date you must report actively exploited vulnerabilities and severe incidents within 24 hours. It arrives before the full requirements and most teams have done the least to prepare for it.
What changes on 11 December 2027? The full set of essential requirements applies, including secure-by-design obligations and the conformity-assessment requirement. By this date a product placed on the EU market must meet the CRA in full.
Is there a grace period after the deadlines? No general grace period is built into the dates. The obligations apply from the stated dates, so the practical lead time is the months you have now, not after.
