By Vyrhak SATH · Founder, NAGASHIELD SECURITY · 10 min read

Cyber Resilience Act: reporting starts 11 September 2026 — who is concerned and what to do

The EU Cyber Resilience Act (Regulation 2024/2847) explained: which products with digital elements are in scope, the verified timeline (reporting from 11 September 2026, full application 11 December 2027), the 24h/72h/14-day notification ladder, essential requirements and sanctions.

What the Cyber Resilience Act is

The Cyber Resilience Act — CRA, Regulation (EU) 2024/2847 — is the first EU law imposing horizontal cybersecurity requirements on products with digital elements: connected hardware and software placed on the EU market, from routers and smart devices to operating systems and desktop applications. It entered into force on 10 December 2024 and applies in two waves: reporting obligations from 11 September 2026, and the main obligations from 11 December 2027. Compliance becomes a condition of the CE marking: a non-compliant product simply cannot be sold in the EU.

The verified timeline

Date                What applies
10 December 2024    Entry into force
11 June 2026        Chapter IV: notification of conformity assessment bodies (Articles 35 to 51)
11 September 2026   Article 14 reporting: actively exploited vulnerabilities and severe incidents must be notified, including for products already on the market
11 December 2027    Full application: essential requirements, conformity assessment, market surveillance

Products placed on the market before 11 December 2027 are not retroactively subject to the main requirements (unless substantially modified) — but the Article 14 reporting duty from September 2026 applies to them regardless.

The notification ladder (Article 14)

From 11 September 2026, a manufacturer that becomes aware of an actively exploited vulnerability in one of its products, or of a severe incident having an impact on the security of a product, must notify the CSIRT designated as coordinator in its Member State and ENISA, through the single reporting platform that ENISA operates under Article 16. The clocks run in hours from the moment of awareness, weekends included:

  1. Early warning within 24 hours of becoming aware;
  2. Structured notification within 72 hours (unless the information was already supplied), with general information on the product, the nature of the exploit or incident, an initial severity and impact assessment, and the corrective or mitigating measures taken or available to users;
  3. Final report: for an exploited vulnerability, no later than 14 days after a corrective or mitigating measure is available (this clock starts at fix availability, not at awareness); for a severe incident, within one month of submitting the 72-hour notification.

Separately, the manufacturer must inform the impacted users (and, where appropriate, all users) of the vulnerability or incident and of any mitigations they can apply, without undue delay.
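To make the clocks concrete, here is a small deadline calculator one could drop into an Article 14 runbook. It is an added example written for this article, not code from PolicyForge or from the Regulation; it encodes the ladder as described above, and its reading of "one month" as the same calendar day of the following month (clamped to that month's last day) is an assumption, since the Regulation does not spell it out. The scenario timestamps are constructed.

```python
"""Article 14 deadline calculator for a CRA notification runbook.

Added example, not part of the original article or a PolicyForge tool.
It encodes the Article 14 ladder as the article describes it; the handling
of "one month" (same calendar day next month, clamped to the month end) is
an assumption, not a rule stated in the Regulation.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp: log awareness in UTC, never in local wall-clock time."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(when: datetime) -> datetime:
    """Same day of the following month, clamped to that month's last day (assumption)."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class Article14Deadlines:
    track: str
    early_warning: datetime         # 24 h after awareness
    notification: datetime          # 72 h after awareness
    final_report: datetime | None   # None until the clock that starts it has started


def article14_deadlines(
    aware_at: datetime,
    track: str,
    fix_available_at: datetime | None = None,
    notification_submitted_at: datetime | None = None,
) -> Article14Deadlines:
    """Compute the three Article 14 deadlines from the moment of awareness.

    track: "vulnerability" (actively exploited vulnerability) or "incident"
    (severe incident having an impact on the security of the product).
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; the clock is not local time")
    if track not in ("vulnerability", "incident"):
        raise ValueError(f"unknown track: {track!r}")

    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)

    if track == "vulnerability":
        # 14 days run from the moment a corrective or mitigating measure is available,
        # not from awareness: until then the final-report deadline is undetermined.
        final = None if fix_available_at is None else fix_available_at + timedelta(days=14)
    else:
        # One month runs from submission of the 72-hour incident notification.
        final = None if notification_submitted_at is None else add_one_month(notification_submitted_at)

    return Article14Deadlines(track, early_warning, notification, final)


def overdue_steps(d: Article14Deadlines, now: datetime) -> list[str]:
    """Names of the ladder steps whose deadline has already passed at `now`."""
    late = []
    if now > d.early_warning:
        late.append("early_warning")
    if now > d.notification:
        late.append("notification")
    if d.final_report is not None and now > d.final_report:
        late.append("final_report")
    return late


if __name__ == "__main__":
    # Constructed scenario: the SOC confirms in-the-wild exploitation on a Friday evening.
    aware = utc(2026, 9, 11, 18, 30)
    d = article14_deadlines(aware, "vulnerability")
    print("early warning due:", d.early_warning.isoformat())
    print("notification due: ", d.notification.isoformat())
    print("final report due: ", d.final_report)  # None: no fix available yet
    d = article14_deadlines(aware, "vulnerability", fix_available_at=utc(2026, 9, 20))
    print("final report due: ", d.final_report.isoformat())
```

The point the code makes is that the three steps have three different anchors: the first two count from awareness (so a Friday-evening confirmation means a Saturday-evening early warning), the vulnerability final report counts from fix availability, and the incident final report counts from the 72-hour submission.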

The pattern will look familiar to anyone tracking NIS2, which uses the same 24-hour early warning, 72-hour notification and one-month final report, or GDPR, whose personal-data breach notification runs on a 72-hour clock. The practical consequence is the same too: you need a documented, rehearsed process before the first event, not during it. In particular, decide in advance who declares "awareness" and how it is timestamped, because that moment starts the 24-hour clock.

Who is in scope — and the SaaS nuance

The CRA targets manufacturers of products with digital elements made available on the EU market (plus importers and distributors), wherever the manufacturer is based. Pure SaaS is generally not covered, since cloud services fall under NIS2, except where a remote data-processing solution is integral to a product's functions (a device whose mobile app cannot work without the vendor's backend, for instance). Products carry proportionate regimes: a default category self-assessed by the manufacturer; *important* products (Annex III: identity and privileged access management software, VPN products, firewalls, operating systems, routers and switches, among others) subject to stricter conformity assessment; and *critical* products (Annex IV: hardware devices with security boxes, smart meter gateways, smart cards and secure elements) for which the Commission may require European cybersecurity certification. Free and open-source software supplied outside a commercial activity is out of scope altogether; open-source software stewards (foundations and similar bodies) have a lighter, tailored regime.

The essential requirements, in practice

The Annex I essential requirements read like a secure-development policy. Part I covers the product itself: secure-by-default configuration, no known exploitable vulnerabilities at release, protection of the confidentiality and integrity of data, a limited attack surface, and security updates throughout the support period (at least five years, unless the product is expected to be in use for less). Part II covers vulnerability handling: identifying and documenting the components in the product, including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies; a coordinated vulnerability disclosure policy and a contact point for reports; and security updates disseminated without delay and free of charge. For a software vendor, the deliverables are concrete: a secure development policy, a vulnerability management and disclosure process, an SBOM for each release, an update/support commitment, and the incident notification runbook above. Sanctions reach €15M or 2.5% of worldwide annual turnover, whichever is higher, for breaches of the essential requirements or of the Article 13 and 14 obligations.

What to do before September 2026

  1. Qualify your products: which of your offerings are products with digital elements placed on the EU market, and in which category?
  2. Stand up the Article 14 runbook now — the 24-hour clock starts at awareness, and it applies to products already sold.
  3. Document secure development and vulnerability handling — they are both an essential requirement and your best evidence.
  4. Track ANSSI’s guidance: the French authority publishes CRA resources on cyber.gouv.fr.

Primary sources

How PolicyForge helps

PolicyForge generates the CRA’s documentary backbone — secure development, vulnerability management with disclosure, incident response with the 24h/72h ladder, supplier security — bilingual, versioned and approved. Start free →

Frequently asked questions

When does the Cyber Resilience Act apply?

The CRA entered into force on 10 December 2024. Its reporting obligations (Article 14 — actively exploited vulnerabilities and severe incidents) apply from 11 September 2026, including to products already on the market. The main obligations — essential requirements, conformity assessment, CE marking — apply to products placed on the market from 11 December 2027.

Does the CRA apply to SaaS?

Generally no: pure cloud services fall under NIS2, not the CRA. The CRA covers products with digital elements — hardware and software placed on the EU market — and only reaches remote data processing when it is integral to a product’s functions. Software sold as a product (desktop, mobile, embedded, on-premise) is squarely in scope.

What must be notified under CRA Article 14?

From 11 September 2026, manufacturers must notify ENISA and their national CSIRT (via the single reporting platform) of any actively exploited vulnerability in a product and any severe incident affecting product security: early warning within 24 hours of awareness, structured notification within 72 hours, and a final report no later than 14 days after a fix or mitigation is available (vulnerability) or within one month of the 72-hour notification (incident). Impacted users must also be informed without undue delay.

What are the CRA sanctions?

Non-compliance with the essential requirements can cost up to €15M or 2.5% of worldwide annual turnover, whichever is higher, with lower ceilings for other breaches. Just as importantly, a non-compliant product loses access to the EU market, since CRA compliance conditions the CE marking.