DEADLINE ALERT | April 8, 2026

Cyber Resilience Act: The September 11, 2026 Deadline Most Companies Are Missing

Most organizations believe they have until December 2027 to comply with the Cyber Resilience Act. That assumption is wrong. The first hard deadline is September 11, 2026 — five months from today. From that date, every manufacturer of products with digital elements sold in the EU must report actively exploited vulnerabilities within 24 hours. This applies to products already on the market, including software you shipped years ago. Unlike the EU AI Act, no extension has been proposed.

Key Facts

September 11, 2026: Vulnerability reporting obligations begin. Not December 2027.

24 hours: Early warning to ENISA and national CSIRT after discovering an actively exploited vulnerability.

72 hours: Full notification with technical details.

14 days: Final report after a corrective measure is available.

Retroactive: Applies to all in-scope products already on the EU market — not just new products.

Up to €15M or 2.5% of global annual turnover for non-compliance.

No extension proposed. The Digital Omnibus does not affect CRA timelines.

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) establishes mandatory cybersecurity requirements for hardware and software products with digital elements sold in the EU. It entered into force on December 10, 2024 and covers the entire product lifecycle — from design through end-of-life.

The scope is broad: any software or hardware product that connects directly or indirectly to a device or network falls under the CRA. This includes IoT devices, desktop software, mobile apps, SaaS components, embedded systems, industrial control systems, and networking equipment. Exceptions exist for products governed by sector-specific regulations like medical devices, aeronautical equipment, and vehicles.

Unlike the EU AI Act, which focuses on a specific technology category, the CRA applies to virtually every digital product on the EU market. If you sell software or connected hardware into the EU, this regulation applies to you.

The three CRA deadlines

Date         | What applies                                                            | Status
Jun 11, 2026 | Conformity assessment bodies must be designated by national authorities | 2 months
Sep 11, 2026 | Vulnerability and incident reporting obligations begin                  | 5 months
Dec 11, 2027 | Full CRA compliance required. CE marking mandatory for new products.    | 20 months

Source: Regulation (EU) 2024/2847, Article 71. European Commission CRA implementation page.

What September 11 actually requires

From September 11, 2026, manufacturers must report two categories of events through the ENISA Single Reporting Platform:

1. Actively exploited vulnerabilities

A vulnerability is "actively exploited" when there is reliable evidence that a malicious actor has used it in a system without the system owner's permission. This includes vulnerabilities disclosed publicly or reported online.

24 hours: Early warning to CSIRT and ENISA after becoming aware
72 hours: Full notification with technical details, severity, and affected products
14 days: Final report after a corrective or mitigating measure is available

2. Severe security incidents

Any incident that impacts the security of a product with digital elements must also be reported. The cadence is the same: a 24-hour early warning, a 72-hour full notification, and a final report within one month.

Why this catches companies off guard

It applies retroactively to products already on the market

The reporting obligation covers all in-scope products currently on the EU market, not just products placed after the CRA entered into force. Software you shipped in 2020 is subject to these requirements if it's still available and in use.

You cannot report what you cannot identify

To report an exploited vulnerability within 24 hours, you need to know which components are in your products. That requires a Software Bill of Materials (SBOM). The CRA explicitly mandates SBOMs (Annex I, Part II), but the practical reality is that SBOM readiness is required by September 2026 — not December 2027 — because you cannot comply with reporting without it.

The Digital Omnibus does not affect CRA timelines

The Digital Omnibus on AI proposes extending the EU AI Act's high-risk deadline to December 2027. It does not propose any changes to CRA deadlines. The September 11, 2026 reporting obligation is fixed.

Product classification has additional earlier deadlines

Beyond reporting, certain product categories have compliance dates before the December 2027 full application: horizontal type A products must comply by August 30, 2026, and horizontal type B and vertical type C products by October 30, 2026.

What you need in place by September

1. Product inventory. Identify every product with digital elements you sell or distribute in the EU. Include legacy products still on the market.

2. SBOM generation. Create and maintain software bills of materials for every in-scope product. Machine-readable format, covering at least top-level dependencies.

3. Vulnerability monitoring. Establish continuous monitoring against vulnerability databases (NVD, KEV). Map known vulnerabilities to your product components via SBOM.

4. Incident response process. Build a workflow that can produce a 24-hour early warning: detection, triage, exploitability assessment, and CSIRT notification within one business day.

5. ENISA Single Reporting Platform access. The platform will be operational by September 2026 with a testing period before. Register and test your reporting workflow before the deadline.

6. Documentation and audit trail. Document your vulnerability handling process, reporting decisions, and remediation actions. When a regulator asks how you handled an incident, you need evidence.
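The SBOM, monitoring, response and audit-trail steps above, as one added example that is not the page's or AI Attest's code: a constructed SBOM fragment is matched against a constructed known-exploited feed, the 24-hour, 72-hour and 14-day clock is computed from the moment of awareness, and each decision is recorded in a SHA-256 hash chain that can be re-verified. The SBOM layout, feed fields, component names, CVE ids and awareness time are all assumptions made for the example.

```python
# Added example (not the page's or AI Attest's code): match an SBOM against a KEV-style
# feed, start the CRA reporting clock, and hash-chain each decision. All ids are constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-like SBOM fragment and known-exploited feed (placeholder ids).
SBOM = {"components": [
    {"name": "example-parser", "version": "2.3.1", "purl": "pkg:generic/example-parser@2.3.1"},
    {"name": "example-http", "version": "1.0.4", "purl": "pkg:generic/example-http@1.0.4"},
]}
KEV_FEED = [
    {"cveID": "CVE-0000-0001", "product": "example-parser", "affected": ["2.3.0", "2.3.1"]},
    {"cveID": "CVE-0000-0002", "product": "example-tls", "affected": ["3.1.0"]},
]
AWARE_AT = datetime(2026, 9, 14, 9, 30, tzinfo=timezone.utc)  # constructed awareness time
GENESIS = "0" * 64  # previous-hash value for the first audit entry

def match_exploited(sbom, feed):
    # (cveID, purl) for every SBOM component whose exact version is listed as exploited
    return [(e["cveID"], c["purl"]) for c in sbom["components"] for e in feed
            if e["product"] == c["name"] and c["version"] in e["affected"]]

def reporting_deadlines(aware_at, fix_available_at=None):
    # 24h and 72h run from awareness; the 14-day final report starts when a fix exists
    d = {"early_warning": aware_at + timedelta(hours=24),
         "notification": aware_at + timedelta(hours=72)}
    if fix_available_at is not None:
        d["final_report"] = fix_available_at + timedelta(days=14)
    return d

def _link(prev_hash, record):
    # canonical JSON so the same record always hashes the same way
    canon = json.dumps(record, sort_keys=True, default=str)
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

def append_entry(trail, record):
    # each hash covers the previous hash, so editing or dropping an entry breaks the chain
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"prev": prev, "record": record, "hash": _link(prev, record)})
    return trail

def verify_trail(trail):
    # recompute every link from genesis; False means the evidence was altered
    prev = GENESIS
    for entry in trail:
        if entry["prev"] != prev or _link(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```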

CRA compliance timeline at a glance

Dec 10, 2024: CRA enters into force
Jun 11, 2026: Conformity assessment body designation begins
Aug 30, 2026: Horizontal type A product compliance
Sep 11, 2026: Vulnerability and incident reporting obligations begin
Oct 30, 2026: Horizontal type B and vertical type C product compliance
Dec 11, 2027: Full CRA compliance required. CE marking mandatory.

How AI Attest helps with CRA compliance

AI Attest includes a complete Cyber Resilience Act compliance pipeline with 11 artifacts covering product security description, security risk assessment, secure development lifecycle, vulnerability management, incident response, SBOM, technical documentation, and user information — all mapped to specific CRA requirements.

The platform's dependency tracking ensures your vulnerability management documentation stays consistent with your product security description and risk assessment. When your architecture changes, cascade invalidation flags every downstream document that needs updating. Every submission is recorded in a SHA-256 hash-chained audit trail — evidence that your compliance process was followed.

September is closer than December

Start your CRA compliance documentation now. Upload your existing security documentation and see where the gaps are. Free during beta.
