Bright luminous rectangular shaped signboard with inscription 24 hrs on window of nightclub

Article 14 strikes first: The september 2026 CRA Reporting Deadline

ByStefan Karg 31.03.202631.03.2026

Most CRA conversations I have right now orbit around December 2027. That’s the wrong date to focus on first.

Article 14 of the CRA – the reporting obligation for actively exploited vulnerabilities and severe incidents – applies from 11.09.2026. That’s roughly 5 months from now. And 15 months before the rest of the regulation kicks in.

What Article 14 actually requires:

An early warning to ENISA and your national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability in your product
A notification with more detail within 72 hours
A final report within 14 days after a fix or mitigation is available (for actively exploited vulnerabilities; severe incidents get 30 days)

The 24-hour window is the part that keeps me up at night when I look at where most manufacturers are today. To meet it, you need a clear escalation path that lands in front of someone with authority to notify a government body. Manufacturers submit via the EU’s Single Reporting Platform, which routes to both your national CSIRT and ENISA simultaneously.

Most SME product manufacturers have none of this in place. Not because they’re negligent, but because this type of operational security response is genuinely new territory for hardware-adjacent industries.

The uncomfortable part: September 2026 applies to products already on the market. You don’t get a grace period for existing products. If you shipped a connected device in 2024 and a vulnerability in it is actively exploited in October 2026, the 24-hour clock starts.

I’m not saying this to create panic. But if you’re building your CRA roadmap around 2027, you may be structuring the work in the wrong order.

Cyber Resilience Act (CRA)

CRA FAQ
ByStefan Karg 04.12.202504.12.2025

The EU Commission services have just released a comprehensive FAQ to help to demystify the implementation of the Cyber Resilience Act. If the official text left you scratching your head, this 66-page document might be your go-to resource for first practical answers to your questions. Worth a bookmark. Read it here:EU Commission – CRA Implementation

Read More CRA FAQ
Cyber Resilience Act (CRA) | Uncategorized

CRA: Standardization projects
ByStefan Karg 01.12.202501.12.2025

Currently a lot of standardization projects regarding the CRA are on-going. These standardization projects aim to develop harmonized European standards for the fundamental cybersecurity requirements of the CRA and the requirements regarding vulnerability management (horizontal standards) as well as different product categories (vertical standards). You can find an overview over the currently active standardization projects…

Read More CRA: Standardization projects
Cyber Resilience Act (CRA)

Understanding the Cyber Resilience Act (CRA) Timeline
ByStefan Karg 26.02.202626.02.2026

What are the most important dates related to the CRA that manufacturers, importers or distributors need to keep in mind? Are you prepared?

Read More Understanding the Cyber Resilience Act (CRA) Timeline
Cyber Resilience Act (CRA)

Understanding “Products with Digital Elements” Under the Cyber Resilience Act (CRA)
ByStefan Karg 16.02.202616.02.2026

If you’re evaluating whether your product falls under the Cyber Resilience Act (CRA), you’ve likely encountered the term “Product with Digital Elements” (PDE). This term is central to the CRA, and understanding it is crucial. The Cyber Resilience Act (CRA) defines the scope of its regulations in Article 2, which explicitly references “products with digital…

Read More Understanding “Products with Digital Elements” Under the Cyber Resilience Act (CRA)
Cyber Resilience Act (CRA)

CRA Compliance Deadline: Why Your Customers Won’t Wait Until December 2027
ByStefan Karg 25.03.202625.03.2026

Most manufacturers plan their CRA compliance around one date: 11 December 2027. That’s when the Cyber Resilience Act fully applies, and that’s the CRA compliance deadline their project plans are built around. From a regulatory perspective, this makes sense. From a business perspective, it’s already too late. The regulatory date is not the market date…

Read More CRA Compliance Deadline: Why Your Customers Won’t Wait Until December 2027
Cyber Resilience Act (CRA)

EU Commission Releases CRA FAQ in Markdown Format
ByStefan Karg 20.02.202620.02.2026

The European Commission has published the Cyber Resilience Act (CRA) FAQ as a Markdown file. This format is particularly valuable for: The Markdown version of the CRA FAQ is available for download here: Cyber Resilience Act implementation – Frequently asked questions

Read More EU Commission Releases CRA FAQ in Markdown Format

Similar Posts