EU CRA: what you must do before 11 September 2026
EU Cyber Resilience Act · 8-min read · updated June 2026
The EU Cyber Resilience Act puts hard dates on software security. The vulnerability-reporting obligations bite on 11 September 2026; full conformity follows on 11 December 2027. Most of what it asks for is what good teams already do — here's how to be ready.
The two dates that matter
11 Sep 2026
- Report actively-exploited vulnerabilities & severe incidents
- 24h early warning · 72h notification · final report on fix
11 Dec 2027
- Full CE-marking conformity for products with digital elements
- SBOM, secure-by-design, vuln handling, lifetime updates
The 24-hour clock (Article 14)
When a vulnerability in your product is being actively exploited, the reporting timeline runs fast:
| Within | What you send |
|---|---|
| 24 hours | Early warning to your designated CSIRT and ENISA |
| 72 hours | Vulnerability notification with available detail and any corrective action |
| On fix | Final report describing the vulnerability and the remediation |
To hit that, you need to know the moment one of your components is being exploited — that's exactly the KEV signal IsItPatched surfaces.
Readiness checklist
- Inventory your products and the components inside each (an SBOM per product).
- Watch for active exploitation across those components so the 24h clock never catches you blind.
- Produce a machine-readable SBOM (CycloneDX/SPDX) you can hand over on request.
- Author VEX statements so you report what truly affects you, not noise — see how to write a VEX.
- Keep risk evidence and a coordinated-disclosure process; retain documentation across the support period.
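As an added example (not IsItPatched's or the page's own code), this is the check the first two items describe: cross-reference a CycloneDX-style SBOM against a list of actively-exploited vulnerabilities and derive the Article 14 clock for each hit. The SBOM fragment, the feed entries, the CVE-0000-* ids and the awareness time are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM fragment: only the fields this check needs.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:generic/libexample@1.2.3"},
        {"type": "library", "name": "widgetparser", "version": "4.0.1",
         "purl": "pkg:generic/widgetparser@4.0.1"},
    ],
}

# Constructed exploited-vulnerability feed with placeholder ids (not real CVEs).
EXPLOITED = [
    {"id": "CVE-0000-00001", "purl": "pkg:generic/libexample",
     "affected_versions": ["1.2.3", "1.2.4"]},
    {"id": "CVE-0000-00002", "purl": "pkg:generic/widgetparser",
     "affected_versions": ["3.9.0"]},
]

def base_purl(purl):
    """Drop the '@version' suffix so an SBOM purl matches a feed entry's bare purl."""
    return purl.split("@", 1)[0]

def reportable_components(sbom, feed):
    """Return SBOM components whose exact version appears in the exploited feed.
    Exact-version matches only: widgetparser 4.0.1 is present but the feed
    lists 3.9.0, so that one is a VEX 'not affected', not a report."""
    hits = []
    for comp in sbom["components"]:
        for vuln in feed:
            if (base_purl(comp["purl"]) == vuln["purl"]
                    and comp["version"] in vuln["affected_versions"]):
                hits.append({"component": comp["name"],
                             "version": comp["version"], "vuln": vuln["id"]})
    return hits

def article14_deadlines(aware_at_iso):
    """Early warning within 24h and notification within 72h of becoming aware
    (ISO 8601 strings, UTC); the final report is due once a fix exists."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {
        "early_warning": (aware_at + timedelta(hours=24)).isoformat(),
        "notification": (aware_at + timedelta(hours=72)).isoformat(),
        "final_report": "on fix or mitigation",
    }

if __name__ == "__main__":
    print(reportable_components(SBOM, EXPLOITED), article14_deadlines("2026-09-11T09:00:00+00:00"))
```

In a real pipeline the feed would be your KEV source and the SBOM the one generated per product; the matching and deadline logic stay the same.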
Turn this into action. The vulnerability-reporting obligations, the 24h/72h clock, the machine-readable SBOM requirement — and a checklist to be ready before the deadline.
Frequently asked questions
When do the CRA vulnerability-reporting obligations start?
The reporting obligations for actively-exploited vulnerabilities and severe incidents apply from 11 September 2026. Full CE-marking conformity for products with digital elements applies from 11 December 2027.
What has to be reported, and how fast?
For an actively-exploited vulnerability you notify your designated CSIRT and ENISA with an early warning within 24 hours, a fuller notification within 72 hours, and a final report once a fix or mitigation is available.
Does the CRA require an SBOM?
Yes — manufacturers must produce a machine-readable SBOM covering at least the top-level dependencies, and handle vulnerabilities across the support period. See what is an SBOM.
Does IsItPatched make me CRA-compliant?
No tool can. The CRA involves conformity assessment and processes beyond software. IsItPatched helps you meet specific obligations — knowing your reportable (actively-exploited) vulnerabilities, producing an SBOM/VEX, and keeping risk evidence — see the CRA edition.
This guide summarises publicly-available information about the EU Cyber Resilience Act for orientation only. It is not legal advice and does not constitute or replace conformity assessment. Confirm your obligations with qualified counsel. See our disclaimer.