The EU Cyber Resilience Act is now in the implementation phase, and 2026 is a key transition year for manufacturers of connected products.
As of March 2026, implementation milestones for reporting and conformity-assessment setup are approaching quickly.
Key dates
- 11 June 2026: notification rules for Conformity Assessment Bodies begin applying.
- 11 September 2026: CRA reporting obligations begin applying.
- 11 December 2027: main CRA obligations become fully applicable.
What this means for product teams
Before September 2026, manufacturers should ensure they can identify affected products and components quickly, triage vulnerabilities consistently, and report severe incidents and actively exploited vulnerabilities within the required timelines.
Recommended next steps
- Confirm CRA product scope and ownership by product line.
- Test 24h/72h reporting workflows and escalation paths.
- Align remediation SLAs with internal policy and CRA expectations.
- Validate reporting artifacts and audit-ready documentation.
Teams that operationalize these processes now will reduce compliance risk and improve response quality ahead of full CRA applicability.