The EU Cyber Resilience Act is now in its implementation phase. 2026 is the operational preparation year, and teams should align reporting workflows, vulnerability handling, and compliance evidence before full applicability.
Key dates
- 11 June 2026: notification rules for Conformity Assessment Bodies start applying.
- 11 September 2026: CRA reporting obligations start applying.
- 11 December 2027: main CRA obligations become fully applicable.
What to operationalize now
- Confirm CRA scope by product family and assign accountable owners.
- Prepare fast notification workflows for severe incidents and actively exploited vulnerabilities.
- Align triage and remediation timelines with internal policy and CRA expectations.
- Ensure exportable audit evidence is ready for customer and regulatory reviews.
Recommended action plan (next 60 days)
- Run a dry-run reporting exercise for a high-priority vulnerability scenario.
- Validate that vulnerability status is traceable and that closure rationales are of sufficient quality.
- Review backlog against risk and exploitability criteria (CVSS + KEV + EPSS).
Teams that prepare now will reduce compliance risk and avoid reactive execution in Q3 2026.