The EU CRA Countdown: Why September 2026 is Your Real Deadline
If you are a manufacturer of "products with digital elements" (PDEs), you likely have December 11, 2027 circled in red on your calendar. That is the date the EU Cyber Resilience Act (CRA) becomes fully applicable, requiring the CE mark for all new connected products.
However, there is a much closer deadline that many engineering teams are overlooking. By September 11, 2026, the CRA’s mandatory reporting obligations begin.
The Phased Timeline at a Glance
The CRA isn't a single switch; it’s a phased rollout. Here are the milestones you need to know as of early 2026:
| Date | Milestone | What it means to you |
|---|---|---|
| June 11, 2026 | Notified Bodies Appointed | Member States must designate the authorities that will eventually certify "Critical" and "Important" products. |
| Sept 11, 2026 | Reporting Enforcement | Crucial: You must report actively exploited vulnerabilities to ENISA and national CSIRTs within 24 hours. |
| Dec 11, 2027 | Full Compliance | Every product in scope must meet essential security requirements and carry the CE mark to stay on the market. |
Why September 2026 Changes Everything
While you have nearly two years for "Security-by-Design," you have less than eight months to get your reporting house in order.
The reporting obligation is unique because it applies to existing products already on the market. If you have an IoT device shipped in 2024 that is still being sold or supported in September 2026, and a vulnerability is actively exploited, the clock starts ticking the moment you become aware of it.
The "24-Hour" Challenge:
To comply with the 24-hour early warning requirement, you cannot rely on manual spreadsheets. You need:
A live SBOM (Software Bill of Materials): You can't report what you don't know is there.
Continuous Monitoring: You need to know immediately when a vulnerability in a sub-component (like OpenSSL or a kernel module) is being exploited in the wild.
An Incident Response Plan: A clear workflow to notify ENISA and national authorities without hesitation.
Don't Wait for 2027
The reporting deadline in 2026 is an "implicit" deadline for your vulnerability management process. If you don't have an automated way to track vulnerabilities across your firmware and cloud backends by this September, you are effectively in non-compliance.
At Test of Things, we help you bridge this gap. Our platform automates the generation of SBOMs and provides continuous monitoring, ensuring that when the reporting rules hit this September, you have the data you need at your fingertips.
Is your product portfolio ready for the September reporting deadline?
Request early access to Test of Things to automate your CRA gap analysis and stay ahead of the regulatory curve.
