NEW: CRA vulnerability reporting begins 11 September 2026 — is your product ready? Check now →

Compliance dates that matter

CRA Deadlines — what's due when

The CRA is being phased in over a 36-month transition window. This page tracks every milestone, the reporting timeline, and the financial penalties for missing them.

⏱ Time to Sept 2026 Deadline
--
days
:
--
hrs
:
--
min
:
--
sec

Key Milestones

CRA Compliance Timeline

The CRA is being phased in over a 36-month window. Here are the dates that matter for any business shipping a digital product into the EU.

  1. 10 Dec 2024 Done

    CRA Enters Into Force

    EU Regulation 2024/2847 officially published in the Official Journal. The 36-month main transition window starts.

  2. 11 Sep 2026 In ~5 months

    Vulnerability Reporting Begins

    From this date, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA. The 24h / 72h / 14d timeline applies.

  3. 11 Dec 2027 ~20 months

    Full CRA Compliance Deadline

    All products with digital elements placed on the EU market must conform with the CRA, carry CE marking, and have a Declaration of Conformity.

  4. 2027 onwards Enforcement era

    Market Surveillance

    National authorities begin enforcement. Non-conforming products can be banned from the EU market. Fines up to €15M or 2.5% of global turnover.

From Sept 2026

The 24h / 72h / 14d Reporting Workflow

From 11 September 2026 onwards, manufacturers must report any actively exploited vulnerability or severe incident impacting the security of the product. The clock starts when you become aware.

01
within 24h

Early warning to ENISA

Notify the relevant CSIRT and ENISA via the Single Reporting Platform that you are aware of an actively exploited vulnerability or severe incident.

02
within 72h

Vulnerability notification

Submit a vulnerability notification including general information about the product, the nature of the exploitation, and any corrective or mitigating measures taken or that users can take.

03
within 14d

Final report

Submit a final report covering the impact of the vulnerability or incident, the corrective measures taken, the corrective measures recommended to users, and any cross-border or cross-sector impact.

All notifications go through the ENISA Single Reporting Platform (SRP), which routes them to the relevant national CSIRT. Microenterprises and SMEs benefit from extended timelines on the early warning where reasonable.

Article 64

Penalties and Fines

Member States must impose effective, proportionate, and dissuasive penalties for breaches of the CRA. The cap is whichever is higher between the absolute amount and the percentage of total worldwide annual turnover for the preceding year.

Breach Maximum cap
Non-compliance with the essential requirements (Annex I) €15M / 2.5%
Non-compliance with manufacturer obligations (Article 13) €10M / 2%
Supplying false or misleading information to authorities €5M / 1%

Caps shown as: absolute amount / % of global annual turnover. Whichever is higher applies.

Right now

What to do today

Step 01

Inventory your in-scope products

List every product, app, library, or hardware item you place on the EU market.

Step 02

Classify each product

Default, Class I, or Class II — the route to compliance is different for each.

Step 03

Generate an SBOM

Use CycloneDX or SPDX. Most CI/CD tools have plugins. This is a hard requirement.

Step 04

Publish a vulnerability disclosure policy

A simple security.txt + a triage email is enough to satisfy the obligation.

Step 05

Set up incident detection

You can't report what you can't detect. Wire up basic logging and alerting before Sept 2026.

Step 06

Draft your Declaration of Conformity

Use the Annex V template. Don't wait until Dec 2027 — it forces other questions to surface.

Free Compliance Assessment

Is Your Product CRA Ready?

Get a free personalised CRA compliance briefing for your specific product type — delivered to your inbox. No spam, no sales calls.

  • Understand your exact product category (default, Class I, or Class II)
  • Get a checklist of your specific obligations and deadlines
  • Receive guidance on SBOM, vulnerability management, and reporting
  • Early access to our CRA Compliance Manager tool (launching 2026)
  • Weekly CRA news digest — ENISA updates, regulatory guidance

Get Your Free CRA Brief

Takes 60 seconds · Completely free

🔒 No spam. Unsubscribe anytime. Processed in accordance with GDPR.