Key deadlines and reporting requirements for the EU Cyber Resilience Act (CRA)
Key deadlines
September 11, 2026
CRA enforcement begins
Starting September 11, 2026, manufacturers, importers, and distributors must notify ENISA and designated national CSIRTs of actively exploited vulnerabilities and severe security incidents. Here’s what needs to be in place by September 11, 2026.
- Vulnerability monitoring and processes aligned with Article 14
- SBOM-driven visibility
- Reporting workflows and timelines
- Disclosure and update processes
Important vulnerability reporting timelines
Reporting timelines are triggered the moment you become aware of an actively exploited vulnerability or severe security incident.
- 24 hours: File an early warning with ENISA and national
- 72 hours: Submit triage report including a resolution path
- 14 days: Submit final report after remediation is available
December 11, 2027
Full EU CRA product conformity required
Three additional obligations come due in 2027.
- CE marking
- Full conformity assessment
- Harmonized standard compliance
How Black Duck can help
Black Duck provides tools designed to meet the stringent requirements of the CRA.
- Black Duck® SCA identifies third-party risk and clearly indicates when a vulnerability in the EUVD is exploitable, allowing companies to meet their 24-hour reporting requirements.
- Coverity® Static Analysis identifies first-party risks that could become third-party risks if not properly addressed prior to shipping a product with digital elements to a customer within a supply chain.
- Defensics® Fuzzing identifies first- and third-party risk associated with cyber-physical devices, assemblies and subassemblies, and spare parts.
By helping teams identify open source and third-party components, track vulnerabilities, and establish repeatable processes for managing software risk, Black Duck supports the foundational practices needed to meet CRA vulnerability management and reporting obligations.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Corey Hamilton. Read the original post at: https://www.blackduck.com/blog/eu-cyber-resilience-act-cra-compliance-deadlines.html

