What Changes in 2026 and 2027 under the Cyber Resilience Act?

The Cyber Resilience Act timeline has two critical dates. Learn the difference between the Sept 2026 reporting duties and the full Dec 2027 compliance deadline.

Written by Dimitri Page
December 13, 2025

Understanding the timeline of the Cyber Resilience Act (CRA) is essential for any organisation building or distributing digital products in the EU. The regulation introduces a phased rollout, and two dates matter above all: 11 September 2026 and 11 December 2027.

These milestones do not carry the same obligations. The first introduces fast moving operational reporting duties. The second establishes the complete CRA security baseline for all new products placed on the EU market.

This article breaks down the difference clearly, with clarifications based on the CRA FAQ and official text.

Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.

The CRA Timeline at a Glance

2026 → Reporting starts, for all products with digital elements available in the EU

You must report actively exploited vulnerabilities and severe security incidents for any product in scope already on the EU market.

2027 → Everything starts, for new products released on the market

Full CRA compliance becomes mandatory for any new product placed on the EU market from 11 December 2027.

September 2026: The Reporting Duties Begin

From 11 September 2026, one specific part of the Cyber Resilience Act becomes legally binding: mandatory reporting of actively exploited vulnerabilities and severe security incidents.

This applies to any product with digital elements that is already on the EU market, regardless of when it was first released. Legacy products are not exempt from reporting.

Actively Exploited Vulnerabilities

This is the area where the CRA FAQ adds important nuance that most teams miss.

A vulnerability is considered actively exploited when there is reliable evidence that a malicious actor has used it in a system without the permission of the system owner.

This includes, but is not limited to, actively exploited vulnerabilities that are publicly disclosed or reported online.

Manufacturers may become aware of such vulnerabilities through many channels, including customer reports, CSIRTs, threat intelligence, internal monitoring, honeypots, or dark web activity. The CRA does not prescribe how awareness must occur. It only defines what you must do once you become aware.

If your product contains a component with a known exploited vulnerability, you must report it if the vulnerability can be exploited in your product.

If the vulnerability exists in a dependency but cannot be exploited in your specific implementation, the CRA does not require mandatory reporting, although you still have a duty to inform the component maintainer.

This is a key distinction. ScanDog's smart prioritisation immediately surfaces actively exploited vulnerabilities and makes clear whether each one can be exploited in your specific implementation.

Severe Security Incidents

A severe incident has a specific meaning under the CRA. It is an incident that:

  • negatively affects or could negatively affect the ability of your product to ensure confidentiality, integrity, availability or authenticity, or
  • has introduced or could introduce malicious code into your product or the user’s systems.

A key example appears in the official text: if an attacker compromises your software update channel and injects malicious code, this is automatically considered severe.

Strict CRA Reporting Deadlines

The Cyber Resilience Act sets non-negotiable timelines once a manufacturer becomes aware of the issue:

  • 24 hours → early warning
  • 72 hours → incident or vulnerability notification with technical detail
  • 14 days → final report for vulnerabilities, tied to the moment a corrective or mitigating measure is available
  • 1 month → final report for severe incidents

In practical terms:

If your digital product is on the market, new or old, you must be prepared to detect, triage, verify exploitability and notify authorities within these time windows. While the CRA does not mandate how you monitor for issues, it requires that your internal processes can support timely awareness and reporting.

Tip: Fixing known exploited vulnerabilities in products already on the market before 11 September 2026 dramatically reduces future reporting load. Once a vulnerability is fixed before the duty applies, there is nothing left to notify.
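The two decision rules above (report only when a vulnerability is both actively exploited and exploitable in your product; the 14-day final report clock starts when a fix is available, while the 24-hour and 72-hour clocks start at awareness) are easy to get wrong in a triage workflow. The following is an added example written for this article, not code from the article's author or from ScanDog: a small Python triage helper that applies those rules and the severe-incident definition to constructed sample findings. The `Finding` record, its field names, the product name, the `VULN-EXAMPLE-*` identifiers and the awareness timestamps are all assumptions invented for the example, and "1 month" is implemented as the same calendar day of the next month, which is an interpretation of the article's wording rather than an official rule.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One vulnerability in one product. Constructed record type; the field names
    are this example's own assumptions, not CRA terminology."""
    product: str
    vulnerability_id: str
    actively_exploited: bool       # reliable evidence of in-the-wild exploitation
    exploitable_in_product: bool   # can it actually be exploited in our implementation?
    aware_at: datetime             # moment the manufacturer became aware
    fix_available_at: Optional[datetime] = None  # when a corrective or mitigating measure shipped


def reporting_duty(f: Finding) -> str:
    """Apply the exploitability distinction: report only when the vulnerability is
    actively exploited AND exploitable in this product; otherwise tell the maintainer."""
    if not f.actively_exploited:
        return "no CRA reporting duty"
    if not f.exploitable_in_product:
        return "inform component maintainer"
    return "report to authorities"


def add_one_month(t: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def vulnerability_deadlines(f: Finding) -> Dict[str, Optional[datetime]]:
    """24 h early warning and 72 h notification run from awareness; the 14-day final
    report runs from the moment a corrective or mitigating measure is available."""
    if reporting_duty(f) != "report to authorities":
        return {}
    return {
        "early_warning": f.aware_at + timedelta(hours=24),
        "notification": f.aware_at + timedelta(hours=72),
        "final_report": f.fix_available_at + timedelta(days=14) if f.fix_available_at else None,
    }


def is_severe_incident(affects_security_properties: bool, introduces_malicious_code: bool) -> bool:
    """Severe if the incident affects or could affect confidentiality, integrity,
    availability or authenticity, or introduces or could introduce malicious code."""
    return affects_security_properties or introduces_malicious_code


def incident_deadlines(aware_at: datetime) -> Dict[str, datetime]:
    """Same 24 h / 72 h clocks; the final incident report is due after one month."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def overdue(deadlines: Dict[str, Optional[datetime]], now: datetime) -> List[str]:
    """Names of deadlines already missed at `now` (deadlines not yet known are skipped)."""
    return [name for name, due in deadlines.items() if due is not None and now > due]


# Constructed sample data: product name, vulnerability ids and timestamps are placeholders.
AWARE = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("gateway-fw", "VULN-EXAMPLE-1", True, True, AWARE, fix_available_at=AWARE + timedelta(days=6)),
    Finding("gateway-fw", "VULN-EXAMPLE-2", True, False, AWARE),   # in a dependency, unreachable here
    Finding("gateway-fw", "VULN-EXAMPLE-3", False, True, AWARE),   # exploitable, but no exploitation evidence
]


def demo(now: Optional[datetime] = None) -> Dict[str, object]:
    """Triage the samples and return plain strings so the result is easy to inspect."""
    now = now or AWARE + timedelta(days=4)
    duties = {f.vulnerability_id: reporting_duty(f) for f in SAMPLE_FINDINGS}
    vuln = vulnerability_deadlines(SAMPLE_FINDINGS[0])
    incident = incident_deadlines(datetime(2026, 1, 31, 12, 0, tzinfo=timezone.utc))
    return {
        "duties": duties,
        "vuln_deadlines": {k: (v.isoformat() if v else None) for k, v in vuln.items()},
        "vuln_overdue": overdue(vuln, now),
        "incident_final_report": incident["final_report"].isoformat(),
        # The article's own example: a compromised update channel injecting malicious code.
        "update_channel_compromise_is_severe": is_severe_incident(False, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the file directly to see the triage result for the three sample findings. The point worth keeping from the design: `vulnerability_deadlines` returns `None` for the final report until a fix exists, so a tracker built on it cannot silently start the 14-day clock at awareness, and `overdue` skips unknown deadlines instead of treating them as missed.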

December 2027: Full CRA Compliance Becomes Mandatory

From 11 December 2027, the entire Cyber Resilience Act activates.

This applies to any new product placed on the EU market from that date onward.

“New product” refers to units first placed on the market after 11 December 2027, even if the product was originally created years earlier. This includes re-releases, new versions and new shipments of an existing model.

Essential Cybersecurity Requirements

Products must be:

  • secure by design
  • secure by default
  • built with a limited attack surface
  • able to ensure confidentiality, integrity and availability throughout their defined support period

Vulnerability Handling Processes

Manufacturers must maintain:

  • SBOMs
  • coordinated vulnerability disclosure
  • secure update mechanisms
  • documented vulnerability management processes
  • a defined support period, during which the product must remain secure (many guidance documents suggest at least five years unless the expected usage period is shorter)

Conformity Assessment and CE Marking

Before a product can be placed on the market:

  • it must undergo a CRA-aligned conformity assessment
  • it must meet all essential cybersecurity requirements
  • the manufacturer must affix a CE marking as proof of compliance

Importer and Distributor Responsibilities

These parties must verify that the manufacturer has met CRA obligations before making a product available in the EU.

Note on Existing Products

Products already on the market before December 2027 enter a special regime:

  • They do not need full CRA compliance unless they undergo a substantial modification.
  • They do still need to report actively exploited vulnerabilities and severe security incidents from 11 September 2026.
  • They are not required to meet all CRA vulnerability handling obligations if it is technically impossible to investigate or patch older versions, but manufacturers must still take reasonable steps to manage risk and inform affected users.

ScanDog supports this second compliance phase with automated SBOM generation, vulnerability contextualisation, conformity evidence and reporting workflows, helping teams accelerate readiness with less overhead.

