← Back to CRA Insights
Getting compliant

Your CRA Compliance Checklist: A Sequenced Readiness Roadmap

Editorial cover evoking a compliance checklist and countdown roadmap toward a 2027 deadline. A calm timeline/checklist motif with milestone markers, brand navy #1C3D6E with a small gold #E0A100 accent on #FAF9F6. No dense text.

The Cyber Resilience Act gives you three dates to work backwards from, not one. The first hard cliff - mandatory vulnerability reporting - lands on 11 September 2026, fewer than 100 days away. Full product compliance follows on 11 December 2027. This guide sequences every major obligation so you can work through them in the right order.

This article is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against Regulation (EU) 2024/2847.

The Three Deadlines at a Glance

The CRA (Regulation (EU) 2024/2847) entered into force on 10 December 2024. From that point, three dates structure everything:

CRA Key Deadlines
DateWhat appliesWho it affects
11 June 2026Chapter IV: notified bodies can be designated by Member StatesConformity assessment bodies, Member States
11 September 2026Article 14 reporting obligations: actively exploited vulnerabilities and severe incidents must be reported via ENISA's Single Reporting PlatformAll manufacturers of PDEs on the EU market
11 December 2027Full application: all essential requirements, SBOM, CE marking, EU Declaration of Conformity, technical documentation enforceableManufacturers, importers, distributors

One important nuance: reporting obligations apply to all products with digital elements already available on the EU market, including those placed on the market before 11 December 2027. You cannot wait for the 2027 deadline to start caring about reporting.

See the full timeline on the CRA deadlines page.

Phase 0 - Know Your Scope and Class

Do this before anything else. Every subsequent obligation depends on whether your product is in scope and which class it falls into.

Is your product a PDE? A product with digital elements (PDE) is broadly any hardware or software product that connects - directly or indirectly - to a network or another device, and is placed on the EU market commercially. Remote data-processing solutions designed and developed by the manufacturer, without which the product could not perform one of its functions, are treated as part of the product.

What class is it?

  • Default (~90% of products): self-assess via internal control (Module A). No notified body required.
  • Important - Class I or II (Annex III): third-party conformity assessment required for Class II; Class I can use harmonised standards or Module B+C.
  • Critical (Annex IV): EU type-examination or full quality assurance required.

Use the scope and class checker if you are unsure where your product sits.

warning Warning

No harmonised standards are yet cited in the Official Journal (as of June 2026), so the Article 27 presumption of conformity is not available for any product category. The EN 40000 series and EN 18031-based drafts are in progress under Standardisation Request M/606, with the public enquiry on the core horizontal drafts expected from mid-July to mid-November 2026. Until standards are formally cited, you must demonstrate conformity directly against Annex I. Do not wait for standards before starting design work — they are a tool for demonstrating compliance, not a prerequisite for building secure products.

Before 11 September 2026 - Get Reporting-Ready

This is the first real cliff. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's Single Reporting Platform (SRP), with a 24-hour early warning, a 72-hour notification, and a final report within 14 days of a corrective measure being available for vulnerabilities (or one month for severe incidents).

The SRP is scheduled to be operational by 11 September 2026, with a testing period before then. ENISA has indicated it will publish access instructions and an onboarding manual during June 2026 - watch the ENISA SRP page closely. You submit once through the platform; it routes your notification to the CSIRT of the Member State where your organisation has its main establishment, and simultaneously to ENISA.

Reporting readiness checklist (do this now):

  1. Confirm your product is in scope for reporting. The obligation applies to every PDE on the EU market from 11 September 2026, regardless of when it was placed there.
  2. Identify your coordinator CSIRT. This is determined by where your organisation has its main EU establishment. Non-EU manufacturers should clarify their authorised representative's role.
  3. Designate a named reporting officer with authority to file the 24-hour early warning without waiting for a committee decision. Name a backup.
  4. Draft and pre-approve report templates for the 24-hour, 72-hour, and final-report stages. These cannot be written while the clock is running.
  5. Register on the SRP as soon as ENISA opens onboarding. Do not leave this until September.
  6. Run a tabletop exercise. Simulate a realistic scenario - a critical CVE in a dependency, discovered on a Friday evening - and time the workflow from signal to filed notification.
  7. Define your "actively exploited" decision gate. The clock starts when you form a reasonable belief of active exploitation, not when you have forensic proof.
lightbulb Tip

The reporting obligation is operationally a detection-to-disclosure workflow problem. The teams that will struggle in September are those that have not practised the escalation path. Run the tabletop before the deadline, not after.

Toward 11 December 2027 - The Full Product Checklist

The 2027 deadline covers the full set of essential requirements. Work through these in roughly this order, because each step feeds the next.

Step 1 - Cybersecurity Risk Assessment (Article 13)

The risk assessment is the document that drives everything else. It must be completed before you can legitimately draw up the EU Declaration of Conformity or affix CE marking. It should document your product's intended purpose, operational environment, foreseeable misuse, and the specific threats and mitigations that flow from those. See the Article 13 risk assessment guide for what the document must contain.

Step 2 - Security by Design and Secure by Default

Annex I, Part I sets out the essential requirements. In plain terms:

  • No weak default passwords - every instance must have a unique credential or require the user to set one at first use.
  • Minimal attack surface - disable interfaces and services that are not needed for the product's function.
  • Reset-to-secure-state - the product must be restorable to a known-secure configuration.
  • Confidentiality, integrity, and availability protections appropriate to the risk.
  • Protection against unauthorised access.

Design decisions made now are hard to reverse later. The risk assessment (Step 1) should be informing architecture choices, not documenting them after the fact.

Step 3 - Software Bill of Materials (SBOM)

The CRA requires manufacturers to draw up and maintain a machine-readable SBOM covering at least the top-level dependencies, in CycloneDX or SPDX format, kept in the technical documentation (Annex I, Part II(1)). It does not have to be made public, but authorities can request it.

Build SBOM generation into your CI/CD pipeline now - it also underpins the reporting workflow, because you need to know which product versions are affected when a vulnerability surfaces. See the SBOM starter guide.

Step 4 - Vulnerability Handling and CVD Policy

You must have a documented process for receiving, triaging, and remediating vulnerability reports, and a publicly accessible contact point. A coordinated vulnerability disclosure (CVD) policy is required. This is also the foundation for the Article 14 reporting workflow - the same process that handles incoming researcher reports should feed the SRP notification chain.

Step 5 - Free Security Updates Across the Support Period

The CRA presumes a support period of at least five years unless the product's expected useful life is shorter. Security updates must be provided free of charge throughout that period. The support period is not a flat five years for every product - it depends on the product's intended use and market expectations. See the support period guide for how to determine and document yours.

Step 6 - Technical Documentation (Annex VII)

The technical file must be compiled before CE marking is affixed and kept for ten years after the last product is placed on the market. It includes: the risk assessment, design and architecture documentation, the SBOM, test results, the CVD policy, and the EU Declaration of Conformity. Think of it as the evidence dossier that a market surveillance authority would inspect.

Step 7 - EU Declaration of Conformity and CE Marking

The EU Declaration of Conformity (Annex V) is the manufacturer's formal statement that the product meets the CRA's essential requirements. CE marking follows from it. For Default products, this is self-declared. For Important Class II and Critical products, a notified body must be involved. Notified bodies can be designated from 11 June 2026. If your product requires third-party assessment, engage a notified body early - capacity will be constrained.

Use the full compliance checklist to track your documentation status across all of these steps.

Roles Other Than Manufacturer

The CRA places obligations on the whole supply chain, not just the maker.

Importers must verify that the manufacturer has carried out the appropriate conformity assessment, that the technical documentation exists, that CE marking is affixed, and that the EU Declaration of Conformity accompanies the product - before placing it on the EU market. If a product does not comply, the importer must not place it on the market and must notify the manufacturer and market surveillance authorities.

Distributors must verify that CE marking is affixed and that the required documentation is available. If they become aware of a non-compliant product or a vulnerability, they must act and inform the manufacturer.

Open-source software stewards (Article 24) have a lighter, tailored set of duties - they are not subject to the full manufacturer obligations and cannot be fined under the CRA's penalty provisions. Non-commercial open-source software developed outside a commercial activity is largely outside scope.

See the importer and distributor obligations guide for the full picture.

What to Do This Quarter

If you are reading this in June 2026, here is the prioritised short list:

  1. Confirm scope and class using the scope checker - everything else depends on this.
  2. Designate your reporting officer and backup - name them, write it down, share it internally.
  3. Draft your 24h/72h/final report templates and get them pre-approved by legal.
  4. Identify your coordinator CSIRT based on your main EU establishment.
  5. Watch for ENISA's SRP onboarding instructions, expected during June 2026, and register as soon as the window opens.
  6. Start your Article 13 risk assessment if you have not already - it is the foundation for every 2027 obligation.
  7. Integrate SBOM generation into your build pipeline; you will need it for both reporting and technical documentation.
lightbulb Tip

Penalty context: Under Article 64, breaching the essential requirements (Annex I) or the Article 13/14 obligations carries fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. The reporting obligation is the first one with an operational enforcement mechanism — a missed 24-hour notification is visible to ENISA in real time.

What's Still Developing

A few things to watch as you plan:

  • Harmonised standards: No CRA harmonised standard has been cited in the Official Journal as of June 2026. The public enquiry on the core EN 40000 horizontal drafts is expected from mid-July to mid-November 2026. Until citation, design against Annex I directly.
  • Commission guidance: In March 2026 the European Commission published draft guidance clarifying scope (remote data processing, open source, support periods). The final version has not yet been published - watch the EC CRA page for updates.
  • SRP onboarding: ENISA has indicated access instructions will be published during June 2026. The platform itself is scheduled to be operational by 11 September 2026, with a testing period before then.
lightbulb Tip

Stay current: CRA guidance, standards, and SRP details are moving fast. Subscribe to The CRA Brief for a weekly digest of regulatory updates, new standards drafts, and ENISA announcements — so you hear about changes before they affect your roadmap.

Related reading

Generated image
Conformity & CE marking

CE Marking and the EU Declaration of Conformity Under the CRA: What You Sign and What Sits Behind It

For most products with digital elements, CE marking under the CRA means one thing: you self-assess, build a technical file, and sign the EU Declaration of Conformity yourself. Here is exactly how that works.

Generated image
Scope

CRA vs NIS2: Which EU Cyber Rule Applies to Your Software - and Is SaaS in or Out?

The CRA covers products placed on the market; NIS2 covers organisations operating essential services. Pure SaaS is generally out of CRA scope - but the line is not always clean.

Support period / security updates theme: a horizontal product lifecycle timeline marked across several years with a recurring update/refresh/shield symbol, conveying "at least five years of free security updates". Brand colours deep navy #1C3D6E and gold accent #E0A100 on warm off-white #FAF9F6. Calm, clean, professional, no fear-mongering, minimal text.
Support period

The CRA Support Period: It's Not a Flat Five Years

The CRA support period is not a flat five-year rule. It's the expected product lifetime - and at least five years. Here's how to set, justify, and communicate yours.