
What the 11 September 2026 CRA reporting deadline means for you

The first hard deadline of the EU Cyber Resilience Act is not full compliance in 2027 - it is 11 September 2026, when the reporting obligations switch on. From that date, manufacturers of products with digital elements must report actively exploited vulnerabilities and severe incidents to ENISA, fast. If you make or maintain software or connected hardware sold in the EU, this is the part of the CRA that affects you first.

The key points

  • From 11 September 2026, reporting actively exploited vulnerabilities and severe incidents becomes legally binding.
  • You report through ENISA's Single Reporting Platform (SRP) - once, and it routes to your national CSIRT and ENISA.
  • The clock: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days of a fix being available (one month for severe incidents).
  • This applies to products already on the market, not just new ones.
  • Full compliance with the rest of the CRA follows later, on 11 December 2027.

What actually changes on that date

Most of the Cyber Resilience Act - the essential requirements, the Software Bill of Materials, CE marking - applies from 11 December 2027. The reporting duty is pulled forward by more than a year because a vulnerability being exploited in the wild cannot wait for a transition period.

"Actively exploited" has a specific meaning: there is reliable evidence that an attacker has used the vulnerability against a system without permission. A "severe incident" is a security event affecting your product that has, or could have, a serious impact on users. Either one starts the clock.

The 24h / 72h / 14-day clock

When you become aware of a qualifying vulnerability or incident, three things are due:

  1. Within 24 hours - an early warning. A short heads-up to the SRP: what you know so far. It is fine that it is incomplete; the point is speed.
  2. Within 72 hours - a fuller notification. More detail: the nature of the issue, any corrective or mitigating measures you have taken.
  3. A final report. No later than 14 days after a corrective measure is available for an actively exploited vulnerability (within one month for a severe incident).

You submit once, through the SRP, and the platform makes the report available to the relevant national CSIRT and, simultaneously, to ENISA. There is helpful relief built in: micro and small enterprises are not fined for missing the 24-hour deadline, and open-source software stewards are not subject to fines at all. The duty to act in good faith still applies.

How to be ready before September

You do not need a 2027-grade compliance programme to meet the 2026 reporting duty. You need a process that can move in hours, not weeks.

  • Know who reports. Name an owner and a deputy. The 24-hour window does not respect holidays.
  • Find your CSIRT and register for the SRP. The platform becomes operational on 11 September 2026, with a testing period before then. Get accounts in place early.
  • Write the playbook now. A one-page runbook: how you detect, who decides it is "actively exploited", who drafts the early warning, who submits. Rehearse it once.
  • Stand up coordinated vulnerability disclosure. A public way for researchers to reach you (a security contact and a CVD policy) is both a CRA requirement and your earliest warning system.
  • Keep an inventory of what you ship. When a CVE lands in a popular library, you want to answer "are we affected?" in minutes. That is what a Software Bill of Materials is for.

This is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against the official sources below or with a qualified adviser.

Sources: European Commission - CRA reporting obligations, ENISA - Single Reporting Platform, Regulation (EU) 2024/2847 (EUR-Lex).