| Key Takeaways
• On September 11, 2026, EU CRA vulnerability reporting obligations go live — covering both new and legacy products. • Manufacturers must submit a 24-hour early warning and a 72-hour full notification when an actively exploited vulnerabilities is identified. • Non-compliance carries fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. • The obligations apply to all products with digital elements on the EU market — regardless of where the manufacturer is headquartered. • Document-level access controls and audit trails are essential infrastructure for meeting the CRA’s evidence and reporting requirements. |
On September 11, 2026, the EU Cyber Resilience Act’s mandatory CRA vulnerability reporting obligations go live. Organizations that place products with digital elements on the EU market have fewer than 11 weeks to prepare. This is not a grace period extension — it is a hard deadline backed by fines of up to €15 million. Many compliance teams are scrambling because the September 11 obligations are due more than a year before the CRA’s main application date of December 11, 2027. In this post, we explain who must comply, what the deadlines require, and what steps to take right now.
What Is the EU Cyber Resilience Act, and Why Does September 11 Matter?
The CRA entered into force in November 2024. It establishes cybersecurity requirements for any hardware or software product that connects — directly or indirectly — to a device or network. Products in scope range from enterprise software and industrial control systems to smart devices and embedded components.
Most CRA obligations apply from December 11, 2027, but not all of them. Article 14 of the regulation specifically accelerates the reporting requirements. Those rules apply from September 11, 2026, giving manufacturers just 21 months after the law’s entry into force to be ready. Organizations that miss this timeline face enforcement action, not just a compliance warning.
According to the European Commission’s official CRA reporting guidance, the Single Reporting Platform is being built to be operational by this date, with a testing window available before September 11. Consequently, the time to prepare is running out.
Who Must Comply with CRA Vulnerability Reporting?
The obligation falls primarily on manufacturers. Under the CRA, a manufacturer is any entity that designs, develops, or builds a product with digital elements and places it on the EU market under their own name or trademark. However, the scope extends beyond EU-headquartered companies. Non-EU manufacturers that sell into Europe are equally subject to the rules.
The regulation establishes a clear hierarchy for determining which CSIRT (Computer Security Incident Response Team) receives the notification. The sequence is based on where the manufacturer’s EU representative, importer, or distributor is established. As a result, even a company with no EU office can still have a designated reporting CSIRT.
One explicit exemption exists: micro and small enterprises are exempt from the vulnerability reporting obligations. According to Tributech’s CRA compliance analysis, a small enterprise has fewer than 50 employees and an annual turnover or balance sheet total of €10 million or less. For any larger organization that manufactures digital products sold in Europe, September 11 is a firm deadline.
What Counts as a “Vulnerability” Under the CRA?
Not every bug triggers a reporting obligation. The CRA establishes three distinct vulnerability categories, and understanding the difference matters enormously for compliance.
A vulnerability is any weakness, susceptibility, or flaw that a cyber threat could exploit. This is the broad baseline definition — it covers what most vulnerability scanners flag. However, this level alone does not trigger CRA reporting obligations.
An exploitable vulnerability is one that an adversary could effectively use under real operational conditions. Manufacturers assess exploitability based on product design and environment. Reference tools include CISA’s Known Exploited Vulnerabilities catalog and ENISA’s EU Vulnerability Database (EUVD).
An actively exploited vulnerability is where the CRA reporting obligation kicks in. This means reliable evidence shows a malicious actor has used the vulnerability against a real system without the owner’s permission. Crucially, a confirmed intrusion through your product qualifies — and the 24-hour clock starts the moment you become aware.
What Are the Exact Reporting Deadlines?
The CRA imposes a strict, escalating timeline. The clock starts when a manufacturer becomes aware of an actively exploited vulnerability — not when they can confirm the full scope of impact. Therefore, detection speed is a compliance requirement, not just an operational goal.
- Within 24 hours: Submit an early warning notification signaling awareness of the actively exploited vulnerability or severe incident.
- Within 72 hours: Submit a full vulnerability notification. This must include the affected product, the nature of the exploit, corrective or mitigating measures taken, and guidance users can apply.
- Within 14 days (after a corrective measure is available): Submit a final report for actively exploited vulnerabilities. For severe incidents, the deadline is within one month.
These deadlines demand that detection, classification, and documentation processes are operational before September 11 — not assembled in response to the first incident after the deadline passes.
Where and How Do Manufacturers Submit Reports?
The CRA establishes a single submission channel: the CRA Single Reporting Platform (SRP), managed by ENISA. The SRP will be operational by September 11, 2026. ENISA has already opened a pre-launch testing period. Manufacturers are strongly encouraged to test their workflows before the deadline.
Submissions go to the CSIRT of the manufacturer’s main EU Member State establishment. From there, ENISA receives the notification simultaneously, and the receiving CSIRT shares the alert with CSIRTs across every Member State where the product is available — unless a security-justified hold is applied.
Does This Apply to Products Already on the Market?
YES, and this is the point many organizations miss. The CRA’s vulnerability reporting obligations are not limited to products launched after September 11, 2026. They apply to all products with digital elements already on the EU market and still within their active support period.
In other words, if your product shipped three years ago and still receives updates, it falls within scope. This legacy product obligation significantly broadens the compliance burden. As a result, organizations must audit their entire active product portfolio — not just new releases — to identify which products could trigger reporting obligations from day one.
What Happens If You Miss the Deadline?
The CRA’s penalties are substantial. Non-compliance with vulnerability reporting obligations can result in fines of up to €15 million or 2.5% of the previous year’s global annual turnover, whichever is higher. Beyond financial penalties, authorities can also impose product recalls, market suspension, or revocation of CE marking.
There is no first-offense grace period built into the regulation. The European Commission has confirmed that the enforcement scope covers both new and legacy products from the moment the reporting obligations take effect. Consequently, September 11 is both a starting line and an enforcement trigger.
What Should Organizations Do in the Next 10 Weeks?
With only 10 weeks left until the deadline, the following steps are essential. Start today — each of these takes time to build correctly.
- Audit your active product portfolio. Identify every product with digital elements you sell or distribute in the EU market. Include legacy products still within their active support lifecycle.
- Establish vulnerability classification processes. Train teams to distinguish between a basic vulnerability, an exploitable vulnerability, and an actively exploited one that triggers CRA reporting.
- Build incident detection and response workflows. The 24-hour clock starts when you become aware. Without monitoring and escalation processes already in place, that window is nearly impossible to meet.
- Integrate with vulnerability databases. Tools like CISA’s KEV catalog and ENISA’s EUVD help determine whether a known vulnerability is being actively exploited — the key trigger for reporting.
- Prepare notification templates and documentation systems. CRA notifications require specific technical details: affected product versions, exploit nature, corrective measures, and user guidance. Have templates ready before an incident occurs.
- Test on the SRP before the deadline. ENISA is offering a pre-launch testing period for the Single Reporting Platform. Use it to validate your submission workflow well before September 11.
How Does Data-Centric Security Support CRA Compliance?
The CRA’s reporting obligations rest on a foundation of evidence. Meeting the 72-hour notification deadline requires precise, real-time knowledge of which products were affected, how they were accessed, and what data was exposed. That knowledge depends on the quality of an organization’s security documentation infrastructure.
This is where document-level encryption and persistent audit trails become directly relevant. When sensitive security documentation — vulnerability assessments, incident response records, product specifications, patch notes — is protected by Enterprise Digital Rights Management (EDRM), every access event is logged with a timestamp, user identity, and location. That log is the raw material from which a compliant CRA notification is built.
Furthermore, the CRA’s full security requirements — which apply from December 2027 — mandate that manufacturers design products with data-centric security principles: data minimization, access control, and secure-by-default configurations. These are exactly the principles that digital rights management embeds at the file level — data encryption that travels with the document, access permissions that persist wherever the file moves, and complete lifecycle visibility.
Organizations that invest in data-centric security infrastructure today, ahead of the September 11 reporting deadline, will be better positioned for the December 2027 full CRA compliance horizon as well. In this sense, the September deadline is not just a reporting hurdle. It is the first marker in a longer journey toward embedded product security.
The Clock Is Already Running
The EU Cyber Resilience Act’s September 11 vulnerability reporting deadline is not a distant regulatory milestone. It is a live obligation, backed by penalties in the tens of millions of euros, with a countdown already well underway. With fewer than 11 weeks remaining, now is the time to audit your product portfolio, build your reporting processes, and test your notification workflows.
Organizations that start today will avoid the scramble — and the fines — that September will otherwise bring. Moreover, those who build the underlying documentation and access control infrastructure now will carry that advantage forward into full CRA compliance in December 2027.