| Key Takeaways
• On September 11, 2026, EU CRA vulnerability reporting obligations go live — covering both new and legacy products. • Manufacturers must submit a 24-hour early warning and a 72-hour full notification when an actively exploited vulnerabilities is identified. • Non-compliance carries fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. • The obligations apply to all products with digital elements on the EU market — regardless of where the manufacturer is headquartered. • Document-level access controls and audit trails are essential infrastructure for meeting the CRA’s evidence and reporting requirements. |
On September 11, 2026, the EU Cyber Resilience Act’s mandatory CRA vulnerability reporting obligations go live. Organizations that place products with digital elements on the EU market have fewer than 11 weeks to prepare. This is not a grace period extension — it is a hard deadline backed by fines of up to €15 million. Many compliance teams are scrambling because the September 11 obligations are due more than a year before the CRA’s main application date of December 11, 2027. In this post, we explain who must comply, what the deadlines require, and what steps to take right now.
