CRA Timeline: All Key Dates for the Cyber Resilience Act – From Draft to Full Application
As of: March 2026 | All information is based on Regulation (EU) 2024/2847 and official sources (BSI, European Commission, EUR-Lex).
The Cyber Resilience Act (CRA) is the first EU-wide regulation establishing mandatory cybersecurity requirements for all products with digital elements. Since its entry into force on 10 December 2024, the clock has been ticking – and the first obligations kick in sooner than many manufacturers think.
This article provides a complete chronological overview of all key dates: from the political origins through the legislative process to the upcoming deadlines that manufacturers, importers, and distributors need to know.
The Path to Legislation (2021–2024)
September 2021 – The Announcement
EU Commission President Ursula von der Leyen first introduced the Cyber Resilience Act in her State of the Union address. In May 2022, the Council of the EU called on the Commission to present a concrete proposal by the end of the year.
Source: Council of the EU – Press Release of 19 July 2023 (contains reference to Council conclusions of 23 May 2022)
15 September 2022 – The Draft
The European Commission published the draft of the Cyber Resilience Act. It was the first European legal act proposing horizontal cybersecurity requirements for products with digital elements – covering both hardware and software that can be directly or indirectly connected to a network.
Sources: European Commission – Cyber Resilience Act, Council of the EU – Press Release of 10 October 2024
July 2023 – Parliamentary Review
The responsible committees of the EU Parliament adopted the final report. On the same day, the Committee of Permanent Representatives of the Member States (COREPER) adopted the position of the European Council.
Source: Council of the EU – Press Release of 19 July 2023
November 2023 – Trilogue Agreement
Following negotiations between the European Commission, European Parliament, and the Council, a political agreement was reached on 30 November 2023. Key changes from the original draft: The transition period was extended from 24 to 36 months, the product lifetime support was set to a minimum of 5 years, and the product classification was simplified.
Source: Council of the EU – Press Release of 30 November 2023
12 March 2024 – Adoption by Parliament
The European Parliament adopted the final compromise text.
Source: EUR-Lex – Regulation (EU) 2024/2847
10 October 2024 – Final Approval
The Council of the European Union officially approved the regulation.
Source: Council of the EU – Press Release of 10 October 2024
20 November 2024 – Publication
Regulation (EU) 2024/2847 was published in the Official Journal of the EU. Official title: "Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements."
Source: EUR-Lex – Regulation (EU) 2024/2847 (Full text)
10/11 December 2024 – Entry into Force
20 days after publication, the CRA officially entered into force and the 36-month transition period began. Sources differ on whether the date was 10 or 11 December; most appear to give the 11th.
Sources: BSI – Cyber Resilience Act, European Commission – Summary of the Legislative Text, EUR-Lex – Regulation (EU) 2024/2847
Implementation and Standardisation (2025–2026)
3 February 2025 – Standardisation Mandate
The European Commission issued standardisation mandate M/606 (Document C(2025) 618) to the European standardisation organisations CEN, CENELEC, and ETSI: 41 harmonised standards are to be developed to specify the essential cybersecurity requirements of the CRA. The mandate runs until 30 November 2027. On 3 April 2025, the standardisation request was officially accepted by CEN, CENELEC, and ETSI.
Sources: European Commission – CRA Standardisation, CEN-CENELEC – Standardization Request Officially Accepted, Standardisation Mandate C(2025) 618 (PDF)
1 December 2025 – Implementing Regulation
Implementing Regulation (EU) 2025/2392 was published in the Official Journal of the EU. It contains the technical description of product categories – i.e., the concrete definition of which products are classified as "important" (Class I and II) or "critical" under the CRA.
Sources: European Commission – Cyber Resilience Act Implementation, BSI – Cyber Resilience Act
3 March 2026 – Implementation Guidelines
The European Commission published the draft implementation guidelines for the CRA. The public consultation runs until 31 March 2026. For companies, this is the last opportunity to help shape the practical implementation mechanisms.
Source: European Commission – Cyber Resilience Act Implementation
Upcoming Deadlines: What Applies When
11 June 2026 – Conformity Assessment Bodies
Chapter IV of the CRA becomes applicable. Member States must have designated notifying authorities responsible for the approval of conformity assessment bodies by this date. From this point on, testing bodies for CRA certifications can be designated.
For manufacturers of Class II and critical products, this means: The infrastructure for external conformity assessments is being established.
Sources: BSI – Cyber Resilience Act, European Commission – Summary of the Legislative Text, TÜV Rheinland – Cyber Resilience Act; Legal basis: Art. 71(2) CRA
August 2026 (planned) – First Harmonised Standards
According to the current schedule, the horizontal Type A standards and the Type B standards for vulnerability handling should be available by 30 August 2026.
Note: These are planned deadlines from the CEN/CENELEC standardisation process. They may be subject to change.
Source: CEN-CENELEC – Webinar "Standards supporting the Cyber Resilience Act" (PDF)
11 September 2026 – Reporting Obligation Begins
This is the first hard deadline that directly affects manufacturers. From this day on, actively exploited vulnerabilities and severe security incidents must be reported to the authorities:
- 24 hours: Early warning to the responsible national CSIRT and to ENISA
- 72 hours: Full notification with details about the vulnerability
- 14 days: Final report (after provision of a patch or workaround)
Reporting is done via the ENISA Single Reporting Platform, which is currently being developed.
Important: This reporting obligation applies to ALL products with digital elements available on the EU market – including those placed on the market before September 2026.
Sources: BSI – Cyber Resilience Act, European Commission – Summary of the Legislative Text, Fraunhofer IEM – Cyber Resilience Act, BGHM – FAQs Cyber Resilience Act; Legal basis: Art. 14 + Art. 71(2) CRA
October 2026 (planned) – Product-Specific Standards
Planned deadline for Type C standards, which define product category-specific requirements.
Note: Planned date, subject to change.
Source: CEN-CENELEC – Webinar "Standards supporting the Cyber Resilience Act" (PDF)
11 December 2026 – Sufficient Testing Bodies
Member States must ensure by this date that a sufficient number of notified conformity assessment bodies are available to prevent bottlenecks in market access.
Source: BSI – Cyber Resilience Act; Legal basis: Art. 35(2) CRA
20 January 2027 – Machinery Regulation Becomes Applicable in Parallel
The new EU Machinery Regulation (2023/1230) replaces the previous Machinery Directive. For machine manufacturers, this means: From late January 2027, machines with digital elements must comply with both the Machinery Regulation and the CRA. Both must be referenced in the EU Declaration of Conformity.
Sources: Industrial Cyber – CRA and Machinery Regulation (Sarah Fluchs), EUR-Lex – Machinery Regulation (EU) 2023/1230
October 2027 (planned) – Final Standards
Planned deadline for Type B standards on technical measures.
Source: CEN-CENELEC – Webinar "Standards supporting the Cyber Resilience Act" (PDF)
30 November 2027 – Standardisation Mandate Expires
All 41 harmonised standards commissioned under standardisation mandate M/606 should be available by this date.
Sources: European Commission – CRA Standardisation, Standardisation Mandate C(2025) 618 – "This Decision shall expire on 30 November 2027"
11 December 2027 – Full Application
From this day on, all new products with digital elements placed on the EU market must be fully CRA-compliant. This includes:
- CE marking only with CRA conformity certification
- Security by design must be embedded in product development
- Vulnerability management throughout the entire product lifecycle (minimum 5 years of security updates)
- SBOM (Software Bill of Materials) must be available in machine-readable format
- Conformity assessment completed (self-declaration for approximately 90% of products, external assessment for approximately 10%)
- Responsibility for the entire product – including purchased components
Products placed on the market before 11 December 2027 are only affected if a substantial modification is made subsequently.
Without CRA conformity: No CE, no EU market access.
Sources: BSI – Cyber Resilience Act, European Commission – Summary of the Legislative Text, EUR-Lex – Regulation (EU) 2024/2847; Legal basis: Art. 71(2) CRA
11 June 2028 – Existing Certificates Expire
Existing EU-type examination certificates and approval decisions relating to cybersecurity requirements remain valid until this date, unless they expire earlier.
Source: European Commission – Summary of the Legislative Text
Penalties for Non-Compliance
Non-compliance with CRA requirements can have significant consequences:
- Up to EUR 15 million or 2.5% of global annual turnover (whichever is higher) for violations of the essential cybersecurity requirements
- Market access restrictions up to and including a complete sales ban for non-compliant products
- Recall orders by national market surveillance authorities
Exception: Micro-enterprises and small enterprises cannot be fined for failing to meet the 24-hour deadline for vulnerability reporting.
Sources: EUR-Lex – Regulation (EU) 2024/2847, Art. 64, European Commission – Summary of the Legislative Text
What Manufacturers Should Do Now
The first hard deadline (reporting obligation) is in 6 months. Those who haven't started yet should act now:
- Check applicability: Do your products fall under the CRA? Does your product contain digital elements with a direct or indirect network connection?
- Classify your products: Default, important (Class I/II), or critical? Implementing Regulation (EU) 2025/2392 defines the categories.
- Establish reporting processes (by September 2026): Set up a PSIRT, define internal reporting channels, ensure the 24-hour deadline can be met.
- Establish vulnerability management: Processes for identifying, assessing, and remediating vulnerabilities throughout the entire product lifecycle.
- Create SBOMs: Software Bill of Materials in machine-readable format (CycloneDX or SPDX) for every product.
- Prepare conformity assessment: Technical documentation, risk assessment, EU Declaration of Conformity.
- Engage suppliers: Ensure that purchased components also meet CRA requirements.
Conclusion
The Cyber Resilience Act is the most significant regulatory change for manufacturers of connected products since the introduction of CE marking. The transition period until the end of 2027 may seem long – but the reporting obligation takes effect as early as September 2026, and the necessary adjustments in product development, vulnerability management, and supplier assessment take time.
Manufacturers who act early don't just achieve compliance – they gain a competitive advantage. In a market where many are still hesitating, CRA conformity becomes a trust signal for customers and partners.
This article is regularly updated. All information is based on Regulation (EU) 2024/2847 and official sources. This article does not constitute legal advice.