Cyber Resilience Act: application timeline
News · Regulatory evolution
Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), entered into force on 10 December 2024. It establishes horizontal cybersecurity requirements for "products with digital elements" placed on the Union market. Its application is staged: the first binding obligations arrive in 2026, and full application follows in December 2027. Any maker of connected hardware or software falls within its scope.
A horizontal regulation, not a directive
The CRA is a regulation, directly applicable in every Member State without national transposition, unlike a directive. It covers all products with digital elements, hardware and software, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network.
Unlike article 3.3 of the RED directive, which targets only radio equipment, the CRA has a far broader scope: a wired sensor, a gateway, a software library or a microcontroller connected over Ethernet all fall within it even though they sit outside the RED.
The staged application timeline
The CRA follows a multi-phase ramp-up. The three milestones confirmed by the official texts are as follows:
| Date | Milestone |
|---|---|
| 10 December 2024 | Entry into force of Regulation (EU) 2024/2847 |
| 11 September 2026 | Application of reporting obligations for actively exploited vulnerabilities and severe incidents |
| 11 December 2027 | Full application of the main obligations, including conformity assessment and CE marking |
The 10 December 2024 entry into force does not trigger any immediate obligation for manufacturers: it is the starting point from which the subsequent phase deadlines run.
First binding deadline: reporting
From 11 September 2026, manufacturers will have to notify actively exploited vulnerabilities and severe incidents affecting the security of their products. The regulation provides for a fast early warning once the manufacturer becomes aware, followed by fuller notifications within the deadlines defined in the text. This phase deliberately arrives before full application, so that disclosure and incident-response processes are operational ahead of the main deadline.
Full application: December 2027
From 11 December 2027, the main obligations apply in full: essential cybersecurity requirements, conformity assessment matched to the product category, EU declaration of conformity and CE marking incorporating the cybersecurity dimension. This is the date to aim for so that a product placed on the market is fully CRA compliant.
What the CRA requires of manufacturers
The essential requirements cover the product across its whole lifecycle:
- Security by design: minimal attack surface, secure default configuration, no identical factory password across all units.
- Vulnerability handling throughout the declared support period: coordinated handling, patches, disclosure policy.
- Security updates available and, where relevant, automatic, signed and verifiable.
- Software bill of materials (SBOM) documenting at least the top-level dependencies.
- Support period declared and communicated to the user.
For a product already subject to the RED article 3.3 cybersecurity requirements, part of the work (risk analysis, secret handling, signed updates) can be shared. But the two frameworks remain distinct: the RED covers only radio equipment, whereas the CRA also covers non-radio products and explicitly mandates vulnerability handling across the support period.
Connection to RED and CE marking
The CRA fits the CE marking logic: it adds essential requirements assessed within the EU declaration of conformity, without creating a separate marking. The Commission has signalled its intent to avoid double assessment between the CRA and article 3.3 of the RED for radio equipment already covered. The precise arrangements for this interplay will be clarified through forthcoming implementing acts and harmonised standards.
The point product teams should watch: the declared support period commits the manufacturer to years of vulnerability handling. It is not an end-of-project formality but an architecture parameter, driving component choice, remote-update capability and the maintenance model.
Key takeaways
- Regulation (EU) 2024/2847 (CRA) has been in force since 10 December 2024.
- The reporting obligations for exploited vulnerabilities and severe incidents apply from 11 September 2026.
- Full application of the main obligations, including conformity assessment and CE marking, lands on 11 December 2027.
- The CRA is horizontal: it covers connected hardware and software, radio and non-radio alike.
- The support period and vulnerability handling are design parameters, decided upfront.
Going further
- CE scope: applicable directives and regulations
- RED harmonised standards: radio cybersecurity and presumption of conformity
Sources & references
- Regulation (EU) 2024/2847, Cyber Resilience Act, EUR-Lex: eur-lex.europa.eu/eli/reg/2024/2847/oj
- Cyber Resilience Act, summary and timeline, European Commission: digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act