Description

Manufacturers of products with digital elements must begin reporting actively exploited vulnerabilities and severe incidents. Mandatory timelines include: early warning within 24 hours, full notification within 72 hours, and final report no later than 14 days after a corrective measure is available. These obligations apply to ALL products already on the EU market, including legacy products.

Requirements

Establish 24-hour vulnerability early warning process
Implement 72-hour full notification workflow
Create 14-day final report procedures
Inventory all products with digital elements on EU market
Set up coordination with ENISA single reporting platform

Applicable To

IoT Device ManufacturersSoftware PublishersHardware ManufacturersSmart Home Device MakersIndustrial IoT Providers

Penalty Information

⚠Up to EUR 15 million or 2.5% of global annual turnover for non-compliance with essential cybersecurity requirements.

197

days remaining

September 11, 2026

Share:X in @

Framework

EU CRA

EU Cyber Resilience Act

Related EU CRA Deadlines

EU CRA - Conformity Assessment Body Designation
June 11, 2026

EU CRA - Vulnerability Reporting Obligations Begin