Complete CRA Timeline
The EU Cyber Resilience Act follows a phased implementation approach, giving manufacturers time to adapt while prioritizing the most critical obligations (vulnerability reporting) with an earlier deadline.
September 15, 2022
European Commission publishes the CRA proposal
March 12, 2024
European Parliament approves the CRA text
October 10, 2024
Council of the EU formally adopts the CRA regulation
November 20, 2024
CRA published in the Official Journal of the European Union (Regulation EU 2024/2847)
December 10, 2024
CRA enters into force (20 days after publication)
Throughout 2025–2026
European Commission prepares implementing acts and delegated acts (technical specifications, harmonised standards, SBOM format guidance)
June 11, 2026
Member States must designate notified bodies (conformity assessment bodies) for CRA
September 11, 2026
Vulnerability reporting obligations become enforceable (Article 14). Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours.
December 11, 2027
Full CRA compliance required. All essential cybersecurity requirements, conformity assessments, technical documentation, CE marking, and SBOM obligations apply.
What You Should Be Doing Now (March 2026)
With 6 months until the vulnerability reporting deadline and 21 months until full compliance, here's a prioritized action plan:
Immediate Priority (by September 2026)
- • Establish vulnerability reporting capability to ENISA
- • Set up vulnerability monitoring for all product dependencies
- • Publish a coordinated vulnerability disclosure policy
- • Create incident response procedures with 24-hour notification SLAs
Medium-Term (by mid-2027)
- • Implement automated SBOM generation in CI/CD pipelines
- • Complete product risk assessments and classify products under CRA categories
- • Begin preparing technical documentation
- • Implement security-by-design practices and secure defaults
Full Compliance (by December 2027)
- • Complete conformity assessment (self-assessment or third-party)
- • Finalize technical documentation and EU Declaration of Conformity
- • Affix CE marking to all compliant products
- • Ensure continuous monitoring and update mechanisms are operational
Transitional Provisions
Products already on the EU market before December 11, 2027 are not retroactively subject to CRA requirements unless they undergo a "substantial modification" after that date. A substantial modification that affects the product's cybersecurity properties would bring the product into CRA scope.
EU type-examination certificates and conformity decisions issued under existing harmonised legislation before the CRA deadline remain valid until their expiry, unless they need to be amended to reflect CRA requirements.
Related CRA Topics
How Prismor Helps with CRA Compliance
Prismor is the only platform that combines deep regulatory expertise with automated security tooling, so your team can meet EU CRA requirements without manual overhead.
Vulnerability Fixes
Automatically detect and fix known CVEs across your entire dependency tree, no manual patching required.
SBOM & VEX Generation with Compliance Reporting
Produce CycloneDX and SPDX-compliant SBOMs and VEX documents automatically on every build, with audit-ready reports aligned to EU CRA.
Software Supply Chain Monitoring
Continuous monitoring of your software supply chain with real-time alerts on new vulnerabilities and dependency changes.