11 September 2026: The First Hard Deadline of the Cyber Resilience Act
From 11 September 2026, manufacturers of products with digital elements face binding reporting obligations under Regulation (EU) 2024/2847 – the Cyber Resilience Act (CRA). Actively exploited vulnerabilities and severe security incidents must be reported to the competent CSIRT and to ENISA within 24 hours (early warning) and 72 hours (notification).
Fewer than 18 months remain until all product requirements become fully applicable on 11 December 2027. Companies that start building their processes today will be significantly better positioned than those waiting for harmonised standards.
Am I in scope? Find out now.
The CRA applies to manufacturers, importers, and distributors of hardware and software products with network or device connectivity – regardless of whether the product is offered free of charge or commercially. Many companies underestimate their own scope.
Use the interactive eligibility check to get an initial assessment in minutes: What role do you play (manufacturer, importer, distributor)? Does your product fall under the CRA? And if so, what product class is it likely to fall into?
What Blackfort Technology Does for You
Blackfort Technology supports manufacturers of digital products with structured preparation for the Cyber Resilience Act – from initial scoping to the operational build-out of required processes.
- CRA scope and eligibility analysis: Clarification of your role, product class, and conformity path based on the regulation and Implementing Regulation (EU) 2025/2392.
- Reporting processes and PSIRT setup: Operational build or review of your vulnerability handling and incident notification processes for the September 2026 deadline.
- SBOM gap report: Assessment of your software bill of materials for CRA compliance – formats (CycloneDX ≥ 1.6 / SPDX ≥ 3.0.1), completeness, 10-year retention obligation. Request gap report →
- Security-by-design and ISMS integration: Embedding CRA requirements into existing development and security processes; support with technical documentation and EU declaration of conformity.
- DORA and NIS2 cross-references: Coordinated view of regulatory overlaps for companies with multiple compliance exposures.
SMEs: No Size Exemption, but Clear Priorities
The Cyber Resilience Act does not provide a general exemption for SMEs. Smaller manufacturers of products with digital elements are in scope. There are, however, targeted relief provisions – for example on certain notification and sanction aspects for micro-enterprises.
What matters most for SMEs: what to tackle first. Reporting processes (deadline: September 2026) take priority over SBOM completeness and CE marking (deadline: December 2027). Knowing the priorities avoids unnecessary effort.
Our Expertise
Blackfort Technology is led by Christian Gebhardt, who contributes to the development of practical security standards as a member of the ACS AI working group and co-author of the ACS/BSI guide on LLM penetration testing. Hands-on implementation experience covers PKI, DORA, NIS2, ISMS, and SBOM and vulnerability management.
Blackfort Technology's consulting focuses on operational feasibility – not abstract compliance theory, but structured processes that actually work within your organisation.
Knowledge: Background and Technical Detail
- CRA reporting obligations from 11 September 2026: 24h/72h explained
- Am I affected by the Cyber Resilience Act? Roles and exceptions
- CRA product classes: default, class I/II and critical
- SBOM requirements under the CRA: CycloneDX, SPDX, TR-03183-2
- Cyber Resilience Act for SMEs: a prioritised implementation plan