Blackfort Technology
⏱ CRA deadlines: reporting 11 Sep 2026 · full requirements 11 Dec 2027

CRA Readiness: Are You Prepared for the Cyber Resilience Act?

Manufacturers of digital products: check now whether you face reporting obligations from 11 September 2026. Interactive eligibility check + free initial consultation with Blackfort Technology.

Start eligibility checkCRA overview

11 September 2026: The First Hard Deadline of the Cyber Resilience Act

From 11 September 2026, manufacturers of products with digital elements face binding reporting obligations under Regulation (EU) 2024/2847 – the Cyber Resilience Act (CRA). Actively exploited vulnerabilities and severe security incidents must be reported to the competent CSIRT and to ENISA within 24 hours (early warning) and 72 hours (notification).

Fewer than 18 months remain until all product requirements become fully applicable on 11 December 2027. Companies that start building their processes today will be significantly better positioned than those waiting for harmonised standards.

Am I in scope? Find out now.

The CRA applies to manufacturers, importers, and distributors of hardware and software products with network or device connectivity – regardless of whether the product is offered free of charge or commercially. Many companies underestimate their own scope.

Use the interactive eligibility check to get an initial assessment in minutes: What role do you play (manufacturer, importer, distributor)? Does your product fall under the CRA? And if so, what product class is it likely to fall into?

Start eligibility check →

What Blackfort Technology Does for You

Blackfort Technology supports manufacturers of digital products with structured preparation for the Cyber Resilience Act – from initial scoping to the operational build-out of required processes.

  • CRA scope and eligibility analysis: Clarification of your role, product class, and conformity path based on the regulation and Implementing Regulation (EU) 2025/2392.
  • Reporting processes and PSIRT setup: Operational build or review of your vulnerability handling and incident notification processes for the September 2026 deadline.
  • SBOM gap report: Assessment of your software bill of materials for CRA compliance – formats (CycloneDX ≥ 1.6 / SPDX ≥ 3.0.1), completeness, 10-year retention obligation. Request gap report →
  • Security-by-design and ISMS integration: Embedding CRA requirements into existing development and security processes; support with technical documentation and EU declaration of conformity.
  • DORA and NIS2 cross-references: Coordinated view of regulatory overlaps for companies with multiple compliance exposures.

Full overview of CRA requirements →

SMEs: No Size Exemption, but Clear Priorities

The Cyber Resilience Act does not provide a general exemption for SMEs. Smaller manufacturers of products with digital elements are in scope. There are, however, targeted relief provisions – for example on certain notification and sanction aspects for micro-enterprises.

What matters most for SMEs: what to tackle first. Reporting processes (deadline: September 2026) take priority over SBOM completeness and CE marking (deadline: December 2027). Knowing the priorities avoids unnecessary effort.

See the CRA roadmap for SMEs →

Our Expertise

Blackfort Technology is led by Christian Gebhardt, who contributes to the development of practical security standards as a member of the ACS AI working group and co-author of the ACS/BSI guide on LLM penetration testing. Hands-on implementation experience covers PKI, DORA, NIS2, ISMS, and SBOM and vulnerability management.

Blackfort Technology's consulting focuses on operational feasibility – not abstract compliance theory, but structured processes that actually work within your organisation.

Knowledge: Background and Technical Detail

Frequently asked questions

When does the Cyber Resilience Act apply?
The CRA has been in force since 10 December 2024. The first binding obligations – reporting and notification requirements for vulnerabilities and security incidents – apply from 11 September 2026. Full applicability of all product requirements begins on 11 December 2027.
As a software manufacturer, does the CRA apply to me?
Products of this type are typically in scope of the CRA if they have a direct or indirect logical or physical data connection to a device or network – regardless of whether they are offered free of charge or commercially. Whether your specific product is in scope and in which class it falls depends on its technical characteristics and function. The interactive eligibility check provides an initial orientation.
What do I need to prepare as a manufacturer before September 2026?
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents within 24 hours (early warning) and 72 hours (notification) via the CRA Single Reporting Platform. This requires operational reporting processes, clear internal responsibilities, and ideally a functioning PSIRT or equivalent structure.
Does the CRA also apply to SMEs and small software companies?
Yes. The Cyber Resilience Act does not provide a general exemption for SMEs or small software companies. There are targeted relief provisions for micro-enterprises on certain notification and sanction aspects, but no full scope exemption. Manufacturers of any size placing products with digital elements on the EU market are generally in scope.
What is an SBOM and why is it relevant for the CRA?
An SBOM (Software Bill of Materials) is a machine-readable inventory of all components in a software product. The CRA requires manufacturers to maintain an SBOM as part of their technical documentation and to demonstrably use it in vulnerability handling. Common formats are CycloneDX (from version 1.6) and SPDX (from version 3.0.1), with a retention obligation of typically 10 years.
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.