
Last updated: 2026-07-18
The Cyber Resilience Act (Regulation (EU) 2024/2847) does not take effect on a single cut-off date. Instead it phases in its obligations in a staggered way over several years – and that is precisely where the most common mistake happens. Confusing the date of entry into force with the date of application leads either to premature panic or to dangerous procrastination. This article places every deadline between 2024 and 2027 in context, explains what actually applies on each date, and shows what manufacturers should prepare by when.
The crucial distinction first: Entry into force (10 December 2024) is not the same as application. Entry into force alone does not make any manufacturer obligation enforceable. Never cite 2024 or 2025 as a „compliance date“ – the substantive obligations only bite in 2026 and 2027 (Art. 71(2)).
The four decisive dates
The CRA was adopted on 23 October 2024 and published in the Official Journal of the EU on 20 November 2024. Twenty days later – on 10 December 2024 – it entered into force under Art. 71(1). The regulation legally exists from that point, but the obligations for economic operators only become effective at three later moments.
10 December 2024 – entry into force (Art. 71(1))
The starting point of the transition periods. The regulation is valid EU law, but no manufacturer obligation is yet enforceable. Fines, CE-marking duties or reporting obligations cannot be asserted on this date. It is a date for planning – not for implementation.
11 June 2026 – Chapter IV: notified bodies (Art. 35–51)
The rules for conformity-assessment bodies apply first. From this day, bodies can be designated as „notified bodies“ so that they stand ready when manufacturers later need third-party assessment (relevant above all for the „important – Class II“ product category and critical products). For most manufacturers this is not an immediate duty to act, but a signal that the assessment market is spinning up.
11 September 2026 – reporting obligations (Art. 14)
From this day, manufacturers must report actively exploited vulnerabilities and severe incidents – via the Single Reporting Platform to the coordinating CSIRT and ENISA. A three-stage cascade applies: early warning within 24 hours, notification within 72 hours, and a final report (for vulnerabilities ≤ 14 days after a fix is available; for severe incidents within one month). Importantly: this duty also covers products already on the market. More detail in our article on the CRA reporting obligation from September 2026.
11 December 2027 – general application
The real headline deadline. From here the essential requirements of Annex I, the duty to carry out conformity assessment, the EU Declaration of Conformity and the CE marking apply. Without conforming implementation, products with digital elements may generally no longer be made available on the EU market after this date.
Timeline at a glance
| Date | Event | What applies / what to do |
|---|---|---|
| 23 Oct 2024 | Regulation adopted | Text final – no obligations yet |
| 20 Nov 2024 | Published in the Official Journal | Starts the 20-day clock |
| 10 Dec 2024 | Entry into force (Art. 71(1)) | Transition periods running – no enforceable obligation |
| 11 Jun 2026 | Chapter IV (notified bodies) | Conformity-assessment bodies can be designated |
| 11 Sep 2026 | Reporting obligations (Art. 14) | 24h/72h/14-day cascade – also for existing products |
| 11 Dec 2027 | General application | Annex I, conformity assessment, CE marking |
Neighbouring deadlines for context
The CRA does not stand alone. Three neighbouring legal acts help you plan the timeline realistically:
- RED Delegated Regulation (EU) 2022/30: Activates the cybersecurity requirements of the Radio Equipment Directive from 1 August 2025 and is repealed on 11 December 2027 when the CRA applies. That creates an interim window from 1 Aug 2025 to 11 Dec 2027. If you build radio products, develop to CRA standard right away to avoid rework.
- Machinery Regulation (EU) 2023/1230: Applies from 20 January 2027. Machinery makers with connected products comply with both frameworks; a Cybersecurity Act certificate can give a presumption of conformity for the Machinery Regulation's cybersecurity requirements.
- NIS2 (Directive (EU) 2022/2555): For standalone SaaS / pure cloud offerings that are not integral remote data processing of a product, NIS2 generally applies rather than the CRA.
Recommended preparation roadmap
The following sequence is general organisational and technical guidance – not legal advice. It follows the staggered timeline:
- Now to mid-2025 – scope & classification. Determine whether your products are „products with digital elements“ and which class they fall into (default, important Class I/II, critical). The applicability check is the sensible starting point.
- 2025 to mid-2026 – build processes. Establish vulnerability handling, a coordinated vulnerability disclosure (CVD) policy, secure update distribution and an SBOM in a machine-readable format. Define the support period (at least 5 years or the expected use time).
- By 11 September 2026 – reporting readiness. Set up reporting channels for the Single Reporting Platform and rehearse the 24h/72h/14-day cascade – including for products already shipped.
- 2026 to 2027 – achieve conformity. Produce the technical documentation (Annex VII), carry out the appropriate conformity assessment, secure capacity at a notified body early where needed (Class II/critical), and prepare the EU Declaration of Conformity and CE marking.
- By 11 December 2027 – general application. From this day, newly made-available products must be conforming and carry the CE marking.
The most common trap: entry into force ≠ application. There are three years between 10 Dec 2024 and 11 Dec 2027 – but building vulnerability handling, documentation and conformity assessment takes that time. Starting only in 2027 is too late. For a compact overview of the whole act, see our CRA overview.
Frequently asked questions
When did the CRA enter into force?+
What is the most important CRA deadline?+
When do the CRA reporting obligations start?+
Why should 2024 or 2025 not be cited as the compliance date?+
How do the CRA, the RED Delegated Regulation and the Machinery Regulation line up in time?+
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).