CRA: Software compliance on the rise, first steps toward 2027
Why the CRA starts earlier than expected
Many organizations associate the Cyber Resilience Act (CRA) mainly with new products placed on the market from 2027 onward. However, this overlooks an important fact: the first CRA obligations already apply from September 2026.
Mandatory reporting from September 2026
From September 2026, Article 14 of the CRA requires manufacturers to report cybersecurity incidents and actively exploited vulnerabilities. These obligations apply not only to new products, but also to existing products with digital elements, including:
- embedded software
- mobile applications
- server-side software essential for a product’s functionality
Clear timelines, strict expectations
Once a manufacturer reaches reasonable certainty that a serious issue exists, reporting timelines apply:
- Early warning within 24 hours
- Follow-up reporting within 72 hours
The focus is not on perfect software, but on preparedness and control.
Preparation is essential
Although the 2026 obligations are event-driven, practical preparation is key. Knowing where and how to report, understanding where your products are on the market, and having clear internal decision flows are crucial to acting calmly and compliantly when a signal arises.
Looking toward full CRA compliance
The steps taken for 2026 are not temporary. They form the foundation for full CRA compliance from December 2027 onward, when vulnerability handling becomes a permanent, regulated product process.