The Clock Is Ticking
The CRA has a staggered enforcement timeline. Understanding these deadlines is critical for planning your compliance roadmap.
Key Dates
September 2026 โ Reporting Obligations Begin
- Must report actively exploited vulnerabilities to ENISA within 24 hours
- Must report severe incidents within 72 hours
- Requires established vulnerability handling processes
December 2027 โ Full Enforcement
- All CRA requirements become mandatory
- Products must meet essential cybersecurity requirements
- CE marking required for market access
- SBOM documentation mandatory
- Security update obligations active
Your Compliance Roadmap
Now โ June 2026 (Preparation Phase)
Month 1-2: Product Classification
โโโ Identify all products with digital elements
โโโ Classify: Default, Important Class I/II, Critical
โโโ Document product boundaries and digital interfaces
Month 3-4: Gap Analysis
โโโ Assess current security practices against CRA requirements
โโโ Identify missing processes (SBOM, vulnerability handling, etc.)
โโโ Estimate remediation effort and budget
Month 5-8: Implementation
โโโ Implement SBOM generation in CI/CD pipelines
โโโ Establish coordinated vulnerability disclosure
โโโ Set up incident reporting procedures
โโโ Security-by-design training for development teams
Month 9-12: Testing & Documentation
โโโ Internal conformity assessment (default products)
โโโ Prepare technical documentation
โโโ Conduct security testing and penetration testing
โโโ Engage third-party assessors if requiredJune 2026 โ September 2026 (Reporting Readiness)
Focus: Ensure vulnerability reporting infrastructure is operational.
# Incident reporting SLA tracker
class CRAReportingTracker:
DEADLINES = {
"actively_exploited_vulnerability": timedelta(hours=24),
"severe_incident": timedelta(hours=72),
"vulnerability_assessment": timedelta(days=14),
"final_report": timedelta(days=30),
}
async def report_vulnerability(self, vuln):
# Early warning to ENISA
await self.submit_to_enisa(
type="early_warning",
vulnerability=vuln,
deadline=self.DEADLINES["actively_exploited_vulnerability"],
)
# Schedule follow-up reports
await self.schedule_followup(vuln)September 2026 โ December 2027 (Progressive Compliance)
Progressively implement remaining requirements:
- Security testing automation
- Product lifecycle security management
- CE marking preparation
- Third-party assessment (if Class II or Critical)
Cost of Non-Compliance
| Violation | Maximum Fine |
|---|---|
| Essential requirements violation | โฌ15M or 2.5% global turnover |
| Other CRA obligations | โฌ10M or 2% global turnover |
| Incorrect/incomplete information | โฌ5M or 1% global turnover |
Industry Impact
Based on assessments Iโve conducted:
- Average compliance cost: โฌ200K-2M per product line (depending on classification)
- Timeline to achieve compliance: 12-18 months for most organizations
- Biggest gap: SBOM generation and vulnerability handling processes
Start now. September 2026 is closer than you think.
Need a CRA compliance roadmap for your organization? I help teams plan and execute cybersecurity regulation compliance. Get in touch.