Regulation Daily Brief

EU Cyber Resilience Act: June 11 Milestone Opens 90-Day Sprint to Mandatory Vulnerability Reporting

Today marks the entry into application of the EU Cyber Resilience Act's conformity assessment body notification framework, the starting gun for the 90-day window before September 11, when mandatory vulnerability and incident reporting obligations activate. Teams that haven't started the CRA readiness process are starting late.
CRA vulnerability reporting deadline, 92 days

Key Takeaways

  • June 11, 2026 activates the CRA's CAB notification framework: EU member states can now formally begin accrediting third-party cybersecurity auditors (18-month mark from December 10, 2024 entry into force).
  • September 11, 2026 is the next hard deadline: mandatory vulnerability and incident reporting to ENISA activates for all manufacturers and software publishers whose products with digital elements are on the EU market (21-month mark).
  • December 11, 2027 is full compliance: CE marking, SBOM requirements, and design-phase security obligations (36-month mark).
  • Teams relying on the December 2027 date as their "CRA deadline" are already behind on the September reporting obligation, which activates independently.

Timeline

2024-11-20 CRA published in EU Official Journal
2024-12-10 CRA enters into force (Day 0 for all phase-in calculations)
2026-06-11 TODAY, CAB notification framework enters into application (18 months)
2026-09-11 Mandatory vulnerability and incident reporting to ENISA activates (21 months)
2027-12-11 Full compliance: CE marking, SBOM, design-phase requirements (36 months)

Compliance Deadline

September 11, 2026
90 days remaining
Entity: EU, ENISA
Jurisdiction: EU
Penalty: CRA enforcement authority per designated national market surveillance authorities

Three deadlines. One regulation. The clock started today.

The EU Cyber Resilience Act (CRA), published in the Official Journal on November 20, 2024
and in force since December 10, 2024, is running a phased application schedule derived
directly from its published Article 69 timeline. June 11, 2026, today, is the 18-month
mark: EU member states may now formally designate notifying authorities to begin accrediting
Conformity Assessment Bodies (CABs) for third-party cybersecurity audits. That’s the
institutional machinery activating. The compliance deadlines that directly affect
manufacturers and software publishers are what follow from it.

September 11 is the one to calendar now.

That’s when the CRA’s mandatory vulnerability and incident reporting obligations activate –
21 months from the regulation’s December 10, 2024 entry into force. Any manufacturer or
software publisher with products on the EU market that contain digital elements will be
required to report actively exploited vulnerabilities and significant incidents to ENISA.
The CRA establishes tiered rapid reporting requirements for actively exploited
vulnerabilities; legal analysts have cited a 24-hour early-warning requirement to ENISA as
part of the tiered structure, though teams should verify the specific hour-count thresholds
against Article 14 of the regulation’s official text before building that figure into
compliance programs.

Who This Affects

  • Manufacturers of connected products (EU market): Begin building vulnerability reporting infrastructure now. September 11 is 92 days from today, and the CAB accreditation process starting today is the infrastructure your September compliance depends on.
  • Software publishers with EU digital-element products: Audit whether your products fall within CRA scope. Legacy product inclusion is a live interpretation question; engage counsel on continued-activity and modification thresholds.
  • Conformity Assessment Bodies: Member states may now submit CAB notifications; begin accreditation preparation immediately if not already in process.

December 11, 2027 is the full compliance deadline: CE marking, Software Bill of Materials
(SBOM), and design-phase security requirements. That’s 36 months from entry into force.

Why it matters. The CRA covers connected hardware and software products with digital
elements. That’s a wide scope. It isn’t limited to obvious cybersecurity products; it
reaches connected consumer devices, enterprise software, and industrial systems. Legal
analysts, including those at Hogan Lovells, interpret the CRA’s coverage as extending to
legacy products already on the market, subject to conditions including continued activity
or modification, though teams should verify this interpretation with their own counsel,
since the source for this reading is dead and the official text governs.

Today’s milestone is the institutional step. Don’t mistake it for the compliance deadline. Its significance is what it starts: the 90-day window before September 11 is now open.

Context. The CRA has been underrepresented in compliance calendars relative to the EU
AI Act, partly because its headline deadline is still 18 months out. But the vulnerability
reporting obligation that activates in September operates independently of the December
2027 full compliance date. Organizations that treat December 2027 as the “CRA deadline”
and haven’t built the September reporting infrastructure are going to find themselves
non-compliant on a legally active obligation three months from now.

Unanswered Questions

  • Does the CRA's legacy product inclusion interpretation (Hogan Lovells reading) hold for your specific product category? Verify against Article 69 and your counsel's assessment.
  • What is the specific hour-count threshold for the early-warning reporting stage under Article 14 for actively exploited vulnerabilities? Confirm against the official text before operationalizing.
  • How many EU member states will complete CAB accreditation before September 11, and what does an enforcement gap between legal obligation and enforcement infrastructure mean for your compliance posture?

What to watch. The real question is whether EU member states will complete CAB
accreditation in time for the September reporting framework to have functioning oversight
infrastructure. If member states lag on notifying authority designation, the enforcement
apparatus won’t be fully operational by September 11, but the legal obligations will be. That gap doesn’t reduce compliance risk; it only reduces the immediate enforcement
probability.

Don’t expect the September deadline to move. It’s structural, not discretionary: it’s
derived directly from the regulation’s own phased application schedule, not from Commission
guidance that can be revised.

The organizations that treat today as a starting gun will be ready in September. The ones
that treat it as a calendar note probably won’t be.
