Dates affecting you
11 December 2025
To help economic operators perform their product classification, the European Commission will adopt technical descriptions of the categories of products with digital elements. (Article 7)
11 September 2026
From this date, you need to carry out your reporting obligations for actively exploited vulnerabilities and severe incidents impacting the security of your products with digital elements. (Recital 126)
11 December 2026
If your product is considered a “high-risk product”, you need a notified body for an external conformity assessment. By this date, the member states shall ensure that a sufficient number of notified bodies is available to carry out conformity assessments. (Recital 10)
11 December 2027
All your products with digital elements are now regulated by the CRA and need to fulfill the essential cybersecurity requirements and declare conformity. (Article 71)
Products placed on the market before 11 December 2027 are only required to report incidents, handle vulnerabilities and provide security updates (Article 14). They don’t need to meet the CRA’s broader security design and compliance rules unless new features or other modifications that change the risk assessment are made to the product after that date (Article 69).
Dates when regulators will update
With the CRA enacted and an adoption period extending until 11 December 2027, regulation and standardization groups are still in the process of establishing a solid foundation for building products based on industry standards.
On 17 April 2024, the EU Commission published a draft standardization request for European Standards Organizations to support Union policy on cybersecurity requirements for products with digital elements. In response, CENELEC and ENISA are working on the adoption of supporting standards for the 41 standardization requests issued by the EU.
According to CENELEC, the first drafts of supporting standards are expected by the end of 2025, with final adoption of standardization requests in August 2026.
Meanwhile, by 11 December 2025, the EU Commission will adopt a technical description of product categories to help manufacturers assess where their products fit (Article 7.4).
Also, by 11 December 2025, the EU Commission will define the terms and conditions for Computer Security Incident Response Teams (CSIRTs), which each EU member state must establish to manage cybersecurity incident notifications (Article 14.9).
If you are a manufacturer, you will be required to notify your designated CSIRT of any exploited vulnerabilities or information security incidents involving your product.