
【EU Cyber】Mandatory EU CRA Reporting for Digital Products Starts September 11, 2026.

New Reporting Obligations Under the EU Cyber Resilience Act (CRA)

The Cyber Resilience Act is no longer a distant concept—it is a fast-approaching reality. Manufacturers must act now to integrate robust reporting workflows and secure certification to ensure their products remain compliant and competitive in the European market by September 2026.


1. Mandatory Reporting Deadline Set for September 2026

Starting from September 11, 2026, manufacturers of “products with digital elements” will be legally required to report actively exploited vulnerabilities and severe security incidents. This marks a significant shift in the EU’s regulatory landscape, making cybersecurity certification a prerequisite for market access.

2. The “Early Warning” Mechanism: Strict 24/72-Hour Timelines

The CRA introduces a tiered reporting structure to ensure rapid response to cyber threats:

  • Within 24 Hours: An “early warning” must be submitted after becoming aware of an actively exploited vulnerability or a severe incident.
  • Within 72 Hours: A detailed “full notification” must follow the initial warning.
  • Final Report: Must be submitted within 14 days after a corrective measure is available (for vulnerabilities) or within one month (for severe incidents).

3. Launch of the Single Reporting Platform (SRP)

To streamline compliance, ENISA is developing a Single Reporting Platform (SRP).

  • Manufacturers only need to report once through this centralized portal.
  • The notification will be automatically shared with the relevant Computer Security Incident Response Teams (CSIRTs) and ENISA, reducing administrative burdens for companies operating across multiple EU member states.
  • ENISA will launch the CRA Single Reporting Platform (SRP) by September 11, 2026, following a pre-launch testing phase.

4. Focus on “Actively Exploited” Vulnerabilities

The regulation specifically targets vulnerabilities that are being exploited in the wild. By mandating the disclosure of these flaws, the CRA aims to prevent localized security breaches from escalating into EU-wide systemic crises through synchronized information sharing among CSIRTs.



Role of THE ONE

As the deadline approaches, cybersecurity certification companies play a vital role in helping manufacturers bridge the compliance gap:

  • Compliance Audits: Evaluating whether a product’s design and its manufacturer’s vulnerability management processes meet CRA standards.
  • Incident Response Readiness: Assisting firms in establishing the technical capabilities needed to detect and report incidents within the 24/72-hour windows.
  • Technical Documentation: Ensuring that the “Correction Measures” and final reports meet the legal requirements for transparency and safety.

Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting

For further inquiries, please contact:
Email: Charles.liao@theonelab.co
Phone: (02)8601-2828