CRA

【EU Cyber】The EU Cyber Resilience Act’s New Enforcement Phase.

The ONE reminds all manufacturers and brands exporting to the EU market:

Do not focus solely on pre-market CRA compliance; more importantly, do not overlook the risks of post-market surveillance and random inspections.

The EU has recently completed a significant step in the CRA market surveillance cooperation mechanism, indicating that the Cyber Resilience Act (CRA) is progressing from a legal text toward practical enforcement and international coordination.

According to the latest official EU update, the CRA Administrative Cooperation Group (AdCo) has held its first meeting and elected its Chair and Vice-Chairs.
The EU clearly stated that this is a vital development in preparing for CRA enforcement.
The CRA adopts a post-market surveillance model, meaning that once a product enters the EU market, competent authorities can monitor the market, demand improvements, or even take restrictive measures.

For enterprises, this means the challenge is no longer just about “whether a product can be launched,” but rather whether you have established robust vulnerability management mechanisms, incident response processes, technical documentation maintenance, support period management, and the capability to handle post-market inspections.


The CRA’s requirements for reporting vulnerabilities and significant incidents will apply from September 11, 2026.
Enterprises will be required to submit an “early warning” within 24 hours of becoming aware of an issue, followed by a formal notification within 72 hours.

The ONE offers CRA consultancy services to help clients prepare in advance, from scope assessment and gap analysis to technical documentation planning, vulnerability handling processes, incident reporting workflows, and post-market surveillance readiness.

We believe that the earlier you deploy, the better you can mitigate the risks of inspections, requests for supplementary documentation, or even impacts on your sales performance in the EU market.

If your company is preparing for CRA implementation, you are welcome to contact The ONE.
We can assist you in systematically meeting the latest CRA requirements, ensuring you are fully prepared for both product launch and post-market management.


Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-eu-market-surveillance-group-elects-new-chair-and-vice-chair


For further inquiries, please contact:
Email: Charles.liao@theonelab.co
Phone: (02)8601-2828


【EU Cyber】EU Cyber Resilience Act Article 14 Takes Effect in 2026

Mandatory Vulnerability Reporting Is Approaching — Are Manufacturers Ready?

As the European Union moves closer to full enforcement of the Cyber Resilience Act (CRA), manufacturers of digital products should be aware of a critical obligation that will take effect earlier than many expect.

Under Article 14 of the CRA, mandatory vulnerability and cybersecurity incident reporting obligations will enter into force on September 11, 2026, well ahead of the Act’s full applicability in 2027.

From that date onward, manufacturers placing products with digital elements on the EU market will be legally required to detect, assess, and report certain vulnerabilities and actively exploited cybersecurity incidents within strict and enforceable timelines.


What CRA Article 14 Requires

Once a manufacturer becomes aware of either:

  • an actively exploited vulnerability, or
  • a severe cybersecurity incident,

Article 14 triggers a staged reporting obligation:

  • Within 24 hours: submission of an early warning notification
  • Within 72 hours: submission of a formal vulnerability or incident notification
  • Within 14 or 30 days (depending on the case): submission of a final, comprehensive report, including:
    • impact assessment
    • mitigation measures taken or planned
    • follow-up risk control actions

These obligations apply regardless of product certification status or time on the market and are mandatory, not optional.


What Manufacturers Should Do Now

Although the reporting obligation begins in 2026, practical preparation must start well in advance. Manufacturers are strongly advised to:

  • Establish a vulnerability monitoring and intake process
  • Define clear internal criteria for determining reportable vulnerabilities
  • Set up incident response and escalation workflows
  • Prepare technical documentation and reporting templates
  • Identify responsible roles for communication with EU authorities

Without these elements in place, meeting the 24-hour and 72-hour reporting deadlines will be extremely difficult in real-world incident scenarios.


How We Support CRA Article 14 Compliance

To help manufacturers move from regulatory awareness to operational readiness, we provide dedicated CRA Article 14 support services, including:

  • Vulnerability reporting workflow and governance design
  • Incident response and escalation process consulting
  • CRA-aligned reporting documentation and templates
  • Ongoing advisory and notification support services

Our goal is to reduce compliance risk while enabling engineering and product teams to remain focused on development and innovation.


The CRA clock is already ticking.
Manufacturers that prepare early will avoid last-minute disruption and regulatory exposure when Article 14 reporting becomes mandatory in 2026.

For more information on CRA Article 14 readiness and support services, please contact:
📧 Charles.liao@theonelab.co