CRA

【EU CRA】 Reporting Guide: Mandatory 24-Hour Notification Starts September 11, 2026


As the European Union moves toward the full implementation of the Cyber Resilience Act (CRA), the European Commission has clarified the mandatory reporting obligations for products with digital elements. Starting September 11, 2026, manufacturers must comply with rigorous timelines for reporting actively exploited vulnerabilities and severe security incidents.

1. The “24-Hour” Compliance Challenge

Under the CRA, the window for reporting is exceptionally narrow. Manufacturers must implement a multi-stage notification process:

  • Early Warning (24 Hours): Within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, an initial alert must be submitted.
  • Full Notification (72 Hours): A detailed analysis of the incident/vulnerability must follow the early warning.
  • Final Report: For vulnerabilities, a report is due 14 days after a corrective measure (patch) is available; for severe incidents, the deadline is one month.

2. Centralized Compliance via the Single Reporting Platform (SRP)

To streamline the process, ENISA is developing the CRA Single Reporting Platform (SRP).

  • One-Stop Reporting: Manufacturers will report only once through the SRP. The notification is automatically routed to the relevant Computer Security Incident Response Team (CSIRT) and ENISA simultaneously.
  • Operational Timeline: The platform will be fully operational by September 11, 2026. A testing phase will precede the launch, allowing manufacturers to dry-run their reporting pipelines.

3. Critical Implications for Product Certification

From a certification perspective, “Compliance” now extends beyond the physical product to the manufacturer’s operational lifecycle:

  • Vulnerability Management Audits: During the conformity assessment process, manufacturers must demonstrate they have the internal infrastructure to detect and report incidents within the 24-hour threshold.
  • SBOM and Supply Chain Transparency: Rapid reporting is impossible without a comprehensive Software Bill of Materials (SBOM). Certification will increasingly depend on a manufacturer’s ability to map their software supply chain accurately.
  • Cross-Border Information Sharing: While information is generally shared across EU member states immediately, a delegated act adopted in December 2025 allows CSIRTs to delay dissemination under specific cybersecurity grounds to prevent further exploitation.

If you have any questions, please feel free to contact us
Email: Charles.liao@theonelab.co
Phone: (02)8601-2828


【EU CRA】The EU Cyber Resilience Act Reporting Mechanism Takes Effect on September 11, 2026

As the EU Cyber Resilience Act (CRA) advances, the European Commission has recently clarified the mandatory vulnerability reporting rules for regulated products (products with digital elements). From September 11, 2026, all manufacturers of digital products sold on the EU market will face extremely strict obligations to report cybersecurity vulnerabilities and incidents.

1. The Stringent “24-Hour” Reporting Deadline

When a manufacturer discovers an “actively exploited vulnerability” or a “severe security incident,” the CRA requires it to fulfil a tiered reporting obligation:

  • Within 24 hours: submit an “Early Warning.”
  • Within 72 hours: submit a “Full Notification.”
  • Final report: for vulnerabilities, due within 14 days after a corrective measure has been taken; for incidents, the report is due within 1 month.

2. The Single Reporting Platform (SRP) Is Finalized

To simplify the process, the European Union Agency for Cybersecurity (ENISA) is developing the “CRA Single Reporting Platform (SRP).”

  • Manufacturers need only report once through the platform; the information is automatically distributed to the Computer Security Incident Response Team (CSIRT) of the Member State where the company has its main establishment, and to ENISA.
  • The platform is expected to go live by September 11, 2026, with a testing phase beforehand. This means companies must connect their internal vulnerability monitoring and reporting systems to this external platform within the next 18 months.

3. Impact on the Certification System and Manufacturers

As a certification service provider, we observe that the CRA is not only about “post-incident reporting” but places even greater emphasis on “up-front compliance”:

  1. Vulnerability monitoring capability: a company that cannot demonstrate the ability to detect and respond within 24 hours will find it difficult to pass the product’s security Conformity Assessment.
  2. Supply chain transparency: manufacturers must have complete knowledge of the software components used in their products (SBOM) in order to determine quickly, when a vulnerability arises, whether it falls within the reporting scope.
  3. Regional distribution restrictions: in special circumstances, where disseminating the information could threaten cybersecurity, CSIRTs have the authority to delay distributing the notification to other Member States (under the delegated act adopted in December 2025).



【EU Cyber】Mandatory EU CRA Reporting for Digital Products Starts September 11, 2026.

New Reporting Obligations Under the EU Cyber Resilience Act (CRA)

The Cyber Resilience Act is no longer a distant concept—it is a fast-approaching reality. Manufacturers must act now to integrate robust reporting workflows and secure certification to ensure their products remain compliant and competitive in the European market by September 2026.


1. Mandatory Reporting Deadline Set for September 2026

Starting from September 11, 2026, manufacturers of “products with digital elements” will be legally required to report actively exploited vulnerabilities and severe security incidents. This marks a significant shift in the EU’s regulatory landscape, making cybersecurity certification a prerequisite for market access.

2. The “Early Warning” Mechanism: Strict 24/72-Hour Timelines

The CRA introduces a tiered reporting structure to ensure rapid response to cyber threats:

  • Within 24 Hours: An “early warning” must be submitted after becoming aware of an actively exploited vulnerability or a severe incident.
  • Within 72 Hours: A detailed “full notification” must follow the initial warning.
  • Final Report: Must be submitted within 14 days after a corrective measure is available (for vulnerabilities) or within one month (for severe incidents).

3. Launch of the Single Reporting Platform (SRP)

To streamline compliance, ENISA is developing a Single Reporting Platform (SRP).

  • Manufacturers only need to report once through this centralized portal.
  • The notification will be automatically shared with the relevant Computer Security Incident Response Teams (CSIRTs) and ENISA, reducing administrative burdens for companies operating across multiple EU member states.
  • ENISA will launch the CRA Single Reporting Platform (SRP) by September 11, 2026, following a pre-launch testing phase.

4. Focus on “Actively Exploited” Vulnerabilities

The regulation specifically targets vulnerabilities that are being exploited in the wild. By mandating the disclosure of these flaws, the CRA aims to prevent localized security breaches from escalating into EU-wide systemic crises through synchronized information sharing among CSIRTs.



Role of THE ONE

As the deadline approaches, cybersecurity certification companies play a vital role in helping manufacturers bridge the compliance gap:

  • Compliance Audits: Evaluating whether a product’s design and its manufacturer’s vulnerability management processes meet CRA standards.
  • Incident Response Readiness: Assisting firms in establishing the technical capabilities needed to detect and report incidents within the 24/72-hour windows.
  • Technical Documentation: Ensuring that the “Correction Measures” and final reports meet the legal requirements for transparency and safety.

Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting



【EU Cyber】The EU Cyber Resilience Act’s New Enforcement Phase.

The ONE reminds all manufacturers and brands exporting to the EU market:

Do not focus solely on pre-market CRA compliance; more importantly, do not overlook the risks of post-market surveillance and random inspections.

The EU has recently completed a significant step in the CRA market surveillance cooperation mechanism, indicating that the Cyber Resilience Act (CRA) is progressing from a legal text toward practical enforcement and international coordination.

According to the latest official EU update, the CRA Administrative Cooperation Group (AdCo) has held its first meeting and elected its Chair and Vice-Chairs.
The EU clearly stated that this is a vital development in preparing for CRA enforcement.
The CRA adopts a post-market surveillance model, meaning that once a product enters the EU market, competent authorities can monitor the market, demand improvements, or even take restrictive measures.

For enterprises, this means the challenge is no longer just “whether a product can be launched,” but whether you have established robust vulnerability management mechanisms, incident response processes, technical documentation maintenance, support period management, and the capability to handle post-market inspections.


The CRA’s requirements for reporting vulnerabilities and significant incidents will apply from September 11, 2026.
Enterprises will be required to submit an “early warning” within 24 hours of becoming aware of an issue, followed by a formal notification within 72 hours.

The ONE offers CRA consultancy services to help clients prepare in advance:
— From scope assessment and gap analysis,
— To technical documentation planning, vulnerability handling processes, incident reporting workflows, and post-market surveillance readiness.

We believe that the earlier you deploy, the better you can mitigate the risks of inspections, requests for supplementary documentation, or even impacts on your sales performance in the EU market.

If your company is preparing for CRA implementation, you are welcome to contact The ONE.
We can assist you in systematically meeting the latest CRA requirements, ensuring you are fully prepared for both product launch and post-market management.


Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-eu-market-surveillance-group-elects-new-chair-and-vice-chair




【EU Cyber】EU Cyber Resilience Act Article 14 Takes Effect in 2026

Mandatory Vulnerability Reporting Is Approaching — Are Manufacturers Ready?

As the European Union moves closer to full enforcement of the Cyber Resilience Act (CRA), manufacturers of digital products should be aware of a critical obligation that will take effect earlier than many expect.

Under Article 14 of the CRA, mandatory vulnerability and cybersecurity incident reporting obligations will enter into force on September 11, 2026, well ahead of the Act’s full applicability in 2027.

From that date onward, manufacturers placing products with digital elements on the EU market will be legally required to detect, assess, and report certain vulnerabilities and actively exploited cybersecurity incidents within strict and enforceable timelines.


What CRA Article 14 Requires

Once a manufacturer becomes aware of either:

  • an actively exploited vulnerability, or
  • a severe cybersecurity incident,

Article 14 triggers a staged reporting obligation:

  • Within 24 hours: submission of an early warning notification
  • Within 72 hours: submission of a formal vulnerability or incident notification
  • Within 14 or 30 days (depending on the case): submission of a final, comprehensive report, including:
    • impact assessment
    • mitigation measures taken or planned
    • follow-up risk control actions

These obligations apply regardless of product certification status or time on the market and are mandatory, not optional.


What Manufacturers Should Do Now

Although the reporting obligation begins in 2026, practical preparation must start well in advance. Manufacturers are strongly advised to:

  • Establish a vulnerability monitoring and intake process
  • Define clear internal criteria for determining reportable vulnerabilities
  • Set up incident response and escalation workflows
  • Prepare technical documentation and reporting templates
  • Identify responsible roles for communication with EU authorities

Without these elements in place, meeting the 24-hour and 72-hour reporting deadlines will be extremely difficult in real-world incident scenarios.


How We Support CRA Article 14 Compliance

To help manufacturers move from regulatory awareness to operational readiness, we provide dedicated CRA Article 14 support services, including:

  • Vulnerability reporting workflow and governance design
  • Incident response and escalation process consulting
  • CRA-aligned reporting documentation and templates
  • Ongoing advisory and notification support services

Our goal is to reduce compliance risk while enabling engineering and product teams to remain focused on development and innovation.


The CRA clock is already ticking.
Manufacturers that prepare early will avoid last-minute disruption and regulatory exposure when Article 14 reporting becomes mandatory in 2026.

For more information on CRA Article 14 readiness and support services, please contact:
📧 Charles.liao@theonelab.co