CRA

【EU Cyber】EU Cyber Resilience Act Article 14 Takes Effect in 2026

/in ,

Mandatory Vulnerability Reporting Is Approaching — Are Manufacturers Ready?

As the European Union moves closer to full enforcement of the Cyber Resilience Act (CRA), manufacturers of digital products should be aware of a critical obligation that will take effect earlier than many expect.

Under Article 14 of the CRA, mandatory vulnerability and cybersecurity incident reporting obligations will enter into force on September 11, 2026, well ahead of the Act’s full applicability in 2027.

From that date onward, manufacturers placing products with digital elements on the EU market will be legally required to detect, assess, and report certain vulnerabilities and actively exploited cybersecurity incidents within strict and enforceable timelines.

What CRA Article 14 Requires

Once a manufacturer becomes aware of either:

  • an actively exploited vulnerability, or
  • a severe cybersecurity incident,

Article 14 triggers a staged reporting obligation:

  • Within 24 hours: submission of an early warning notification
  • Within 72 hours: submission of a formal vulnerability or incident notification
  • Within 14 or 30 days (depending on the case): submission of a final, comprehensive report, including:
    • impact assessment
    • mitigation measures taken or planned
    • follow-up risk control actions

These obligations apply regardless of product certification status or time on the market and are mandatory, not optional.

What Manufacturers Should Do Now

Although the reporting obligation begins in 2026, practical preparation must start well in advance. Manufacturers are strongly advised to:

  • Establish a vulnerability monitoring and intake process
  • Define clear internal criteria for determining reportable vulnerabilities
  • Set up incident response and escalation workflows
  • Prepare technical documentation and reporting templates
  • Identify responsible roles for communication with EU authorities

Without these elements in place, meeting the 24-hour and 72-hour reporting deadlines will be extremely difficult in real-world incident scenarios.

How We Support CRA Article 14 Compliance

To help manufacturers move from regulatory awareness to operational readiness, we provide dedicated CRA Article 14 support services, including:

  • Vulnerability reporting workflow and governance design
  • Incident response and escalation process consulting
  • CRA-aligned reporting documentation and templates
  • Ongoing advisory and notification support services

Our goal is to reduce compliance risk while enabling engineering and product teams to remain focused on development and innovation.

The CRA clock is already ticking.
Manufacturers that prepare early will avoid last-minute disruption and regulatory exposure when Article 14 reporting becomes mandatory in 2026.

For more information on CRA Article 14 readiness and support services, please contact:
📧 Charles.liao@theonelab.co