What changed · 2026-07-03
10 weeks until CRA reporting becomes law: the honest readiness check
On 11 September 2026 the 24-hour reporting clock starts applying to every manufacturer selling software into the EU. What is actually required on day one — and what can safely wait until 2027.
What applies on 11 September 2026 (and only this)
One thing: Art. 14 reporting. If you become aware of an actively exploited vulnerability in your product, or a severe incident affecting its security, you must file an early warning within 24 hours, a notification within 72 hours, and a final report after remediation — via the ENISA Single Reporting Platform.
Everything else — SBOM, CE marking, technical file, Declaration of Conformity — applies from 11 December 2027. If a vendor tells you otherwise, they're selling urgency.
The day-one minimum, honestly
- A way to become aware: dependency vulnerability monitoring wired to a channel someone reads (this is also why an SBOM helps before it's mandatory — you can't monitor what you haven't enumerated).
- A named reporter + backup with a written one-page process.
- SRP registration as soon as your national flow opens.
- A pre-drafted early warning so the 24 hours are spent investigating, not writing.
What this is NOT
You do not need certification, a notified body, a compliance department or a six-figure platform to meet the September deadline. You need a process that four bullet points describe — and the discipline to have set it up before the incident, not during.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.