The September 2026 CRA Deadline: What Manufacturers Must Do Right Now
Time-sensitive
This article focuses on the 11 September 2026 vulnerability reporting deadline — the first hard enforcement milestone under the Cyber Resilience Act. As of June 2026, you have approximately 100 days to prepare.
Most companies treating the CRA as a 2027 problem are already behind. According to the 2026 CRA Awareness and Readiness Report from OpenSSF and Linux Foundation Research, 66% of software producers surveyed remain unfamiliar with the regulation — and that figure has risen year-over-year. The first enforcement date is not December 2027. It is 11 September 2026, when Article 14 vulnerability reporting obligations become legally binding. From that date, if a vulnerability in your product is being actively exploited, you are required to file an early warning through the ENISA Single Reporting Platform within 24 hours of becoming aware of it. Miss that window, and you are already non-compliant — with penalty exposure of up to €15 million or 2.5% of global annual turnover, whichever is higher.
What Exactly Must You Start Doing in September 2026?
The reporting obligation is triggered by two conditions, either of which requires action:
- An actively exploited vulnerability in any of your in-scope products, regardless of severity
- A severe incident affecting the security of your products — for example, a significant breach or systemic compromise
Once either condition is met, a three-stage reporting cascade begins:

Stage 1 — Early Warning: Within 24 Hours
Submit an early warning through the ENISA Single Reporting Platform confirming your awareness of an actively exploited vulnerability. You are not required to provide full technical details at this stage. The purpose is to flag that you are aware and managing the situation. The SRP will automatically route the report to your national CSIRT coordinator and to ENISA simultaneously.
Stage 2 — Full Notification: Within 72 Hours
Submit a full notification including technical details of the vulnerability, an initial severity assessment (using CVSS or equivalent), affected products and versions, and any available mitigations or workarounds. This report must be accurate and complete — rushed or inaccurate reports can trigger Tier 3 penalties for providing incorrect information.
Stage 3 — Final Report: Within 14 Days of Issuing a Fix
Once you have issued a security update or workaround, submit a final report to ENISA within 14 days, or one month in the case of a severe incident. This closes the reporting loop and must include a comprehensive vulnerability description, root cause analysis, impact assessment, and a full account of the remediation steps taken.
One Detail Most Teams Miss: It Applies to Existing Products Too
The September 2026 reporting obligations do not apply only to products launched after that date. Under CRA Article 69(3), they apply to all products with digital elements already placed on the EU market, including products shipped years before the CRA existed. If a vulnerability in a product you released in 2021 is being actively exploited in September 2026, you are required to report it. This catches many teams off guard: your scope for this obligation is your entire active product catalogue, not just your next release.
A second detail worth locking in: the 24-hour clock starts at reasonable belief of active exploitation, not confirmed forensic evidence. If your monitoring flags credible signals of exploitation, you cannot wait for certainty before submitting the early warning. Waiting for confirmation is how organisations will miss the window.
Why This Is Harder Than It Sounds
Most organisations do not have a tested, 24-hour vulnerability notification process. Building one requires:
Your September 2026 Readiness Checklist
- Identify all in-scope products and confirm their support periods, including legacy products already on the EU market
- Implement or verify continuous vulnerability scanning across all in-scope products and their components
- Document your internal escalation process for suspected actively-exploited vulnerabilities
- Identify who is responsible for submitting ENISA reports (legal, security, or a designated DPO-equivalent)
- Register with your national CSIRT and prepare for registration on the ENISA Single Reporting Platform (SRP)
- Conduct a tabletop exercise simulating a 24-hour reporting scenario
- Brief executive leadership on reporting obligations and liability exposure
- Ensure your vulnerability management tooling can produce audit-ready reports in the required format
The Other Deadlines in the Frame
September 2026 is the most urgent date, but it is not the only one. By 30 August 2026, harmonised standards covering vulnerability handling (Type A/horizontal) and product security (Type B) are expected to be published — giving manufacturers their first authoritative compliance benchmarks. Full product conformity for all categories does not apply until 11 December 2027, but organisations that wait for the standards before starting work will have very little implementation runway.
This means that with less than 100 days until the reporting deadline and the harmonised standards landing just two weeks before it, the summer of 2026 is a period of compressed, parallel compliance activity. Starting this journey now is not early. It is the last moment to avoid being caught without a tested process when the clock starts.
Sources
- Regulation (EU) 2024/2847 — Cyber Resilience Act (EUR-Lex, official legislative text)
https://eur-lex.europa.eu/eli/reg/2024/2847/2024-11-20
- 2026 CRA Awareness and Readiness Report — OpenSSF / Linux Foundation Research
https://openssf.org/blog/2026/05/18/taking-stock-of-the-state-of-european-cyber-resilience-act-cra-compliance-an-urgent-wake-up-call-for-the-open-source-ecosystem/
- Cyber Resilience Act — Summary of the legislative text (European Commission)
https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- Cyber Resilience Act — ENISA (Single Reporting Platform)
https://www.enisa.europa.eu/topics/cyber-resilience-act



