The Cyber Resilience Act becomes concrete: From September 2026, manufacturers must report actively exploited vulnerabilities and serious security incidents within hours.
The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. Many companies have so far viewed the regulation as an abstract requirement. That changes now: On September 11, 2026, the first operational obligation takes effect. Manufacturers of products with digital elements, which includes nearly every IoT device, must then report actively exploited vulnerabilities and serious security incidents to the competent authorities. The deadlines are tight: an early warning within 24 hours, a complete notification within 72 hours, and a final report within 14 days at the latest.
Our position is clear: Companies that do not start building the necessary processes now risk losing market access for their products from September 2026. The reporting obligation is the first operational test for CRA compliance. It applies not only to new devices but to the entire product portfolio already on the market.
The reporting obligation requires manufacturers to provide a structured response to actively exploited vulnerabilities and serious security incidents, with defined deadlines and reporting channels.
The CRA distinguishes two reporting triggers: actively exploited vulnerabilities and serious security incidents. A vulnerability is considered actively exploited if an attacker is already using it in a system. A serious security incident occurs when the incident significantly affects the security of the product or its users. The report is submitted to the national CSIRT (Computer Security Incident Response Team) of the member state where the manufacturer is established, as well as to the EU agency ENISA.
The reporting deadlines are staggered: An early warning must be submitted within 24 hours of becoming aware of the incident. It contains initial information about the incident and the measures taken. A complete notification follows within 72 hours. It includes a detailed description of the vulnerability or incident, the affected products, and the impact. A final report must be submitted within 14 days at the latest. It documents the root cause analysis and the remedial measures taken.
We consider these deadlines ambitious but necessary. They force manufacturers to professionalize their incident response processes. A manual process based on emails and phone calls will not meet these requirements. Automated detection and reporting systems that can deliver a qualified assessment within a few hours are essential.
The reporting obligation applies not only to new products but to the entire product portfolio already on the market.
A widespread misconception is that the CRA only applies to products developed after the deadline. The opposite is true: The reporting obligation from September 2026 applies to all products with digital elements that are on the market at the time of the incident. This includes devices developed and shipped years ago. Manufacturers must therefore maintain processes for detecting and reporting vulnerabilities and incidents for their existing products as well.
This regulation has far-reaching consequences. Many IoT manufacturers no longer have active vulnerability monitoring for older products. They assume these products are at the end of their lifecycle. However, the CRA requires manufacturers to provide security updates and manage vulnerabilities for the entire expected product lifespan. The expected product lifespan is not the planned one but the actual usage period, which is often significantly longer.
Our position: Manufacturers must now conduct an inventory of their product portfolios. For each product with digital elements, they must clarify whether it is still on the market, what vulnerabilities are known, and what the incident response process looks like for that product. Without this process, the product becomes a risk to the company's entire market access from September 2026.
Non-compliance with the reporting obligation risks market access restrictions, fines, and liability risks for manufacturers.
The CRA provides a graduated sanctions system. The most severe consequence is the withdrawal of market access. Competent authorities can remove products from the market if the manufacturer fails to meet its reporting obligations. This effectively means a sales ban for the affected products across the entire EU. In addition, fines of up to 15 million euros or 2.5 percent of the company's worldwide annual turnover may be imposed, whichever is higher.
Furthermore, liability risks arise. If a manufacturer fails to report an actively exploited vulnerability and this causes damage to users, the manufacturer can be held civilly liable. The burden of proof shifts: The manufacturer must demonstrate that it has fulfilled its due diligence obligations. Without documented reporting processes, this proof is difficult to provide.
We consider the sanctions appropriate. The CRA transforms cybersecurity from an optional quality feature into a mandatory product obligation with a duty of proof throughout the entire lifecycle. Those who ignore this obligation endanger not only the security of their customers but also their own market position.
Manufacturers should now build processes for vulnerability management and incident response that can be activated within hours.
Preparing for the reporting obligation requires concrete measures. The first step is to establish an incident response team that is available around the clock. This team must be able to assess an incoming report within 24 hours and send an early warning. This requires defined escalation paths, checklists, and templates for reports to the authorities.
A central tool is the Software Bill of Materials (SBOM). An SBOM lists all components of a product, including open-source libraries and third-party software. It enables immediate verification of whether a product is affected when a vulnerability becomes known. The CRA requires the creation and maintenance of an SBOM as part of vulnerability management.
In addition, we recommend implementing automated vulnerability scanning that continuously monitors the entire product portfolio. Security-by-design principles should be integrated into the development process to prevent vulnerabilities from the outset. This includes regular penetration tests, code reviews, and the use of secure programming practices.
Another important point is documentation. The CRA requires manufacturers to be able to demonstrate their security measures. This means that all processes, decisions, and reports must be documented without gaps. A security incident that is not documented is considered not reported.
September 2026 is the first milestone, but not the last: From December 2027, all affected products must be placed on the EU market with proven CRA conformity.
The reporting obligation from September 2026 is the first operational test. The second major milestone follows on December 11, 2027. From that date, products with digital elements may only be placed on the EU market if they demonstrate CRA conformity. This means manufacturers must subject their products to a conformity assessment, typically through an internal or external review. Conformity is documented by an EU declaration of conformity and CE marking.
We advise manufacturers to understand preparation for the CRA as a continuous process. The reporting obligation is the first step. Those who build processes for vulnerability management and incident response now create the foundation for the later conformity assessment. Those who wait until deadlines approach risk time pressure and potential market access restrictions.
The CRA is not a temporary phenomenon. It establishes a permanent legal framework for cybersecurity in the EU. Manufacturers that adapt early secure not only their market access but also a competitive advantage. Cybersecurity is increasingly becoming a purchasing criterion for customers and business partners.