Back to Insights
Security 8 min read

The EU Cyber Resilience Act (CRA): deadlines, what it means for SMBs and public bodies, and a 2026–2027 roadmap

The EU Cyber Resilience Act is now law. First hard deadline 11 September 2026, full compliance 11 December 2027 — what it means for SMBs, public bodies and any organisation, plus a practical roadmap.

Iulian — CyberBuild
Founder & lead engineer
June 25, 2026
The EU Cyber Resilience Act (CRA): deadlines, what it means for SMBs and public bodies, and a 2026–2027 roadmap

The short version

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is now law. It sets mandatory cybersecurity rules for almost every product with digital elements sold in the EU — hardware, software, firmware and connected services. It entered into force on 10 December 2024 and applies in stages, with the first hard deadline on 11 September 2026 and full compliance from 11 December 2027.

If your organisation makes, resells or even just buys connected products or software, the CRA touches you. Here is what matters, by date and by audience.

The deadlines that matter

| Date | What applies | | --- | --- | | 10 Dec 2024 | CRA entered into force | | 11 Jun 2026 | Rules for conformity assessment bodies; Member States designate authorities | | 11 Sep 2026 | Reporting obligations start — manufacturers report actively exploited vulnerabilities and severe incidents | | 11 Dec 2027 | Full compliance — all essential requirements, conformity assessment and CE marking |

From 11 September 2026, a manufacturer that becomes aware of an actively exploited vulnerability or a severe incident must send:

  • an early warning within 24 hours,
  • a fuller notification within 72 hours,
  • a final report within 14 days (vulnerabilities, once a fix is available) or within one month (severe incidents),

to the national CSIRT and ENISA, through the CRA single reporting platform. This applies even to products already on the market — legacy products are not exempt from reporting.

Who is in scope

The CRA covers products with digital elements: IoT and connected hardware, routers and smart devices, standalone software and firmware, and remote data-processing solutions (cloud and web apps tied to a product).

Roles carry different duties:

  • Manufacturers carry the main obligations: secure-by-design, vulnerability handling, security updates, technical documentation, conformity assessment and CE marking.
  • Importers and distributors must verify compliance before selling, refuse non-compliant products and cooperate with authorities.
  • Open-source stewards and non-commercial open-source developers are exempt from the administrative fines.

About 90% of products fall in a default class where the manufacturer self-assesses. The rest are "important" or "critical", with stricter assessment — critical products need an external audit.

The penalties

  • Up to €15 million or 2.5% of worldwide annual turnover for breaching the essential requirements.
  • Up to €10 million or 2% for incorrect or incomplete information.
  • Up to €5 million or 1% for failing to cooperate with authorities.

What it means for SMBs

There are two ways the CRA reaches an SMB:

If you build or sell anything digital — a connected product, a piece of software, firmware, a SaaS or web app placed on the EU market — you are likely a manufacturer under the CRA. You will need secure-by-design development, a software bill of materials (SBOM), a vulnerability-handling and update process, technical documentation and (from Dec 2027) CE marking. The reporting duty starts earlier, in September 2026.

If you only buy and use connected products and software, you are not directly obligated, but the CRA still helps you: from 2027, products on the EU market must meet a baseline. Start asking vendors whether their roadmap is CRA-ready, and make CRA/CE compliance a line in your procurement.

What it means for public administrations

Most municipalities are buyers, so the practical work is procurement: require CRA-compliant, CE-marked products and ask suppliers for their compliance timeline. But a public body that develops or commissions its own software (citizen portals, apps) can fall in scope as a manufacturer. The CRA also sits next to NIS2, which already covers many public bodies — treat them as one programme, not two.

What it means for any organisation

  • You depend on connected products and software whether you build them or not. A weak component is your risk too.
  • Vendor due diligence, an asset inventory and a vulnerability-handling process are now baseline expectations, not nice-to-haves.

A practical roadmap

Now → mid-2026 — map and classify

  1. Inventory every product with digital elements you make, resell or rely on.
  2. Determine your role for each: manufacturer, importer, distributor or user.
  3. Run a gap analysis against the essential requirements.

By 11 September 2026 — get reporting-ready (if you are a manufacturer) 4. Stand up a vulnerability-handling and incident process with the 24h / 72h / 14-day cascade. 5. Set up monitoring for actively exploited vulnerabilities and prepare to file through the CRA platform.

2026 → 2027 — engineer for compliance 6. Adopt secure-by-design, keep an SBOM, define a security-update policy and write the technical documentation. 7. Choose the right conformity route (self-assessment, "important", or "critical" external audit) and prepare CE marking.

By 11 December 2027 — full compliance 8. Every new product placed on the EU market must meet the CRA in full.

Not sure where you stand?

The hardest part is usually the first one: working out whether the CRA treats you as a manufacturer, and which products are in scope. That assessment is exactly what our free 30-minute call covers — we map your products, your role and your nearest deadline, and tell you what to do first.

This article is a practical summary, not legal advice. The binding text is Regulation (EU) 2024/2847. Dates and guidance can be updated — check the official sources before you act.

Want the full checklist?

We send you the practical RO/EN version used in real projects for SMBs, municipalities and EU teams.

Want to discuss?

Free 30-min call — no obligations.

Book call