CRA reporting by September 2026 - Are you ready?
Urs Fässler
The Cyber Resilience Act (CRA) is a major milestone in securing embedded systems against cyber threats. While most provisions must be implemented by 2027, reporting obligations take effect from 11 September 2026. As a manufacturer, what are your responsibilities, and which devices are affected?
The CRA aims to enhance the cybersecurity of products with digital elements within the European Union. This applies to both private users and companies, as well as to protecting critical infrastructure. Manufacturers must ensure that every device sold after 11 December 2027 is secure through measures such as monitoring for security issues and providing regular security updates.
While this may seem burdensome at first, the CRA not only increases security and user trust but also acts as a catalyst to improve product quality, accelerate innovation cycles, and open new markets.
For Every Device Ever Sold
Reporting obligations apply to all devices subject to the CRA, whether already sold or still in development. Devices placed on the market after 11 December 2027 are subject to the full CRA obligations (cra.orcwg.org/faq).
For devices already on the market or sold before 11 December 2027, reporting obligations are limited to actively exploited vulnerabilities and severe incidents affecting product security. Manufacturers must report such occurrences as soon as they become aware of them, whether through their own monitoring or external notifications.
Some products in the field may be quite old. Investigating or fixing security issues on these devices can be challenging due to unavailable tools, outdated dependencies, or lost knowledge. For this reason, manufacturers are not required to investigate problems for products sold before 11 December 2027.
Reporting
Manufacturers must notify both the relevant authorities and affected users. If manufacturers fail to inform users promptly, the authorities will step in to provide this information. To avoid negative publicity, manufacturers are strongly advised to handle notifications themselves.
Next Steps: Your CRA Action Plan
The CRA’s reporting obligations are your chance to build trust and refine your processes. Start by auditing your products, setting up a security contact point, and defining how you’ll handle vulnerability reports. Use the transition period to embed security into your development lifecycle. It’s mandatory by December 2027, but early adopters will stand out.
Need help?
Let’s talk - I specialize in CRA-ready embedded systems, CI/CD, and sustainable software processes.