Summary

The EU Cyber Resilience Act (CRA) introduces a phased implementation timeline with specific deadlines for different provisions, ensuring stakeholders have sufficient time to adapt while progressively enhancing cybersecurity across the Union.

Relevant CRA Provisions

Recitals: Recital 126, Recital 80, Recital 92, Recital 124

Articles: Article 70, Article 52, Article 9, Article 12, Article 8

Detailed Explanation

The CRA’s implementation is structured in phases to allow economic operators time to adapt to new requirements. Key dates include:

  • 11 September 2026: Application of reporting obligations concerning actively exploited vulnerabilities and severe incidents, and provisions on notification of conformity assessment bodies.
  • 11 June 2026: Application of provisions on notification of conformity assessment bodies.
  • 11 December 2027: General application of the Regulation, including the applicability of Directive (EU) 2020/1828 to representative actions concerning infringements of the CRA.
  • 11 September 2028: The Commission must submit a report assessing the effectiveness of the single reporting platform and the impact of cybersecurity-related grounds on its effectiveness.
  • 11 December 2030 and every four years thereafter: The Commission shall submit a report on the evaluation and review of the Regulation.

During the transitional period, the development of harmonised standards is crucial, especially for important products with digital elements under class I, to enable manufacturers to perform conformity assessments via internal control procedures and avoid bottlenecks.

Obligations for Stakeholders

Stakeholders, including manufacturers, distributors, importers, and open-source software stewards, must prepare for the phased implementation of the CRA. Key obligations include:

  • Adhering to the specified deadlines for reporting obligations and conformity assessments.
  • Ensuring compliance with essential cybersecurity requirements for high-risk AI systems and critical products with digital elements.
  • Participating in stakeholder consultations organised by the Commission to provide views on the implementation of the Regulation.
  • Cooperating with market surveillance authorities and other relevant bodies to ensure effective implementation and enforcement of the CRA.