Summary

The EU Cyber Resilience Act (CRA) introduces a phased timeline for compliance, with various provisions becoming effective at different dates. This article outlines the key compliance dates and deadlines for stakeholders to meet the new requirements.

Relevant CRA Provisions

• Recital (126)
• Article 35
• Article 69
• Recital (124)
• Article 52
• Recital (80)
• Article 33
• Recital (85)

Detailed Explanation

The CRA sets out a staggered timeline for the implementation of its provisions to allow stakeholders sufficient time to adapt. Key dates include:

• 11 September 2026: Reporting obligations concerning actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements become effective.
• 11 June 2026: Provisions on notification of conformity assessment bodies become effective.
• 11 December 2026: Member States must ensure a sufficient number of notified bodies are available to carry out conformity assessments.
• 11 December 2027: The majority of the CRA’s provisions come into effect, including market surveillance and control of products with digital elements, and the applicability of Directive (EU) 2020/1828 for representative actions concerning infringements of the CRA.
• 11 June 2028: EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than the CRA remain valid until this date, unless they expire before that date or unless otherwise specified.

Obligations for Stakeholders

Stakeholders must prepare for the CRA’s implementation by the specified dates:

• Manufacturers, Distributors, Importers: Must comply with the CRA’s requirements by 11 December 2027, including reporting obligations for vulnerabilities and incidents from 11 September 2026.
• Open Source Software Stewards: Must comply with their obligations under Article 24 by 11 December 2027, with market surveillance authorities ensuring compliance.
• Member States: Must notify the Commission and other Member States of authorised conformity assessment bodies by 11 June 2026 and ensure sufficient notified bodies by 11 December 2026.
• Market Surveillance Authorities: Must be designated and operational by 11 December 2027, with responsibilities including market surveillance, cooperation with other authorities, and providing guidance to economic operators.
• Microenterprises and Small Enterprises: May use simplified technical documentation formats as specified by the Commission, with support measures and guidance provided to facilitate compliance.