Summary
The Cyber Resilience Act (CRA) includes a phased timeline for implementation, with specific provisions coming into effect at different dates. Key milestones include the application of reporting obligations for actively exploited vulnerabilities and severe incidents, the notification of conformity assessment bodies, and the general application of the Regulation.
Relevant CRA Provisions
- Recital (126): Provides the timeline for the general application of the Regulation and exceptions for specific obligations.
- Recital (124): Specifies the applicability of Directive (EU) 2020/1828 to representative actions concerning infringements of the CRA.
- Article 69: Details transitional provisions, including the validity of existing certificates and the conditions under which pre-existing products are subject to the Regulation.
- Recital (80): Emphasizes the importance of developing harmonized standards during the transitional period.
- Recital (85): Defines the term “reasonable period” in relation to the publication of harmonized standards.
- Article 65: Confirms the application of Directive (EU) 2020/1828 to representative actions against infringements of the CRA.
- Recital (30): Discusses the alignment of essential cybersecurity requirements with existing regulations and the need for guidance during the transitional period.
Detailed Explanation
The CRA introduces a staggered implementation timeline to allow economic operators sufficient time to adapt to its requirements. Key dates include:
- 11 September 2026: Reporting obligations concerning actively exploited vulnerabilities and severe incidents come into effect.
- 11 June 2026: Provisions on the notification of conformity assessment bodies apply.
- 11 December 2027: The CRA applies in general, including most provisions and the applicability of Directive (EU) 2020/1828 to representative actions.
- 11 June 2028: EU type-examination certificates and approval decisions regarding cybersecurity requirements remain valid until this date, unless they expire earlier or are otherwise specified.
During the transitional period, the development of harmonized standards is crucial for effective implementation, particularly for important products with digital elements. The “reasonable period” for the publication of these standards is defined as not exceeding one year after the deadline for drafting a European standard.
Obligations for Stakeholders
Stakeholders, including manufacturers, distributors, importers, and open-source software stewards, must prepare for the following obligations:
- Comply with reporting obligations for actively exploited vulnerabilities and severe incidents from 11 September 2026.
- Adhere to the notification requirements for conformity assessment bodies from 11 June 2026.
- Ensure full compliance with the CRA’s provisions from 11 December 2027.
- Monitor and adapt to the development of harmonized standards during the transitional period.
- Be aware of the continued validity of existing certificates and approval decisions until 11 June 2028, unless otherwise specified.