Skip to main content

CRA Timeline: Key Dates Your Software Business Needs to Know

Alright, let's talk dates. The Cyber Resilience Act isn't just happening overnight. You have some time to prepare your games, apps, and software tools, but some parts kick in sooner than others. Mark these on your calendar.

  • Act in Force: December 10, 2024 The CRA officially became EU law twenty days after its publication (Article 71 Paragraph 1).

  • Early Obligations (Sooner than you think) - September 11, 2026: This is a big one for you. The mandatory reporting obligations for actively exploited vulnerabilities and severe incidents Article 14 begin Article 71 Paragraph 2. This applies even to software already on the market before the CRA fully applies (Article 69 Paragraph 3).

  • Full Application: December 11, 2027 This is when the bulk of the CRA requirements hit. From this date, most new software products with digital elements placed on the EU market must comply with all essential cybersecurity and vulnerability handling requirements (Article 71 Paragraph 2).

  • Legacy Software: If you placed your software on the market before December 11, 2027, it generally does not need to meet the full CRA requirements unless you make a substantial modification to it after this date (Article 69 Paragraph 2). However, the reporting obligation for vulnerabilities (Article 14) applies regardless from September 11, 2026.

Key Takeway

That September 2026 deadline for reporting is crucial.

Important Dates For You

  • Regulation Entry into Force: 11 December 2024
  • Reporting Obligations (Article 14) Apply: 11 September 2026
  • Full CRA Application: 11 December 2027