Regulatory deadlines
Key dates under the EU Cyber Resilience Act.
CRA enters into force
Regulation (EU) 2024/2847 published in the Official Journal and enters into force. The clock starts.
Vulnerability reporting & notification obligations (Art. 14)
Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA: 24-hour early warning, 72-hour notification, 14-day final report. The ENISA single reporting platform must be operational by this date.
Learn more about Art. 14 obligationsConformity assessment body notification obligations
Obligations relating to notification of conformity assessment bodies apply. Relevant for manufacturers requiring third-party conformity assessment (Important Class II, Critical products).
Full regulation applies
All CRA obligations apply to all in-scope products with digital elements. All tools, assessment workflows, documentation, and vulnerability-handling processes must be in place.
Ready to go deeper?
Explore the full obligations library, understand your role, or view the regulatory timeline.