CRA reporting requirement from September 2026: What manufacturers need to know now

February 27, 2026
10 min read

On September 11, 2026, the first binding obligation of the Cyber Resilience Act comes into force: the obligation to report actively exploited vulnerabilities. For manufacturers of digital products, this means: anyone who does not have a functioning reporting process by then risks fines of up to 15 million euros. This article explains exactly what to expect — and how to prepare now.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is the first EU regulation to set mandatory cybersecurity requirements for products with digital elements. The regulation came into force on December 10, 2024, and its requirements apply in stages until December 2027.

The CRA has a clear goal: Manufacturers should build cybersecurity into their products from the start - not as an afterthought. This applies to both hardware (smartphones, IoT devices, smart home systems, firewalls) and pure software products (apps, accounting software, games).

Important: The CRA applies to all products sold on the EU market - regardless of where the manufacturer is based. A US company that sells software in the EU is subject to the same obligations as a German medium-sized company.

The CRA reporting requirement: What applies from September 11, 2026

The reporting requirement under Article 14 CRA is the first requirement to be activated. From this date, manufacturers must report two types of events:

1. Actively exploited vulnerabilities in their products

2. Serious security incidents that affect the security of a product

The reporting deadlines are staggered:

• Within 24 hours: early warning to the relevant national CSIRT and to ENISA

• Within 72 hours: Complete vulnerability notification with technical assessment, severity and affected products

• Within 14 days: Final report with root cause analysis, actions taken and recommendations

Reporting is carried out via the CRA Single Reporting Platform (CRA-SRP), which is currently being set up by ENISA. In Germany, the BSI will act as the market surveillance authority and will set up the national reporting platform by August 2026.

Crucial: The 24-hour period begins when the vulnerability becomes known - not when it is confirmed. Anyone who first checks internally and then reports may already be in default.

Which products are affected?

The CRA has a broad scope. All “products with digital elements” made available on the EU market are affected:

• Network-connected hardware: smartphones, routers, smart home devices, wearables, industrial control systems

• Pure software products: mobile apps, desktop applications, operating systems, firmware

• B2B software: ERP systems, cloud management tools, security software

• IoT devices: sensors, cameras, connected home appliances

The CRA distinguishes between three risk categories:

• Standard products (Standard category): Self-assessment by the manufacturer is sufficient

• Important products (Category I): Harmonized standards or third-party testing required

• Critical products (Category II): Mandatory third-party testing by a notified body

Exceptions:

• Non-commercial open source software (commercial use falls under the CRA)

• Medical devices (own regulation via MDR)

• Military and defense products

• Motor vehicles (own regulation via UN R155/R156)

Who has to report? Obligations for manufacturers, importers and dealers

The main responsibility lies with the manufacturer. But the CRA defines obligations for the entire supply chain:

Manufacturer:

• Bear full responsibility for the cybersecurity of their products

• Must report vulnerabilities and incidents within deadlines

• Must provide security updates for at least 5 years

• Must create a Software Bill of Materials (SBOM).

Importers:

• Must ensure imported products are CRA compliant

• Liable if they place products without CE marking on the market

Dealer:

• Obligation to check: may only sell compliant products

• Must inform the market surveillance authority if vulnerabilities are known

The role of the open source steward is new: Organizations that systematically provide open source software for commercial purposes must demonstrate a cybersecurity strategy and cooperate with the authorities.

Step by step: How to prepare for the reporting requirement

The reporting requirement will come into effect in less than seven months. You should take these seven steps now:

1. Inventory: Which products are covered by the CRA?

Capture all products with digital elements in your portfolio. Assign each product to a risk category (Standard, Category I, Category II). Document the assessment.

2. Create Software Bill of Materials (SBOM).

For each product, list all software components — your own and third-party. The SBOM is the basis for systematic vulnerability management and is prescribed by the CRA. It must be available to the BSI upon request.

3. Build vulnerability management

Implement processes for vulnerability detection, assessment and escalation. Define clear responsibilities: Who monitors CVE databases? Who evaluates whether a published vulnerability is relevant to your own products? Who decides on escalation?

4. Define reporting process

Determine: Who will report? Through which channel? Who approves the report? The 24-hour deadline leaves no room for lengthy coordination rounds. The process must also work outside of business hours.

5. Prepare technical connection

ENISA is currently building the CRA Single Reporting Platform (CRA-SRP). As soon as the platform is available, you must register and ensure the technical connection. Have your IT team ready.

6. Train the team

Train your incident response team on CRA deadlines. Everyone involved needs to know what to do if a vulnerability is actively exploited — and how quickly.

7. Test the reporting process

Simulate the emergency before it occurs. Conduct a tabletop exercise: a vulnerability becomes known — can you issue the early warning within 24 hours? Where does the process break down?
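The seven steps above describe a workflow that can be partly automated: match your SBOM against incoming advisories and start the Article 14 clock the moment you become aware. The following Python script is an added illustration written for this article, not ADVISORI's tooling; the SBOM, advisory identifiers and timestamps are constructed placeholders.

```python
"""CRA Article 14 triage helper (added illustration; sample data is constructed)."""
import json
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM for one fictional product (not from the page).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "smart-gateway-fw", "version": "3.2.0"}},
  "components": [
    {"name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
    {"name": "zlib",    "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:generic/openssl@3.0.8", "exploited": True},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:generic/zlib@1.2.11", "exploited": True},
    {"id": "ADV-PLACEHOLDER-3", "purl": "pkg:generic/openssl@3.0.8", "exploited": False},
]

# Staggered CRA deadlines, all counted from the moment of awareness, not confirmation.
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "vulnerability_notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}

def affected_components(sbom_json: str, advisories: list) -> list:
    """Ids of actively exploited advisories whose purl matches a component in the SBOM."""
    purls = {c["purl"] for c in json.loads(sbom_json)["components"]}
    return sorted(a["id"] for a in advisories if a["exploited"] and a["purl"] in purls)

def reporting_schedule(aware_at_iso: str) -> dict:
    """Due time (ISO 8601) of each reporting stage, measured from the awareness timestamp."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {stage: (aware_at + delta).isoformat() for stage, delta in DEADLINES.items()}

def overdue_stages(aware_at_iso: str, now_iso: str, submitted: set) -> list:
    """Stages whose deadline has already passed without a submission being recorded."""
    now = datetime.fromisoformat(now_iso)
    return [s for s, due in reporting_schedule(aware_at_iso).items()
            if now > datetime.fromisoformat(due) and s not in submitted]

if __name__ == "__main__":
    aware = "2026-09-14T09:00:00+00:00"  # constructed: vulnerability became known
    print("exploited matches:", affected_components(SBOM_JSON, ADVISORIES))
    for stage, due in reporting_schedule(aware).items():
        print(f"{stage:28s} due {due}")
    print("overdue now:", overdue_stages(aware, "2026-09-16T10:00:00+00:00", set()))
```

Only the advisory flagged as actively exploited and matching an exact purl in the SBOM triggers the 24-hour clock; the unexploited one stays in normal vulnerability handling.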

Fines and sanctions for violations

The CRA has three levels of fines:

• Up to €15 million or 2.5% of global annual turnover: for breaches of essential cybersecurity requirements

• Up to €10 million or 2% of annual turnover: for violations of other obligations (including reporting requirements)

• Up to €5 million or 1% of annual turnover: for incorrect or incomplete information

In addition, the BSI, as a market surveillance authority, can:

• Prohibit the sale of a product

• Order a product recall

• Withdraw the CE marking

The financial risks are significant — but the reputational damage of a public product recall is often more serious.

CRA, NIS2 and DORA — how are they connected?

With CRA, NIS2 and DORA, three EU regulations will affect companies at the same time in 2026. The demarcation:

• CRA: Applies to products — Manufacturers must deliver secure products and report vulnerabilities

• NIS2: Affects organizations — operators of critical infrastructure must secure their own IT

• DORA: Affects the financial sector — banks and insurers must demonstrate digital operational resilience

The overlap lies in the reporting requirements: all three regulations require the reporting of security incidents within strict deadlines. Companies that both manufacture products and operate critical infrastructure must be CRA and NIS2 compliant in parallel.

Our advice: Build an integrated compliance approach. A common incident response framework that covers CRA, NIS2 and, if necessary, DORA saves effort and reduces sources of error.

The most important CRA deadlines at a glance

• December 10, 2024: CRA enacted

• June 11, 2026: Provisions on conformity assessment bodies apply (bodies can be notified)

• September 11, 2026: Vulnerability and incident reporting requirements come into effect

• December 11, 2027: All CRA requirements apply in full (including CE marking, technical documentation, conformity assessment)

• From placing on the market: At least 5 years of security updates from the manufacturer

Frequently asked questions

When does the CRA reporting requirement apply?

Starting September 11, 2026, manufacturers will be required to report actively exploited vulnerabilities and serious security incidents.

Which products are covered by the Cyber Resilience Act?

All products with digital elements sold on the EU market — from smart home devices to software to industrial controls.

How quickly must a vulnerability be reported?

Early warning within 24 hours, full report within 72 hours, final report within 14 days.

Where does the report have to be made?

Via ENISA's CRA Single Reporting Platform (CRA-SRP) to the responsible national CSIRT and to ENISA.

What happens if there are violations of the CRA reporting requirement?

Fines of up to 10 million euros or 2% of annual worldwide turnover. Additionally: product recalls or sales bans.

Are open source projects affected by the CRA?

Non-commercial open source software is excluded. Commercial use of open source falls under the CRA. The CRA also introduces the new role of the open source steward.

What is an SBOM and why do I need it for the CRA?

A software bill of materials lists all software components of a product. The CRA requires its creation, and it must be made available to the BSI upon request.

Conclusion

The CRA reporting requirement is not a distant future issue — it will take effect in less than seven months. The 24-hour deadline for early warning leaves no room for improvisation. Anyone who does not set up a functioning vulnerability and reporting process now not only risks fines, but also the loss of trust from their customers.

Act now: Start by inventorying your products and building your reporting process.

Need assistance with CRA compliance? ADVISORI accompanies you from the impact analysis through the development of vulnerability management to the connection to the reporting platform. Talk to us.
