The Cyber Resilience Act Also Affects Your Installed Base
From September 11, 2026, a new obligation applies that many companies still underestimate. Anyone selling connected products in the EU must report actively exploited vulnerabilities and serious security incidents to the authorities within hours going forward. The Cyber Resilience Act makes cybersecurity a product requirement. It affects not only new devices but also products that have long been on the market.
Key Points at a Glance
- The Deadline: From September 11, 2026, manufacturers must report actively exploited vulnerabilities and serious incidents. The remaining obligations follow on December 11, 2027.
- The Deadlines: Early warning within 24 hours, full report within 72 hours, final report no later than 14 days after a countermeasure becomes available.
- The Core: Cybersecurity becomes a product characteristic with CE marking. Every product with digital elements placed on the EU market is affected.
What the Cyber Resilience Act Requires
The Cyber Resilience Act, Regulation (EU) 2024/2847, for the first time establishes cybersecurity as a mandatory characteristic of products. Covered is everything that contains digital elements and connects directly or indirectly to a device or network-from industrial controls to smart household appliances to pure software. For such products, fundamental security requirements will apply over the entire lifecycle going forward.
Concretely, this means: Manufacturers must design their products securely, remediate known vulnerabilities, and supply security updates over a defined period. They must maintain a vulnerability management process and demonstrate compliance with the requirements. Only then may they affix the CE marking, which until now stood for safety in the physical sense and now also encompasses digital security.
This shifts responsibility under the CRA. No longer does the operator alone bear the risk of insecure software-the manufacturer who places the product on the market does. Cybersecurity shifts from a downstream operational topic to a prerequisite for market access.
September 11, 2026
The CRA timeline is staggered. The first hard deadline is the reporting obligation. From September 11, 2026, manufacturers must report actively exploited vulnerabilities and serious security incidents that affect the security of their products. The further obligations, such as the ongoing remediation of vulnerabilities and full compliance, only take effect on December 11, 2027.
Reporting obligation for actively exploited vulnerabilities takes effect
Cyber Resilience Act (EU 2024/2847)
The notification process runs through a central platform, the Single Reporting Platform. It is sent to the responsible national CSIRT as well as the European agency ENISA. The deadlines are tight. An initial early warning is due within 24 hours, a complete report within 72 hours. A final report follows no later than 14 days after a countermeasure is available, and within one month for serious incidents.
What matters is the scope. The reporting obligation also applies to products that entered the market before December 11, 2027. So if you shipped a connected device years ago that is still in operation, you must report actively exploited vulnerabilities on it starting September 2026. The installed base does not fall outside the obligation.
Who It Affects
The circle of those affected is broader than many anticipate. It covers manufacturers of hardware and software equally, from the sensor through network components to the application. Importers and distributors also carry obligations if they bring products with digital elements to the EU market or make them available. Pure origin outside the EU offers no protection once a product is sold here.
For many companies, the CRA is thus a topic they had not previously had on their radar. Anyone who regards themselves as a pure software or device manufacturer and not as a classic cybersecurity company is nevertheless held to account. The question is not whether a product is affected, but whether it has digital elements and is placed on the market in the EU.
What Now Belongs on the Leadership Agenda
The first step is an honest stocktaking. Which products with digital elements does the company place on the market, which of them are still in the field, and who within the company is even responsible? Without this overview, it is impossible to fulfill the reporting obligation or plan for full compliance later.
The second step is the reporting process. By September 2026, a procedure must be in place that detects an exploited vulnerability, assesses it, and reports it via the platform in a timely manner. This requires clear responsibilities, a designated interface to the authorities, and the technical ability to even detect an incident in time. Anyone who only begins building the process after a case becomes known will miss the 24-hour early warning.
The third step is strategic. The CRA is not a one-off compliance project but a permanent product responsibility with update obligations through 2027 and beyond. This belongs on the executive level because it touches product planning, development budgets, and supplier contracts. Cybersecurity becomes part of product strategy, not an addendum to IT.
Distinction from NIS2 and DORA
The CRA is often thrown into the same pot as NIS2 and DORA, but it pursues a different approach. NIS2 and DORA regulate operators, that is, organizations that must operate and protect IT. The CRA regulates the product itself and addresses the manufacturer that places it on the market.
The three regulatory frameworks interlock. An operator subject to NIS2 purchases products that will in future fall under the CRA. Product security under the CRA thus supports the supply chain security that NIS2 requires from the operator. Anyone who considers the three frameworks separately fails to recognize that together they create a continuous security claim from the component to operations.
Frequently Asked Questions
Each question is closed. Tapping unlocks the answer.
When Does the CRA’s Reporting Obligation Apply?
From September 11, 2026. From this date, manufacturers must report actively exploited vulnerabilities and serious security incidents. The remaining obligations take effect on December 11, 2027.
What Deadlines Apply to a Report?
An early warning within 24 hours, a complete report within 72 hours, and a final report no later than 14 days after a countermeasure becomes available, or within one month in the case of serious incidents.
Does the CRA Also Apply to Products That Have Already Been Sold?
Yes. The reporting obligation from September 2026 also applies to products that entered the market before December 11, 2027 and continue to be used. The installed base does not fall outside the obligation.
Who Besides the Manufacturer Is Obligated?
Importers and distributors also carry obligations if they place products with digital elements on the EU market or make them available. Origin outside the EU does not exempt from the requirements.
How Does the CRA Relate to NIS2?
The CRA regulates the product and the manufacturer; NIS2 regulates the operator. The two complement each other: Secure products under the CRA support the supply chain security that NIS2 requires from the operator.
Editor’s Picks
Editor’s PickWhat Is NIS2? Definition, Obligations, and LiabilityEditor’s PickWhen a Phone Call Halted Car Production
More from the MBF Media Network
cloudmagazinKRITIS in the Cloud: What Secures the MigrationMyBusinessFutureThe AI oversight in Germany now has an addressDigital ChiefsThe AI writes the code. Who is liable for it?




