EU Cyber Resilience Act: Complete Implementation Timeline 2025-2027

A comprehensive guide to CRA enforcement deadlines, what manufacturers need to prepare at each stage, and industry-specific compliance checklists.

CRA Evidence Team
Author
December 26, 2025
Updated February 25, 2026, 12:00:00 AM UTC
10 min read
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is the most significant cybersecurity legislation for products with digital elements (PDEs) in the European Union. It has been in force since 10 December 2024, its vulnerability and incident reporting obligations apply from 11 September 2026, and the remaining obligations apply from 11 December 2027. Manufacturers need to understand the timeline and prepare accordingly.

This guide breaks down each milestone, provides actionable preparation checklists, and offers industry-specific guidance to help you navigate the compliance journey.

Key Dates at a Glance

Date                Milestone                                     Impact
10 December 2024    CRA enters into force                         Regulation in force; obligations phased in as below
11 June 2026        Chapter IV (notified bodies) applies          Conformity assessment bodies can be designated and notified
11 September 2026   Article 14 reporting obligations apply        24-hour early warning via the single reporting platform (national CSIRT coordinator and ENISA)
11 December 2027    Full application                              All PDEs placed on the market must comply

Warning: 11 September 2026 is the first hard deadline. From that date, manufacturers must submit an early warning for any actively exploited vulnerability (or severe incident affecting the security of the product) within 24 hours of becoming aware of it, through the single reporting platform that routes to the national CSIRT coordinator and ENISA.

[Figure: CRA implementation timeline from December 2024 to December 2027]

Phase 1: Now Until 11 September 2026

This is your preparation window. No product or reporting obligations apply yet, but this period is critical for building the foundations of compliance: the reporting duties that start in September 2026 cover products already on the market, not only new ones.

What You Should Be Doing Now

1. Product Inventory and Classification

Start by cataloging every product with digital elements you place on the EU market:

  • Consumer IoT devices (smart home, wearables, appliances)
  • Industrial equipment with network connectivity
  • Software products sold or distributed in the EU
  • Embedded systems and firmware

For each product, determine its CRA classification (Default, Important Class I, Important Class II, or Critical) as this affects your conformity assessment requirements.

2. SBOM Infrastructure

Tip: Start with SBOM generation. It's the foundation for vulnerability monitoring and provides immediate compliance value.

The CRA requires manufacturers to identify and document the components in their products, including by drawing up a Software Bill of Materials in a commonly used, machine-readable format that covers at least the top-level dependencies (Annex I, Part II). That is the legal floor; for vulnerability monitoring you want full transitive coverage, because most exploitable defects sit several levels down. Build the capability now:

  • Integrate SBOM generation into your CI/CD pipeline so every release ships with a matching SBOM
  • Choose a standard format (CycloneDX or SPDX) and use it consistently across product lines
  • Ensure coverage of transitive dependencies, including vendored and statically linked code that package managers do not see
  • Establish SBOM storage and version tracking: an SBOM is evidence for a specific build, not a living document

3. Vulnerability Monitoring Setup

Before the 11 September 2026 deadline, establish your vulnerability detection capability:

  • Subscribe to vulnerability databases (NVD, OSV, vendor advisories)
  • Implement automated scanning of your SBOM components
  • Create internal escalation procedures
  • Test your notification workflows
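As an added example (not code from CRA Evidence or from this article's authors), the following Python script ties items 2 and 3 together: it checks a CycloneDX SBOM for the gaps a technical-file reviewer will flag (components without a version or purl, a missing dependency graph, references to unknown components, components not reachable from the product root) and then matches the remaining components against advisories in OSV's affected/ranges/events shape. The SBOM, the package names and the advisory identifier are constructed for the example and do not describe any real product or vulnerability; version ordering is simplified to dotted integers, so substitute the ecosystem's own comparison rules (PEP 440, semver) before relying on it.

```python
"""CRA readiness checks for a CycloneDX SBOM: completeness plus advisory matching.

Example added for this article; it is not code from CRA Evidence or any other
CRA tool. It assumes a CycloneDX 1.5 JSON document and advisories in OSV's
affected/ranges/events shape. Both inputs are constructed inline (fictitious
packages and advisory id) so the script runs offline. Version comparison is a
simplified dotted-integer order; production code must use the ecosystem's rules.
"""
import json
from collections import deque

# Constructed sample SBOM (not a real product). 'vendor-blob' lacks a version and
# purl; 'orphan' is listed but never referenced in the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "example-gateway", "version": "2.4.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/netkit@3.1.0", "type": "library", "name": "netkit",
         "version": "3.1.0", "purl": "pkg:pypi/netkit@3.1.0"},
        {"bom-ref": "pkg:pypi/tlswrap@1.4.2", "type": "library", "name": "tlswrap",
         "version": "1.4.2", "purl": "pkg:pypi/tlswrap@1.4.2"},
        {"bom-ref": "vendor-blob", "type": "library", "name": "vendor-crypto"},
        {"bom-ref": "pkg:pypi/orphan@1.0.0", "type": "library", "name": "orphan",
         "version": "1.0.0", "purl": "pkg:pypi/orphan@1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/netkit@3.1.0", "vendor-blob"]},
        {"ref": "pkg:pypi/netkit@3.1.0", "dependsOn": ["pkg:pypi/tlswrap@1.4.2"]},
    ],
})

# Constructed advisory in OSV shape; the id, package and range are fictitious.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2026-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "tlswrap"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.5"}]}]}]},
]

# Map purl type to the OSV ecosystem name (subset, for the example).
ECOSYSTEM_BY_PURL_TYPE = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "golang": "Go"}


def version_key(version):
    """Simplified ordering: dotted numeric parts; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_sbom(sbom_json):
    """Return human-readable findings that would fail a CRA technical-file review."""
    bom = json.loads(sbom_json)
    findings = []
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    for ref, comp in components.items():
        if not comp.get("version"):
            findings.append(f"{ref}: missing version")
        if not comp.get("purl"):
            findings.append(f"{ref}: missing purl (cannot be matched against advisories)")
    deps = bom.get("dependencies")
    if not deps:
        findings.append("no dependency graph: transitive coverage cannot be verified")
        return findings
    graph = {d["ref"]: d.get("dependsOn", []) for d in deps}
    known = set(components) | ({root} if root else set())
    for ref, children in graph.items():
        for child in children:
            if child not in known:
                findings.append(f"{ref}: dependsOn unknown bom-ref {child}")
    # Walk the graph from the product root; anything unreached is an inventory gap.
    seen, queue = set(), deque([root] if root else [])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    for ref in components:
        if ref not in seen:
            findings.append(f"{ref}: not reachable from the root component")
    return findings


def is_affected(version, events):
    """OSV range semantics: affected from each 'introduced' up to (excluding) the next 'fixed'.
    An 'introduced' with no following 'fixed' is an open-ended range (no fix yet)."""
    v = version_key(version)
    lower = None
    for event in events:
        if "introduced" in event:
            lower = version_key(event["introduced"])  # "0" means from the first release
        elif "fixed" in event and lower is not None:
            if lower <= v < version_key(event["fixed"]):
                return True
            lower = None
    return lower is not None and v >= lower


def match_advisories(sbom_json, advisories):
    """Return (advisory id, bom-ref) pairs for components inside an affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # already flagged by check_sbom; cannot be matched reliably
        purl_type = purl.split(":", 1)[1].split("/", 1)[0]
        ecosystem = ECOSYSTEM_BY_PURL_TYPE.get(purl_type)
        for adv in advisories:
            for affected in adv["affected"]:
                pkg = affected["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"] != comp["name"]:
                    continue
                for rng in affected.get("ranges", []):
                    if rng["type"] == "ECOSYSTEM" and is_affected(version, rng["events"]):
                        hits.append((adv["id"], comp["bom-ref"]))
    return hits


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM):
        print("SBOM finding:", line)
    for adv_id, ref in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print("ADVISORY MATCH:", adv_id, "->", ref)
```

Run it against the SBOM your pipeline emits per build; the unreachable-component and missing-purl findings are the two that most often turn an SBOM into a flat list that cannot answer "is the exploited component in any of our products?" within the 24-hour window.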

Phase 1 Preparation Checklist

PHASE 1 CHECKLIST (Now - September 2026)

PRODUCT INVENTORY:
[ ] Complete list of PDEs sold in EU
[ ] CRA classification for each product
[ ] Identify products requiring third-party assessment
[ ] Document current support period commitments

SBOM FOUNDATION:
[ ] SBOM generation tool selected and integrated
[ ] Format standardized (CycloneDX/SPDX)
[ ] Transitive dependency coverage verified
[ ] Version-controlled SBOM storage established

VULNERABILITY READINESS:
[ ] Monitoring systems in place
[ ] Internal escalation procedures documented
[ ] Notification templates for the single reporting platform (CSIRT coordinator and ENISA) prepared
[ ] Test incident response workflow

DOCUMENTATION BASELINE:
[ ] Existing technical documentation audited
[ ] Gap analysis against Annex VII requirements
[ ] Risk assessment methodology selected
[ ] Documentation templates created

Phase 2: 11 September 2026 - Vulnerability Reporting Active

The first major compliance deadline arrives on 11 September 2026, when the Article 14 reporting obligations take effect for all manufacturers, including for products already on the market.

The 24-Hour Rule

From 11 September 2026, any actively exploited vulnerability in your products, and any severe incident having an impact on their security, must be notified within 24 hours of your becoming aware of it. Notifications go through the single reporting platform established by ENISA and reach both the CSIRT designated as coordinator in your Member State and ENISA. The clock starts at awareness, not at root-cause confirmation, and this is a legal requirement, not a suggestion.

For an actively exploited vulnerability, Article 14 sets the following steps:

Timeframe                                                Notification                  Content
24 hours after becoming aware                            Early warning                 That an actively exploited vulnerability exists; affected Member States where known
72 hours after becoming aware                            Vulnerability notification    General information on the product, nature of the vulnerability and exploit, severity and impact, corrective or mitigating measures taken or available to users
14 days after a corrective or mitigating measure exists  Final report                  Description of the vulnerability including severity and impact, information on the malicious actor where available, details of the security update or other corrective measures

Severe incidents affecting the security of the product follow a parallel track: early warning within 24 hours, incident notification within 72 hours, and a final report no later than one month after the incident notification.
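The Article 14 clock is worth encoding in whatever tracks your security cases, because the three deadlines have different triggers: the 24-hour and 72-hour notifications run from becoming aware, the final vulnerability report runs from the availability of a corrective or mitigating measure, and the final incident report runs one calendar month from the incident notification. The following Python is an added example, not CRA Evidence code; the record fields, the ISO-string wrapper and the sample timestamps are assumptions for illustration.

```python
"""Article 14 reporting clock for a vulnerability or incident record.

Example added for this article, not CRA Evidence code. It encodes the Article 14
deadlines of Regulation (EU) 2024/2847: early warning within 24 hours and the
vulnerability/incident notification within 72 hours of becoming aware; the final
vulnerability report 14 days after a corrective or mitigating measure is
available; the final incident report one month after the incident notification.
The record fields and the sample timestamps are assumptions for the example.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def require_aware(ts, label):
    """The clock is a legal deadline: refuse naive timestamps rather than guess a zone."""
    if ts is not None and ts.tzinfo is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts


def add_one_month(ts):
    """One calendar month later, clamped to the last day of the target month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


@dataclass
class ReportingRecord:
    kind: str                                   # "vulnerability" or "incident"
    aware_at: datetime                          # when the manufacturer became aware
    notified_at: Optional[datetime] = None      # when the 72 h notification was sent
    mitigation_available_at: Optional[datetime] = None  # patch or mitigation available

    def deadlines(self):
        """Return each Article 14 deadline; None when its trigger has not happened yet."""
        aware = require_aware(self.aware_at, "aware_at")
        due = {
            "early_warning": aware + timedelta(hours=24),
            "notification": aware + timedelta(hours=72),
        }
        if self.kind == "vulnerability":
            fix = require_aware(self.mitigation_available_at, "mitigation_available_at")
            due["final_report"] = fix + timedelta(days=14) if fix else None
        elif self.kind == "incident":
            sent = require_aware(self.notified_at, "notified_at")
            due["final_report"] = add_one_month(sent) if sent else None
        else:
            raise ValueError(f"unknown record kind: {self.kind}")
        return due

    def next_due(self, now, already_sent=()):
        """Earliest outstanding deadline and hours left; negative hours means overdue."""
        pending = [(name, when) for name, when in self.deadlines().items()
                   if when is not None and name not in already_sent]
        if not pending:
            return None
        name, when = min(pending, key=lambda item: item[1])
        return name, (when - require_aware(now, "now")).total_seconds() / 3600


def deadlines_iso(kind, aware_iso, notified_iso=None, mitigation_iso=None):
    """Convenience wrapper for ticketing integrations: ISO 8601 strings in and out."""
    def parse(s):
        return datetime.fromisoformat(s) if s else None
    rec = ReportingRecord(kind, parse(aware_iso), parse(notified_iso), parse(mitigation_iso))
    return {name: (when.isoformat() if when else None)
            for name, when in rec.deadlines().items()}


if __name__ == "__main__":
    # Constructed sample: awareness on the first day Article 14 applies.
    rec = ReportingRecord("vulnerability",
                          aware_at=datetime(2026, 9, 11, 9, 30, tzinfo=timezone.utc))
    for name, when in rec.deadlines().items():
        print(f"{name:14} {when}")
    print(rec.next_due(datetime(2026, 9, 11, 18, 0, tzinfo=timezone.utc)))
```

Feed next_due() into your on-call paging so that an early warning approaching its deadline over a weekend pages someone with authority to submit it; the "weekend/holiday coverage" item in the escalation checklist is exactly this case.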

What "Actively Exploited" Means

The CRA defines an actively exploited vulnerability as one for which there is reliable evidence that a malicious actor has exploited it in a system without the permission of the system owner (Article 3(42)). A public proof-of-concept by itself does not meet that bar; evidence of use against a real system does. Sources of such evidence include:

  • Confirmed attacks in the wild, including on your own customers' deployments
  • A proof-of-concept accompanied by evidence that it has been used against a system without permission
  • Credible exploitation reports from security researchers or customers
  • Detection in honeypots or corroborated threat intelligence feeds

Because the 24-hour clock starts when you become aware, triage has to be fast enough to decide within hours whether a report counts as reliable evidence.

Preparing Your Vulnerability Workflow

To meet these strict deadlines, you need robust processes:

Internal Detection

  • Security monitoring on deployed products
  • Bug bounty program responses
  • Internal security testing discoveries

External Sources

  • CVE database alerts
  • Vendor security advisories
  • Customer-reported issues
  • Security researcher disclosures

Escalation Path

  • Define who can trigger the 24-hour early warning and who signs off the 72-hour notification
  • Pre-approve notification templates
  • Establish weekend/holiday coverage
  • Create backup contacts for key personnel

Phase 2 Checklist

PHASE 2 CHECKLIST (September 2026 Active)

ENISA REPORTING:
[ ] Access to the single reporting platform (CSIRT coordinator and ENISA) arranged
[ ] Templates approved and ready
[ ] 24/7 escalation path established
[ ] Legal review of notification process completed

VULNERABILITY MANAGEMENT:
[ ] Active monitoring for all products
[ ] CVE/NVD integration operational
[ ] Internal security advisory process active
[ ] Customer notification templates ready

COORDINATION:
[ ] Security team trained on CRA requirements
[ ] Management escalation procedures documented
[ ] Legal team briefed on reporting obligations
[ ] PR/communications prepared for disclosures

Phase 3: 11 December 2027 - Full Compliance

From 11 December 2027, every product with digital elements placed on the EU market must fully comply with the CRA. This is the hard deadline: non-compliant products cannot be placed on the market after that date, and importers and distributors may not make them available. Products placed on the market before 11 December 2027 are caught only if they are substantially modified afterwards, but the Article 14 reporting obligations apply to them regardless.

Essential Cybersecurity Requirements (Annex I)

Every compliant product must demonstrate:

Security by Design

  • Appropriate security level based on risk assessment
  • Protection against unauthorized access
  • Confidentiality of stored, transmitted, and processed data
  • Integrity of data, commands, and configurations
  • Availability of essential functions

Secure Defaults

  • Products delivered in secure configuration
  • No universal default passwords shared across devices; per-device or user-set credentials at first use
  • Minimal attack surface out of the box
  • Security features enabled by default

Update Capability

  • Secure and reliable update mechanism
  • Separate security updates from feature updates
  • User-controlled update preferences
  • Update verification and rollback capability

Vulnerability Management

  • Process for identifying and documenting vulnerabilities
  • Timely remediation of discovered vulnerabilities
  • Free security updates for support period
  • Coordinated vulnerability disclosure policy

Technical Documentation (Annex VII)

Every product needs a technical file, kept at the disposal of market surveillance authorities for at least 10 years after placing on the market or for the support period, whichever is longer. It includes:

Document                          Purpose
General description               Intended purpose, software versions, user information and markings
Design, development, production   How the product was built and how it is monitored after release
Vulnerability handling processes  Coordinated disclosure policy, update distribution, reporting procedures
Cybersecurity risk assessment     Identifies the risks and maps them to the Annex I requirements applied
Support period determination      How the support period was set (at least 5 years unless the expected use time is shorter)
Standards and specifications      Harmonised standards, common specifications or certification schemes applied, or how Annex I was otherwise met
Test reports                      Evidence from verification of the essential requirements
EU declaration of conformity      A copy of the signed declaration
SBOM                              Machine-readable, covering at least the top-level dependencies

Phase 3 Checklist

PHASE 3 CHECKLIST (December 2027 Deadline)

PRODUCT COMPLIANCE:
[ ] All products meet Annex I requirements
[ ] Conformity assessments completed
[ ] CE marking applied correctly
[ ] EU Declaration of Conformity prepared

TECHNICAL FILE:
[ ] Risk assessment documentation complete
[ ] SBOM current and validated
[ ] Conformity evidence organized
[ ] Support period determined and stated in the user information (at least 5 years unless the expected use time is shorter)

MARKET PLACEMENT:
[ ] Products registered where required
[ ] Importer/distributor chain informed
[ ] Customer-facing documentation updated
[ ] Support infrastructure ready

ONGOING PROCESSES:
[ ] Vulnerability monitoring active
[ ] Update mechanism operational
[ ] Incident response tested
[ ] Annual review scheduled

Product Classification Deep Dive

Your conformity assessment obligations depend on your product classification:

Default Category

Examples: most consumer IoT, general-purpose applications, any product whose core functionality is not listed in Annex III or Annex IV

Assessment: Self-assessment based on internal control (Module A)

  • No third-party involvement required
  • You document compliance internally and sign the EU Declaration of Conformity
  • Most cost-effective path

Important Class I

Examples (Annex III, Class I): identity and privileged access management products, browsers, password managers, malware removal software, VPN products, network management systems, SIEM, boot managers, PKI and certificate issuance software, operating systems, routers and switches, microcontrollers and microprocessors with security-related functions, smart home security products such as locks and cameras

Assessment: Self-assessment is allowed only if you fully apply harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body is required

  • If harmonised standards (or equivalent) exist and you apply them in full: self-assessment
  • Otherwise: EU-type examination with conformity to type, or full quality assurance, through a notified body

Important Class II

Examples (Annex III, Class II): hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers

Assessment: Mandatory third-party assessment; a European cybersecurity certification scheme at assurance level at least "substantial" also satisfies it

  • Must use a notified body (EU-type examination with conformity to type, or full quality assurance)
  • Higher scrutiny and documentation requirements
  • Plan for longer assessment timelines

Critical Category

Examples (Annex IV): hardware devices with security boxes such as HSMs, smart meter gateways and other devices for secure cryptoprocessing, smartcards and secure elements

Assessment: European cybersecurity certification where the Commission has mandated a scheme by delegated act; until then, the Class II notified-body routes apply

  • Most stringent requirements
  • Notified body or certification scheme involvement mandatory
  • Expect 6-12 months for the assessment process

Industry-Specific Guidance

Consumer Electronics Manufacturers

Timeline priority: Focus on SBOM automation first. Consumer products typically have complex supply chains with multiple component vendors.

Key challenge: Managing firmware updates across diverse device populations. Establish OTA update infrastructure early.

Quick win: Start with one product line as a pilot for CRA compliance, then scale processes to your full portfolio.

Software Publishers

Timeline priority: Vulnerability reporting processes are most critical. Software vulnerabilities are discovered more frequently than hardware issues.

Key challenge: Tracking dependencies in modern software stacks with hundreds of transitive dependencies.

Quick win: Integrate SBOM generation into existing CI/CD pipelines. This provides immediate value for security and compliance.

Industrial Equipment Makers

Timeline priority: Product classification and third-party assessment planning. Classification follows the product's core functionality (Article 7), so much industrial equipment is Default class, but components sold in their own right such as industrial routers, switches, firewalls, hypervisors or secure microcontrollers fall under Annex III and need their own conformity route.

Key challenge: Long product lifecycles (10-20 years). The support period must reflect the expected time in use, so 5 years is a floor, not a target, and vulnerability handling has to be funded for the whole period.

Quick win: Document existing security features. Industrial equipment often has security measures that just need formal documentation.

IoT Device Manufacturers

Timeline priority: Secure update mechanisms and default credential elimination.

Key challenge: Resource-constrained devices may struggle with security update requirements.

Quick win: Eliminate shared default passwords immediately. They conflict with the secure-by-default requirement of Annex I and are relatively straightforward to fix.

Common Pitfalls to Avoid

Important: The 11 December 2027 deadline may seem far away, but third-party assessments can take 4-10 months, and notified bodies can only be designated once Chapter IV applies on 11 June 2026. Products requiring notified body involvement need to start NOW.

Starting Too Late

The December 2027 deadline seems far away, but:

  • Technical file preparation takes 6-12 months
  • Third-party assessments can take 4-10 months, longer for Critical products
  • Process changes need time to embed
  • Supply chain updates require coordination

Underestimating SBOM Requirements

The regulation's wording is modest: a machine-readable SBOM covering at least the top-level dependencies, held in the technical documentation rather than shipped to users. Treat that as the floor, not the goal. A top-level-only list cannot answer the question the 24-hour rule will ask (is this exploited component anywhere in our products?), so in practice you need:

  • Complete transitive dependencies, including vendored and statically linked code
  • Accurate version information, ideally a package URL per component
  • A machine-readable format (CycloneDX or SPDX) with a dependency graph, not just a flat list
  • A regenerated SBOM for every release, stored against the build it describes

Ignoring the Support Period

The support period is set by the manufacturer to reflect the expected time in use and must be at least 5 years unless the product is expected to be used for less. Over that period you owe:

  • Security updates, free of charge, for the whole support period
  • Vulnerability handling and Article 14 reporting for the whole support period
  • Each security update kept available for at least 10 years after the product was placed on the market or for the remainder of the support period, whichever is longer
  • Technical documentation and the EU Declaration of Conformity retained for at least 10 years after placing on the market or for the support period, whichever is longer
  • Budget and resource planning to match

How CRA Evidence Helps

CRA Evidence provides a complete platform for managing your CRA compliance journey:

  • SBOM Management: Upload, validate, and maintain SBOMs with TR-03183 quality scoring
  • Vulnerability Tracking: Automatic scanning with ENISA deadline tracking and 24-hour alerts
  • Technical File Export: Generate Annex VII-compliant documentation bundles
  • Compliance Dashboard: Track readiness across your entire product portfolio
  • Audit Trail: Full traceability for conformity assessments and vulnerability responses

The December 2027 deadline may seem distant, but building compliant processes takes time. Start your CRA readiness assessment today.

Classification: Determine your product category with our product classification guide.

SBOM: Build your SBOM infrastructure with our SBOM requirements guide.

Reporting: Learn about the 24-hour rule in our ENISA vulnerability reporting guide.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
