
Tags: security, compliance, eu, cyber-resilience-act, vulnerability-management

EU Cyber Resilience Act Mandatory Vulnerability Reporting Starts in September 2026

Source: Hogan Lovells

The EU Cyber Resilience Act entered into force on 11 December 2024, but its obligations roll out in stages. The first hard deadline affecting day-to-day operations lands on 11 September 2026, when manufacturers of products with digital elements must begin reporting actively exploited vulnerabilities and serious cybersecurity incidents to the European single reporting platform. This applies to any software or hardware product placed on the EU market, from consumer IoT devices to B2B enterprise software and complex industrial systems.

What the September deadline requires

The reporting obligations are precise and carry tight timelines:

  • 24 hours: Submit an initial early warning upon becoming aware of an actively exploited vulnerability or a severe incident impacting the security of a product
  • 72 hours: Provide additional information as it becomes available, including a preliminary assessment of the vulnerability and its severity
  • 14 days: Submit a final vulnerability report after a security update or workaround is made available
  • 1 month: Submit a final incident report with a full description and remediation steps

Reports go to the competent national authority and, in parallel, to ENISA via the single reporting platform. The obligation covers both vulnerabilities your own development team discovers and vulnerabilities disclosed to you by third parties, including through coordinated disclosure programmes.

The scope is broader than most companies realise

The CRA covers every product that contains software or firmware and is connected to a network or another device, including products connected only indirectly. The regulation explicitly lists examples such as smart home devices, network equipment, operating systems, browsers, password managers, VPNs, firewalls, and software development tools. Products sold under a software-as-a-service model are not automatically excluded if they include a locally installed component.

Companies that neither manufacture nor place products on the market themselves, but integrate third-party components into products they sell, must also track the vulnerability status of those components and report incidents affecting the integrated product.

Penalties for non-compliance

Failing to meet the incident and vulnerability reporting obligations can result in fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Non-compliance with the broader essential cybersecurity requirements, which apply fully from December 2027, carries the same maximum of €15 million or 2.5% of turnover. Providing incorrect, incomplete, or misleading information carries fines of up to €5 million or 1% of global turnover.

What to do before September

The 11 September deadline is 102 days away. Organisations that have not yet started CRA preparation should focus on three things immediately.

Map your product portfolio against CRA scope. Determine which products fall under the regulation, whether they are sold in the EU or to customers who may resell into the EU, and which product category they belong to. The CRA distinguishes between default products, important products in two classes, and critical products, each with different conformity assessment requirements from December 2027.

Build a vulnerability response process. The 24-hour initial report window is short. Organisations need a defined process for receiving vulnerability reports, triaging them, escalating to security staff, and triggering the notification workflow. This cannot be improvised in real time. If you receive a coordinated disclosure from an external researcher at 17:00 on a Friday and the product is actively exploited, you have until 17:00 Saturday to file the initial report.

Identify your national competent authority. Each EU member state is designating a national authority to receive CRA reports. The ENISA single reporting platform is also being stood up for cross-border coordination. You need to know which authority to notify and how to access the platform before the obligation starts.
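As an added example (not part of the original article, and not code from Excello Digital or Hogan Lovells), the following Python tracker turns the four reporting clocks listed above and the Friday 17:00 scenario from the response-process step into something an on-call team can actually run against a ticket. The names `ReportClock`, `add_months`, `cet` and the stage labels are this example's own. It assumes a fixed CET offset for the sample times, treats the page's "1 month" as one calendar month counted from the moment of awareness (adjust the anchor to your counsel's reading of the regulation), and starts the 14-day final vulnerability report clock only once a fix or workaround is available, as the list states.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Reporting clocks as summarised on this page: 24 h / 72 h / 14 days / 1 month.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_VULN_AFTER_FIX = timedelta(days=14)

# Fixed CET offset used for the constructed sample times (no DST handling).
CET = timezone(timedelta(hours=1))


def cet(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware CET timestamp for the examples and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=CET)


def add_months(moment: datetime, months: int = 1) -> datetime:
    """Advance by whole calendar months, clamping the day (31 Jan -> 28/29 Feb)."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class ReportClock:
    """Tracks the reporting stages for one actively exploited vulnerability or one incident."""
    kind: str                                    # "vulnerability" or "incident"
    aware_at: datetime                           # moment the manufacturer became aware
    fix_available_at: Optional[datetime] = None  # set when a patch or workaround ships
    submitted: Dict[str, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware; naive times drift across zones")
        if self.kind not in ("vulnerability", "incident"):
            raise ValueError("kind must be 'vulnerability' or 'incident'")

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        due: Dict[str, Optional[datetime]] = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "notification": self.aware_at + NOTIFICATION,
        }
        if self.kind == "vulnerability":
            # The final report clock only starts once a fix or workaround exists.
            due["final_report"] = (self.fix_available_at + FINAL_VULN_AFTER_FIX
                                   if self.fix_available_at else None)
        else:
            # Assumption: the page's "1 month" is counted here from awareness.
            due["final_report"] = add_months(self.aware_at, 1)
        return due

    def record(self, stage: str, when: datetime) -> None:
        """Log the time a stage was actually filed with the authority."""
        if stage not in self.deadlines():
            raise KeyError(f"unknown stage {stage!r}")
        self.submitted[stage] = when

    def status(self, now: datetime) -> Dict[str, str]:
        """Per stage: submitted, late (filed after due), overdue, pending, or not_started."""
        out: Dict[str, str] = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if due is None:
                out[stage] = "not_started"
            elif sent is not None:
                out[stage] = "submitted" if sent <= due else "late"
            elif now > due:
                out[stage] = "overdue"
            else:
                out[stage] = "pending"
        return out

    def next_due(self) -> Optional[str]:
        """Earliest stage with a running clock that has not been filed yet."""
        open_stages = [(due, stage) for stage, due in self.deadlines().items()
                       if due is not None and stage not in self.submitted]
        return min(open_stages)[1] if open_stages else None


if __name__ == "__main__":
    # Constructed scenario from the article: disclosure arrives Friday 17:00.
    clock = ReportClock("vulnerability", cet(2026, 9, 11, 17, 0))
    for stage, due in clock.deadlines().items():
        print(f"{stage:14s} {due}")
    print(clock.status(cet(2026, 9, 13, 9, 0)), "next:", clock.next_due())
```

Wiring `status()` into the ticketing system's escalation (page the on-call lead when any stage is `overdue`) is the practical use; the `late` state matters because the report must still be filed, but the delay itself may need to be explained to the authority.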

If you want to assess your CRA readiness, map your product portfolio against the regulation’s scope, or design a vulnerability response and reporting process before September, contact Excello Digital. We work with software and hardware vendors across Europe to translate regulatory obligations into operational procedures that can actually be executed under pressure.
