The reporting obligations under the Cyber Resilience Act (CRA) will begin applying on 11 September 2026, marking the first operational milestone of the EU's product cybersecurity regulation. From that date, manufacturers of products with digital elements — a category that spans connected hardware, software, and their remote data processing components — must report actively exploited vulnerabilities to the designated national Computer Security Incident Response Teams (CSIRTs) and to ENISA.
The reporting structure follows a tiered timeline that will be familiar to organisations already operating under NIS2. Manufacturers must submit an early warning within 24 hours of becoming aware that a vulnerability in their product is being actively exploited, followed by a vulnerability notification within 72 hours providing technical detail and an initial assessment of severity. A final report is due within 14 days, setting out the root cause, remediation measures, and any remaining exposure. The framework was formalised through Delegated Regulation 2026/881, published in the Official Journal on 20 April 2026.
The CRA's reporting obligations are distinct from — but will frequently overlap with — those under the GDPR and NIS2. A vulnerability that is actively exploited to access personal data may simultaneously trigger CRA reporting (to CSIRTs and ENISA), NIS2 incident notification (to competent authorities), and GDPR breach notification (to supervisory authorities and, where applicable, data subjects). Organisations that manufacture or distribute connected products will need to ensure that their incident response procedures can handle concurrent reporting across multiple regulatory frameworks without contradiction or delay.
Full compliance with the CRA's broader requirements — including conformity assessments, technical documentation, and vulnerability handling processes — is required by December 2027. However, the September 2026 reporting obligation is not contingent on those later requirements and applies independently.
Acompli perspective: September 2026 is four months away, and the CRA reporting clock starts regardless of whether organisations have completed their broader compliance programmes. The immediate priority is to ensure that vulnerability monitoring and incident response procedures are in place and tested. For organisations that also fall within scope of the GDPR and NIS2, the challenge is coordination: one incident, three reporting regimes, three sets of timelines and recipients. A structured risk management framework that maps obligations to incident types — and records of processing that identify which products process personal data — will be essential for avoiding gaps and contradictions when reporting under pressure.