
How does the 2026 Cyber Resilience Act affect software manufacturers?

What are the mandatory vulnerability reporting requirements for EU devices?

Manufacturers placing products on the EU market must prepare now for the Cyber Resilience Act (CRA): mandatory reporting of actively exploited vulnerabilities and severe incidents begins on September 11, 2026. The following guide outlines your obligations, the critical deadlines, and the compliance steps needed to meet this new legal framework.

The Cyber Resilience Act (CRA) Legal Framework

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) establishes horizontal cybersecurity requirements for products with digital elements sold within the EU. The regulation obliges manufacturers to ensure security throughout a product's entire lifecycle, from design through the support period to end-of-life. The law entered into force in December 2024, starting a transition period that requires immediate attention from compliance teams.

The CRA applies broadly to any product whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This definition covers networked hardware such as smartphones, firewalls, and industrial control systems, as well as standalone software such as mobile apps and games. Notably, free and open-source software developed or supplied outside a commercial activity remains exempt from these requirements.

Critical Compliance Deadlines

Implementation occurs in phases, with two dates demanding your focus. The most pressing deadline is September 11, 2026, when the obligation to report actively exploited vulnerabilities and severe incidents begins. Following this, manufacturers must meet all CRA requirements, including conformity assessment, CE marking, and the lifecycle vulnerability-handling obligations, by December 11, 2027.

To make this workable, the CRA provisions on conformity assessment bodies (CABs) apply from June 11, 2026, so that notified bodies can be designated and begin work. These accredited, independent bodies carry out third-party conformity assessment, allowing manufacturers of products that require external assessment to complete it before the final enforcement date rather than queueing for it in late 2027.

Mandatory Reporting Protocols

Starting September 11, 2026, you must report security problems to the authorities rapidly. The EU Agency for Cybersecurity (ENISA) is building a Single Reporting Platform (SRP) through which submissions reach ENISA and the CSIRT designated as coordinator for your member state. Manufacturers must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, followed by a more detailed notification within 72 hours. A final report is also required: for a vulnerability, within 14 days after a corrective or mitigating measure is available; for a severe incident, within one month after the 72-hour notification.

This reporting duty applies to every manufacturer of a product with digital elements placed on the EU market, hardware and software alike. Because the clock starts when the manufacturer becomes aware, internal processes for detecting, triaging, and documenting exploitation and incidents must be operational well before the deadline, or the 24-hour window will be spent deciding who owns the report rather than writing it.

Strategic Preparation and Software Bills of Materials (SBOM)

Compliance requires a granular understanding of your software supply chain. Your team must generate a Software Bill of Materials (SBOM) for every product with digital elements. The CRA requires it in a commonly used, machine-readable format (CycloneDX and SPDX are the usual choices) covering at least the top-level dependencies; in practice you want the full tree, with every component identified by name, exact version, supplier, and a package identifier such as a purl, so that it can be matched against advisories automatically.

Current assessments show that many manufacturer SBOMs lack the context needed to act on vulnerabilities (no exploitability or reachability analysis) or rely on incomplete data passed down from suppliers. An SBOM with missing versions, unidentified components, or no dependency relationships cannot support the CRA's vulnerability-handling obligations. Identifying affected components early lets your development team remediate flaws before exploitation in the wild turns them into a mandatory report.
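The following Python script is an added example, not code from the original page or from any regulator or tool the page mentions. It checks a CycloneDX JSON SBOM for the gaps the preceding paragraph describes: components without a version, a package URL or a supplier; components missing from, or unreachable in, the dependency graph; and vulnerability (VEX) entries that point at unknown components or carry no analysis state. The sample SBOM, the component names, and the EXAMPLE-* vulnerability identifiers are all constructed for illustration and are not real advisories.

```python
"""Completeness check for a CycloneDX JSON SBOM (added example, not page code)."""
import json
import re

# Constructed sample: c1 is complete; c2 lacks a version; c3 lacks a purl and a
# supplier and is absent from the dependency graph; the second vulnerability
# entry points at a component that does not exist and carries no analysis.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "component": {"bom-ref": "app", "type": "application",
                      "name": "gateway-fw", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": "c1", "type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "supplier": {"name": "OpenSSL"}},
        {"bom-ref": "c2", "type": "library", "name": "zlib",
         "purl": "pkg:generic/zlib", "supplier": {"name": "zlib"}},
        {"bom-ref": "c3", "type": "library", "name": "vendor-blob", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2"]},
        {"ref": "c1", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-2026-0001", "affects": [{"ref": "c1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-2026-0002", "affects": [{"ref": "c9"}]},
    ],
})

# A package URL must carry at least type/name@version to be matched against advisories.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@]+@.+")


def check_sbom(sbom_text):
    """Return (bom-ref, finding) pairs; an empty list means the SBOM is usable."""
    sbom = json.loads(sbom_text)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        return [("<document>", "not a CycloneDX document")]
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append(("<document>", "missing metadata.timestamp"))
    root = meta.get("component", {}).get("bom-ref")
    components = sbom.get("components", [])
    refs = {c["bom-ref"] for c in components if c.get("bom-ref")}

    # Per-component identification: without these, advisory matching is guesswork.
    for c in components:
        ref = c.get("bom-ref") or c.get("name", "?")
        if not c.get("version"):
            findings.append((ref, "missing version: cannot match advisories"))
        purl = c.get("purl")
        if not purl:
            findings.append((ref, "missing purl: no machine-readable identifier"))
        elif not PURL_RE.match(purl):
            findings.append((ref, "purl has no version qualifier"))
        if not c.get("supplier", {}).get("name"):
            findings.append((ref, "missing supplier"))

    # Dependency graph: every component needs an entry and must be reachable.
    deps = sbom.get("dependencies", [])
    declared = {d.get("ref") for d in deps}
    depended = set()
    for d in deps:
        depended.update(d.get("dependsOn", []))
    if root and root not in declared:
        findings.append((root, "root component has no dependency entry"))
    for ref in sorted(refs - declared):
        findings.append((ref, "no dependency entry: its dependencies are unknown"))
    for ref in sorted(refs - depended):
        findings.append((ref, "unreachable from the product's dependency graph"))

    # Vulnerability context (VEX): each entry must point at a real component
    # and state whether the product is actually affected.
    for v in sbom.get("vulnerabilities", []):
        vid = v.get("id", "?")
        for a in v.get("affects", []):
            if a.get("ref") not in refs | {root}:
                findings.append((vid, f"affects unknown ref {a.get('ref')}"))
        if not v.get("analysis", {}).get("state"):
            findings.append((vid, "no analysis state: exploitability unknown"))
    return findings


def incomplete_refs(sbom_text):
    """Set of bom-refs / vulnerability ids that would block vulnerability matching."""
    return {ref for ref, _ in check_sbom(sbom_text)}


if __name__ == "__main__":
    for ref, finding in check_sbom(SAMPLE_SBOM):
        print(f"{ref}: {finding}")
```

Run it on the constructed sample and the complete component (c1) produces no findings, while c2, c3 and the second vulnerability entry are each flagged. The CRA itself only mandates top-level dependencies in a machine-readable format; the dependency-graph and VEX checks here are the extra context the paragraph says most supplier SBOMs lack, and they are what lets a vulnerability feed be turned into a reachability decision rather than a list of component names.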

Conformity Assessments and Automation

For roughly 90% of products with digital elements, a manufacturer's self-assessment and EU declaration of conformity suffice. The declaration affirms that your product meets the CRA's essential requirements and is backed by technical documentation that includes a cybersecurity risk assessment. The CRA does not use the terms "critical" and "highly critical" products; it distinguishes "important" products (Annex III, Class I and Class II) from "critical" products (Annex IV). Class II important products, such as firewalls and hypervisors, and critical products, such as smart meter gateways and secure elements, require third-party conformity assessment by a CAB; Class I products may still self-assess if they apply harmonised standards.

Meeting these standards demands automation. Manual documentation cannot keep up with the requirement to implement, evaluate, and verify security measures across a product's lifecycle, including every security update shipped during the support period. Manufacturers should integrate security-by-design practices, automated risk and vulnerability management, and continuous update pipelines now, so that the evidence the CRA requires is generated as a by-product of engineering rather than assembled by hand before each deadline.