1.3 Deadlines & Timelines
CRA Timeline
The Cyber Resilience Act (Regulation (EU) 2024/2847) was published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024.
Critical Deadlines
| Date | Requirement | Status |
|---|---|---|
| 10.12.2024 | Entry into force of the CRA | Completed |
| 11.06.2026 | Conformity assessment bodies must be designated | Preparation |
| 11.09.2026 | Reporting obligations take effect – Art. 14 CRA (actively exploited vulnerabilities, severe incidents) | ACTION REQUIRED |
| 11.12.2027 | Full applicability – all requirements incl. conformity assessment, CE marking, technical documentation | ACTION REQUIRED |
REPORTING OBLIGATION FROM 11.09.2026
From 11 September 2026, actively exploited vulnerabilities must be reported to ENISA / the competent national authority within 24 hours. The incident response process must be fully operational by this date.
Detailed Timeline
Phase 1: Preparation (until 11.06.2026)
- Create product catalogue and carry out CRA classification
- Establish and validate SBOM processes
- Create and test incident response playbook
- Prepare ENISA notification templates
- Implement CVE monitoring workflows
Phase 2: Reporting Obligations (from 11.09.2026)
- Reporting processes must be operational
- Utilise ENISA Single Reporting Platform (SRP)
- 24h early warning for actively exploited vulnerabilities
- 72h notification with detailed assessment
- 14d final report
Phase 3: Full Conformity (from 11.12.2027)
- Technical documentation in accordance with Annex VII complete
- EU declaration of conformity (Annex V) per product
- CE marking
- Conformity assessment carried out
- Support period declared and published
- SBOM available for every shipped product
- User information provided in accordance with Annex II
NIS2 Timeline
| Date | Requirement |
|---|---|
| 17.10.2024 | NIS2 transposition deadline for Member States |
| Ongoing | Reporting obligations pursuant to Art. 23 NIS2 for significant security incidents |
Internal Implementation Timeline
| Quarter | Measures |
|---|---|
| Q1 2026 | Build compliance documentation, validate SBOM processes |
| Q2 2026 | Test incident response playbook, finalise ENISA notification templates |
| Q3 2026 | Reporting obligations operational (Deadline: 11.09.2026) |
| Q4 2026 | Begin technical documentation per product |
| Q1-Q2 2027 | Prepare conformity assessment, create EU DoC |
| Q3 2027 | Trial run conformity assessment, prepare CE marking |
| Q4 2027 | Full conformity (Deadline: 11.12.2027) |