Key deadlines and reporting requirements for the EU Cyber Resilience Act (CRA)
Jun 12, 2026 | 1 min read
Subscribe to the blog newsletter
Get answers from the Community
Key deadlines
September 11, 2026
CRA enforcement begins
Starting September 11, 2026, manufacturers, importers, and distributors must notify ENISA and designated national CSIRTs of actively exploited vulnerabilities and severe security incidents. Here’s what needs to be in place by September 11, 2026.
- Vulnerability monitoring and processes aligned with Article 14
- SBOM-driven visibility
- Reporting workflows and timelines
- Disclosure and update processes
Important vulnerability reporting timelines
Reporting timelines are triggered the moment you become aware of an actively exploited vulnerability or severe security incident.
24 hours: File an early warning with ENISA and national
72 hours: Submit triage report including a resolution path
14 days: Submit final report after remediation is available
December 11, 2027
Full EU CRA product conformity required
Three additional obligations come due in 2027.
- CE marking
- Full conformity assessment
- Harmonized standard compliance
How Black Duck can help
Black Duck provides tools designed to meet the stringent requirements of the CRA.
- Black Duck® SCA identifies third-party risk and clearly indicates when a vulnerability in the EUVD is exploitable, allowing companies to meet their 24-hour reporting requirements.
- Coverity® Static Analysis identifies first-party risks that could become third-party risks if not properly addressed prior to shipping a product with digital elements to a customer within a supply chain.
- Defensics® Fuzzing identifies first- and third-party risk associated with cyber-physical devices, assemblies and subassemblies, and spare parts.
By helping teams identify open source and third-party components, track vulnerabilities, and establish repeatable processes for managing software risk, Black Duck supports the foundational practices needed to meet CRA vulnerability management and reporting obligations.
Continue Reading
Polaris release update: Streamlined workflows, stronger governance, smarter detection
Apr 14, 2026 | 8 min read
Decoding AI-enabled dev: Top concerns, hidden benefits, and smart investment strategies
Mar 31, 2026 | 4 min read
Navigating the AI frontier: Risks, benefits, and uncharted territory in code development
Jan 22, 2026 | 3 min read
Bridging the divide: Why friction between dev and security persists (and how to fix it)
Dec 16, 2025 | 4 min read
