Is Your Organization Ready for the EU Cyber Resilience Act?

EU CRA Vulnerability Reporting Checklist

The EU Cyber Resilience Act (CRA) is changing the game for software and hardware products sold in the EU. Starting September 11, 2026, manufacturers, importers, and distributors must report actively exploited vulnerabilities and severe security incidents to ENISA and recognized national CSIRTs or face significant penalties. From security by design to vulnerability handling and ongoing maintenance, CRA reporting requirements cover obligations across the entire product life cycle.

Our checklist navigates the requirements and deadlines to help you prepare with confidence.

Download the report now

Download the checklist to learn

  • The mandatory reporting timelines for exploited vulnerabilities and severe security incidents
  • The requirements for Software Bill of Materials generation and management
  • The vulnerability monitoring criteria and key documentation and reporting practices
  • How Black Duck solutions can help you maintain CRA compliance

 

EU CRA Vulnerability Reporting Checklist: Sept '26 Obligations thumbnail