EU CRA milestones — 11 June 2026 CAB notification, 11 September 2026 Article 14 reporting obligations

Two CRA enforcement milestones fall within the next 120 days. Chapter IV provisions on notification of Conformity Assessment Bodies (CABs) become applicable on 11 June 2026 — manufacturers seeking CRA conformity certification for critical digital products will be able to use designated CABs from that date, and Member States must have designated notifying authorities by then. Article 14 reporting obligations (manufacturers reporting actively-exploited vulnerabilities and severe security incidents to national CSIRTs within 24 hours, with a 72-hour notification for the incident report) apply from 11 September 2026. First standardisation deliverables (horizontal and product-specific standards) are expected Q3 2026. The Q4 2026 delegated act on EUCC presumption of conformity with CRA requirements is pending. Full application of CRA is 11 December 2027 (EC CRA implementation factpage).

Per W2 horizon research, Delegated Regulation (EU) 2026/881 on delayed dissemination of sensitive notifications was published in April 2026 and specifies the circumstances under which a CSIRT may delay public disclosure of a vulnerability notification on cybersecurity grounds — the underlying delegated act is referenced from the EC implementation factpage above but not separately re-fetched in this run; defenders relying on the exact text should consult the EUR-Lex publication. Swiss product manufacturers supplying EU markets and operators of digital infrastructure procuring connected products need to verify their supply chain for CRA-scope products before September 2026; Swiss public-sector procurement frameworks should explicitly verify CRA-conformity attestation for connected products at acquisition.