EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations [SINGLE-SOURCE]

The Cyber Resilience Act reaches its first hard operational milestones. By 11 June 2026 (Chapter IV entry into application) member states must designate the national notifying authorities that assess and register conformity-assessment bodies for products with digital elements in the "important" and "critical" classes; until enough CABs are notified into NANDO (expected through December 2026), third-party conformity assessment cannot proceed at scale. From 11 September 2026 the Article 14 reporting obligations begin — manufacturers must report actively-exploited vulnerabilities and severe incidents via the ENISA Single Reporting Platform. For public-sector procurement teams this is a near-term planning input: factor CRA conformity status into product-selection criteria now, because the certification pipeline it depends on is only just being stood up.