EU Cyber Resilience Act — 75 days to the 11 September vulnerability/incident-reporting obligation

CRA Article 28 (conformity-body notification) entered force on 11 June 2026; the next binding milestone — mandatory vulnerability/incident reporting by manufacturers to ENISA's Single Reporting Platform — activates 11 September 2026, now ~75 days out (ENISA SRP). ENISA has not yet published a dry-run schedule, stating guidance is due June–August (Crowell & Moring). For Swiss readers the practical action is procurement-side: Swiss manufacturers selling digital products into the EU fall in scope, and Swiss public-sector procurement teams should add CRA compliance attestations to vendor specs and confirm in-scope suppliers can meet the 24/72-hour SRP reporting flow before it binds.