ctipilot.ch

EU Cyber Resilience Act

policy · policy:eu-cyber-resilience-act single-sourcesingle-source-national-cert

EU product-security regulation; first hard deadline (designation of notifying authorities) fell on 11 June 2026, with the CRA Single Reporting Platform following on 11 September 2026. Tracked for its direct compliance impact on European software and hardware vendors.

Aliases: CRA

Coverage timeline
4
first 2026-05-09 → last 2026-06-29
Peak priority
notable
4 notable
Sources cited
4
3 hosts
Sections touched
3
active-threats, research, weekly-policy
Co-occurring entities
2
see Related entities below

Story timeline

  1. 2026-06-29EU Cyber Resilience Act — 75 days to the 11 September vulnerability/incident-reporting obligation
    weekly-policy
  2. 2026-06-10EU Cyber Resilience Act reaches its first hard deadline — notifying-authority designation due 11 June
    active-threats
  3. 2026-05-25EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations
    weekly-policy
  4. 2026-05-09ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities
    research

Where this entity is cited

  • weekly-policy2
  • research1
  • active-threats1

Source distribution

  • enisa.europa.eu2 (50%)
  • crowell.com1 (25%)
  • digital-strategy.ec.europa.eu1 (25%)

Related entities

Entries about EU Cyber Resilience Act (4)

2026-06-29 · view entry permalink →

NOTABLE

EU Cyber Resilience Act — 75 days to the 11 September vulnerability/incident-reporting obligation

CRA Article 28 (conformity-body notification) entered force on 11 June 2026; the next binding milestone — mandatory vulnerability/incident reporting by manufacturers to ENISA's Single Reporting Platform — activates 11 September 2026, now ~75 days out (ENISA SRP). ENISA has not yet published a dry-run schedule, stating guidance is due June–August (Crowell & Moring). For Swiss readers the practical action is procurement-side: Swiss manufacturers selling digital products into the EU fall in scope, and Swiss public-sector procurement teams should add CRA compliance attestations to vendor specs and confirm in-scope suppliers can meet the 24/72-hour SRP reporting flow before it binds.

policy29 Jun 00:21Zmulti-sourceOpen finding ↗

2026-06-10 · view entry permalink →

NOTABLE

EU Cyber Resilience Act reaches its first hard deadline — notifying-authority designation due 11 June

UPDATE (originally covered 2026-W23 weekly): 11 June 2026 is the CRA's first mandatory operational milestone: under Chapter IV, member states must have designated the national authority responsible for notifying conformity-assessment bodies (CABs) for higher-risk product classes (European Commission, 2026-06-10). This is the upstream gate for the September 2026 incident-reporting obligations (Article 14) and full CRA applicability in December 2027; manufacturers of Class II/III products can now begin engaging notified CABs.

No Commission communiqué naming specific member-state designations had been published as of this brief — the confirmed fact is the regulatory deadline itself. Public-sector procurement of connected devices is directly downstream of this milestone. [SINGLE-SOURCE]

threat10 Jun 05:00Zsingle-sourceOpen finding ↗

2026-05-25 · view entry permalink →

NOTABLE

EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations

The Cyber Resilience Act reaches its first hard operational milestones. By 11 June 2026 (Chapter IV entry into application) member states must designate the national notifying authorities that assess and register conformity-assessment bodies for products with digital elements in the "important" and "critical" classes; until enough CABs are notified into NANDO (expected through December 2026), third-party conformity assessment cannot proceed at scale. From 11 September 2026 the Article 14 reporting obligations begin — manufacturers must report actively-exploited vulnerabilities and severe incidents via the ENISA Single Reporting Platform. For public-sector procurement teams this is a near-term planning input: factor CRA conformity status into product-selection criteria now, because the certification pipeline it depends on is only just being stood up.

policy25 May 05:00Zsingle-sourceOpen finding ↗

Earlier coverage (1)