EU Cyber Resilience Act: 24-Hour Vulnerability Clock Starts September 11 for IoT Vendors

ENISA Single Reporting Platform onboards this month as 66% of manufacturers remain unprepared


Every company selling a networked device, connected component, or software product into the European Union faces a binding new deadline: beginning September 11, 2026, manufacturers must file an early warning with EU cybersecurity authorities within 24 hours of detecting an actively exploited vulnerability in any product on the EU market. Today, June 11, marks the first formal milestone in the CRA's phased rollout — the date on which national authorities were required to designate conformity assessment bodies under the law's Chapter IV — and the window to complete the internal pipeline work that makes 24-hour compliance possible is now measured in weeks, not months.

The regulation driving this change is the EU Cyber Resilience Act (Regulation (EU) 2024/2847), which entered into force on December 10, 2024, and covers virtually any hardware or software product that connects directly or indirectly to a device or network. Consumer smart speakers, home routers, industrial control systems, enterprise software suites, and connected vehicle telematics units are all in scope. Non-compliance can result in product withdrawal from the EU's 450-million-person single market and financial penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher.

The most immediate challenge for vendors is not what the regulation requires — the requirements are now clearly documented — but whether the internal engineering, legal, and security operations infrastructure exists to meet a 24-hour notification clock that starts the moment an organization becomes aware of an exploitation, not when it has confirmed or analyzed it.

CRA Vulnerability Reporting: What the 24-Hour Pipeline Requires

Under Article 14 of the CRA, manufacturers must submit notifications through the ENISA Single Reporting Platform (SRP), a centralized EU web portal that routes each submission simultaneously to the national Computer Security Incident Response Team (CSIRT) of the manufacturer's main EU establishment and to ENISA itself. Manufacturers submit once; the SRP handles cross-border routing, automatically disseminating the notification to CSIRTs in every member state where the affected product is available.

The reporting timeline follows a three-stage ladder. The 24-hour early warning contains preliminary information on the affected product, the nature of the vulnerability, and potential impact — submitted the moment the manufacturer becomes aware of active exploitation. The 72-hour full notification adds more detailed technical information as it becomes available, including an expanded impact assessment and initial remediation plan. The 14-day final report, required for actively exploited vulnerabilities, delivers comprehensive root cause analysis, implemented mitigations, and planned security updates. Severe incidents receive a 30-day window for the final report.

The platform is not yet operational for mandatory reporting, but ENISA has confirmed it will be live by September 11, 2026 and that registration instructions, training materials, and dry-run support will be provided during June 2026 — making this month the practical onboarding window. Critically, ENISA has confirmed that no API will be provided at the platform's launch: initial mandatory reporting will require manual submission through the web portal, not automated pipeline integration.

That constraint matters because of how the 24-hour clock actually works. It starts at the moment of awareness — not at the point of confirmed exploitation or completed triage. A customer support ticket describing behavior consistent with a known vulnerability, or an alert from a threat intelligence feed flagging exploitation in the wild, can legally begin the reporting countdown before an internal security team has had time to verify the claim. For organizations without automated Software Bill of Materials (SBOM) monitoring correlated against live vulnerability feeds — specifically the European Vulnerability Database launched by ENISA in May 2025 under the NIS2 Directive, or the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog — meeting that clock in practice is structurally unlikely.

Who Is in Scope Under EU Cyber Resilience Act Compliance Rules

The CRA's reach is deliberately global. The regulation covers any product with digital elements — defined as hardware or software whose intended and foreseeable use includes direct or indirect connection to a device or network — made available on the EU market, regardless of where the manufacturer is headquartered or where the product is manufactured. A US company selling a smart home router in Germany, a South Korean chip manufacturer whose components are integrated into EU-market devices, and a Canadian software vendor whose enterprise security tool is licensed to European businesses are all subject to the same September 11 reporting obligation.

The categories covered are broad: consumer IoT devices including smart speakers, cameras, wearables, and home routers; connected vehicle telematics and in-vehicle software; industrial control systems with network interfaces; enterprise software including productivity suites and on-premises security tools; and embedded software shipped as part of larger systems. Open-source software developed entirely outside commercial contexts is carved out, but companies that commercialize or maintain open-source components as part of a product are generally treated as manufacturers for CRA purposes — a distinction clarified in draft guidance the European Commission published for stakeholder feedback in March 2026.

The motivation for this breadth is well-documented in the threat landscape. Forescout's 2026 Riskiest Connected Devices research found that routers and switches now average nearly 32 vulnerabilities per device and account for roughly one-third of the most critical vulnerabilities in enterprise networks. The Aisuru botnet, first identified in late 2024 and tracked through 2025, grew to launch distributed denial-of-service attacks exceeding 29.7 terabits per second sourced from an estimated 300,000 to 700,000 compromised consumer routers, digital video recorders, and IP cameras — devices that reached that scale because their manufacturers had no legal obligation to report or remediate the unpatched vulnerabilities being exploited.

Cybersecurity Experts' Unresolved Concerns About 24-Hour Disclosure

The 24-hour notification window was never uncontroversial. In October 2023, a coalition letter signed by representatives of Google, the Electronic Frontier Foundation, ESET, Rapid7, Bugcrowd, Trend Micro, the CyberPeace Institute, and European Digital Rights warned EU policymakers that requiring disclosure of unpatched vulnerabilities to government agencies within 24 hours of exploitation was counterproductive and would create real-time databases of software with unmitigated vulnerabilities in the possession of potentially dozens of government agencies.

Katie Moussouris, CEO of Luta Security and a widely cited expert on vulnerability disclosure policy, warned that governments do not possess the expertise to develop fixes for vulnerabilities themselves, and that mandatory premature reporting would interfere with the coordinated remediation process that typically requires weeks or months to complete safely. The concern was structural: traditional coordinated vulnerability disclosure practices require a suppression window of 60 to 120 days before public disclosure, so that vendors can develop, test, and deploy patches before attackers can use the disclosure to target unpatched systems. A 24-hour government notification requirement runs concurrently with that window, meaning the information exists in government systems long before a patch is available.

The European Commission's response to these concerns was partial rather than complete. The final CRA text retained the 24-hour window but added a mechanism under Article 14(9) by which CSIRTs may, in exceptional circumstances and on cybersecurity-related grounds, delay the dissemination of notifications to other member states. A delegated act specifying the terms and conditions for applying that delay was adopted on December 11, 2025. The EFF's position is that this withholding provision, while an improvement, does not eliminate the fundamental risk of government agencies accumulating unpatched vulnerability information that could be misused for surveillance or offensive purposes.

ENISA Single Reporting Platform: What Vendors Must Build Now

With 92 days until the September 11 deadline, compliance professionals and security operations teams point to a specific set of pre-work tasks that cannot be left to September.

Product inventory and scope determination. Every organization selling products into the EU must have a current, complete map of which products qualify as products with digital elements under the CRA definition. Scope ambiguity is not a defense against enforcement.

SBOM generation in machine-readable format. The CRA requires a Software Bill of Materials for every in-scope product, in standardized machine-readable formats — specifically CycloneDX or SPDX. The SBOM is not just a compliance document: it is the mechanism that makes 24-hour vulnerability detection possible. When a new CVE appears in a widely used library, an up-to-date SBOM correlated against the European Vulnerability Database or the CISA Known Exploited Vulnerabilities catalog can identify affected products within hours. Without an automated SBOM-based monitoring system, manual triage cannot reliably complete within the 24-hour awareness-to-submission window.

Detection and triage pipeline construction. The internal workflow must connect vulnerability intelligence feeds, product asset inventory, and an escalation path to a designated reporting officer with pre-configured SRP credentials. The 24-hour clock is unforgiving: ENISA can detect a missed initial notification in real time when a CSIRT in another country files a report on the same vulnerability before the manufacturer does.

SRP registration and dry-run practice. ENISA's registration and onboarding materials are being published this month. Organizations should register as early as possible and run tabletop exercises simulating a live exploited-vulnerability scenario before September, not after the first real incident arrives.

Cross-jurisdictional playbook alignment. For companies operating in both the US and EU markets, the CRA's 24-hour notification obligation and CISA's remediation timelines operate under different frameworks, different granularity requirements, and different regulatory recipients. Legal, communications, and security teams need agreed disclosure playbooks that satisfy both regimes simultaneously without inadvertently triggering a conflict — for instance, a situation where disclosing to ENISA before a patch is ready complicates a coordinated remediation process involving US authorities.
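The SBOM-correlation and triage-pipeline tasks above, together with the three-stage Article 14 ladder described earlier, can be shown end to end in code. The following is an added example, not code from the article, from ENISA or from any vendor: a CycloneDX-style SBOM is matched against a feed of actively exploited vulnerabilities, and every hit is stamped with the 24-hour, 72-hour and 14-day deadlines counted from the moment the match was first seen. The SBOM contents, the feed layout, the product and component names and the CVE-PLACEHOLDER identifiers are all constructed assumptions; the feed shape is not the EUVD or KEV schema.

```python
"""
Added example (not from the article, ENISA or any vendor): correlate a
CycloneDX SBOM against an exploited-vulnerability feed and derive the CRA
Article 14 reporting ladder from the awareness timestamp.
All product names, component names, versions and CVE ids below are
constructed sample data; the feed layout is an assumption.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM for one hypothetical router firmware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-router-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.4.2"},
        {"type": "library", "name": "example-httpd", "version": "2.0.9"},
    ],
})

# Constructed feed of actively exploited vulnerabilities (CVE ids are placeholders).
SAMPLE_FEED = [
    {"cve": "CVE-PLACEHOLDER-0001", "package": "libexample-tls",
     "affected": ["1.4.0", "1.4.1", "1.4.2"]},
    {"cve": "CVE-PLACEHOLDER-0002", "package": "other-lib", "affected": ["9.9.9"]},
]

# Article 14 ladder for an actively exploited vulnerability, counted from awareness.
LADDER = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}


@dataclass(frozen=True)
class Match:
    product: str
    product_version: str
    component: str
    component_version: str
    cve: str


def parse_sbom(sbom_json: str) -> tuple[str, str, list[tuple[str, str]]]:
    """Return (product name, product version, [(component, version), ...])."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    meta = bom["metadata"]["component"]
    components = [(c["name"], c["version"]) for c in bom.get("components", [])]
    return meta["name"], meta["version"], components


def correlate(sbom_json: str, feed: list[dict]) -> list[Match]:
    """Return one Match per (component, CVE) pair that the feed flags as exploited."""
    product, product_version, components = parse_sbom(sbom_json)
    by_package: dict[str, list[dict]] = {}
    for entry in feed:
        by_package.setdefault(entry["package"], []).append(entry)
    matches = []
    for name, version in components:
        for entry in by_package.get(name, []):
            # Exact version match keeps the example short; a production pipeline
            # needs range-aware comparison (e.g. "< 1.4.3") and purl normalisation.
            if version in entry["affected"]:
                matches.append(Match(product, product_version, name, version, entry["cve"]))
    return matches


def reporting_deadlines(aware_at_iso: str) -> dict[str, str]:
    """ISO 8601 deadline per stage, counted from the awareness timestamp.

    The clock starts when the match is first seen, not after triage confirms it.
    """
    aware_at = datetime.fromisoformat(aware_at_iso)
    if aware_at.tzinfo is None:
        raise ValueError("awareness timestamp must carry a timezone")
    return {stage: (aware_at + delta).isoformat() for stage, delta in LADDER.items()}


def hours_remaining(aware_at_iso: str, now_iso: str, stage: str = "early_warning") -> float:
    """Hours left until the given stage is due; negative means it is already overdue."""
    due = datetime.fromisoformat(reporting_deadlines(aware_at_iso)[stage])
    return (due - datetime.fromisoformat(now_iso)).total_seconds() / 3600


def early_warning(match: Match, aware_at_iso: str) -> dict:
    """Preliminary record for the 24-hour early warning: affected product,
    vulnerability identifier, and the follow-up deadlines."""
    return {
        "product": f"{match.product} {match.product_version}",
        "vulnerability": match.cve,
        "affected_component": f"{match.component} {match.component_version}",
        "aware_at": aware_at_iso,
        "deadlines": reporting_deadlines(aware_at_iso),
    }


if __name__ == "__main__":
    aware = "2026-09-12T08:00:00+00:00"  # constructed awareness timestamp
    for m in correlate(SAMPLE_SBOM, SAMPLE_FEED):
        print(json.dumps(early_warning(m, aware), indent=2))
```

The timestamp passed to `reporting_deadlines` should be the one the pipeline persisted when the feed match (or the support ticket, or the threat-intel alert) first arrived; recording it at triage completion instead would silently shorten the window the reporting officer actually has. The exact-version comparison is deliberately simple: real feeds express affected ranges, and component identity should be normalised through package URLs before matching.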

IoT Cybersecurity Regulation 2026: Broader Timeline and Intersecting Rules

The September 11 deadline does not stand alone. The CRA's phased timeline runs through December 2027, when the regulation's full requirements come into force: secure-by-design engineering, CE marking indicating product conformity, formal conformity assessments for higher-risk product categories, and mandatory security update commitments covering each product's expected support period, generally at least five years. Products placed on the EU market after December 11, 2027 without a CE marking demonstrating CRA compliance cannot legally remain on sale.

The CRA sits alongside, and does not replace, the NIS2 Directive, which focuses on network and information systems of operators of essential services rather than on the products themselves. It also intersects with GDPR when a vulnerability or incident involves personal data — in such cases, GDPR's separate 72-hour notification to data protection authorities runs in parallel with the CRA's reporting ladder, not as a substitute for it.

The OpenSSF and Linux Foundation Research 2026 CRA Awareness and Readiness Report, the most current industry-level readiness assessment available, found that 66% of survey respondents remain unfamiliar with the CRA — a proportion that has grown from 62% unfamiliar in 2025. OpenSSF described the finding as a sobering reality check and noted that over half of European small and medium-sized enterprises remain unaware of a regulation that applies to them. The finding is operationally significant: an organization that does not know the CRA applies to it cannot have built the detection and triage infrastructure the 24-hour deadline requires.

The EU's regulatory posture on product cybersecurity is increasingly shared by other jurisdictions. The UK's Product Security and Telecommunications Infrastructure Act came into force in 2024. US regulators have pushed harder on software vendors following high-profile supply chain incidents. For manufacturers selling globally, September 11, 2026 is not only a European compliance date — it is the first hard enforcement point in a convergence of global product security standards that shows no sign of reversing.


Frequently Asked Questions

What products does the EU Cyber Resilience Act cover?

The CRA covers any hardware or software product whose intended or foreseeable use includes a direct or indirect connection to a device or network — what the regulation calls "products with digital elements." This includes consumer IoT devices, enterprise software, industrial control systems, and connected vehicle components sold on the EU market, regardless of where the manufacturer is based. Products with their own dedicated EU safety regimes, such as medical devices and civil aviation equipment, are excluded.

What is the fine for not complying with the EU Cyber Resilience Act?

Non-compliance with the CRA's most serious requirements — including failure to meet the mandatory reporting obligations that begin September 11, 2026 — can result in financial penalties of up to €15 million or 2.5% of global annual turnover for the preceding financial year, whichever is higher. Market surveillance authorities can also require non-compliant products to be withdrawn from the EU market entirely.

When does the EU Cyber Resilience Act's 24-hour vulnerability reporting requirement start?

The 24-hour early warning obligation begins on September 11, 2026, under Article 14 of the CRA. From that date, manufacturers must submit a preliminary notification to ENISA and the relevant national CSIRT within 24 hours of becoming aware that a vulnerability in one of their products is being actively exploited. A 72-hour full notification and a 14-day final report follow. ENISA's Single Reporting Platform is expected to begin onboarding manufacturers during June 2026.

Does the EU Cyber Resilience Act apply to companies outside the European Union?

Yes. The CRA applies to any manufacturer whose products are made available on the EU market, regardless of where the company is headquartered or where production occurs. Non-EU manufacturers must designate an authorized EU representative who can interface with the ENISA Single Reporting Platform and national CSIRTs. The regulation's global reach is comparable to the GDPR's extraterritorial effect on data processing — compliance is a condition of EU market access, not of EU domicile.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
