The implementation timeline for the Cyber Resilience Act (CRA) is outlined primarily in Recital (126). Here are the key milestones and deadlines for compliance:
11 June 2026: The provisions on the notification of conformity assessment bodies will apply from this date.
11 September 2026: The reporting obligations concerning actively exploited vulnerabilities and severe incidents impacting the security of products with digital elements will come into effect.
11 December 2027: The general application of the Regulation will begin, giving economic operators sufficient time to adapt to the requirements set out in the CRA.
These dates provide a structured timeline for stakeholders to prepare for and comply with the new requirements introduced by the CRA.