CRA Compliance

Five Months to September: What CRA Article 14 Compliance Actually Requires

By The CVD Portal Team

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) has two deadlines that matter. 11 December 2027 is when the full product obligations, conformity assessment and CE marking included, apply. But 11 September 2026 is when the vulnerability reporting obligations under Article 14 start to apply - and Article 14 also covers products placed on the market before 11 December 2027, not only those released once the rest of the Regulation applies.

With five months remaining, it is worth being precise about what “compliant” means on that date, and what infrastructure needs to be operational before it arrives.

What September 2026 Is - and Isn't

The September deadline does not require manufacturers to have completed conformity assessments, affixed CE marking, or produced full technical documentation under Annex VII. Those obligations follow on 11 December 2027.

What it does require is that every manufacturer of a product with digital elements placed on the EU market has a functioning vulnerability handling process capable of meeting Article 14's reporting obligations the moment it becomes aware of an actively exploited vulnerability, or of a severe incident having an impact on the security of the product. Importers and distributors are not the reporting party under Article 14, but they have their own duty to inform the manufacturer without undue delay when they become aware of a vulnerability, so the manufacturer's intake has to be reachable by them as well. The clock does not wait for infrastructure to be built.

The Two Articles That Matter

Article 13 - the VDP requirement

Article 13 obliges manufacturers to meet the vulnerability handling requirements of Annex I, Part II. Those requirements include putting in place and enforcing a coordinated vulnerability disclosure policy and providing a contact address through which security researchers and customers can report potential vulnerabilities. This is the Coordinated Vulnerability Disclosure policy (VDP) - formerly a best practice under ISO/IEC 29147, now a legal requirement.

The VDP is not merely an administrative obligation. It is the primary intake mechanism through which a manufacturer may first learn that one of their products is being actively exploited. Without it, the first trigger for Article 14 may arrive with no warning and no process to handle it.

Article 14 - the reporting cascade

Once a manufacturer becomes aware that a vulnerability in its product is being actively exploited (or becomes aware of a severe incident having an impact on the security of the product), the following sequence is mandatory, with every deadline measured from the moment of becoming aware:

  1. Within 24 hours: submit an early warning through the single reporting platform operated by ENISA. The platform delivers it to ENISA and to the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment. For a vulnerability, the early warning also indicates, where applicable, the Member States in which the manufacturer knows the product has been made available.
  2. Within 72 hours: submit a vulnerability notification (or incident notification) giving general information about the affected product, the nature of the exploit and of the vulnerability, any corrective or mitigating measures already taken, and the measures users can take; it also indicates how sensitive the manufacturer considers the information to be.
  3. A final report: for a vulnerability, no later than 14 days after a corrective or mitigating measure is available, describing the vulnerability including its severity and impact, what is known about the actor exploiting it, and the security update or other corrective measures made available; for a severe incident, within one month of the incident notification, covering the root cause and the measures taken.

Disclosure is not an afterthought. Article 14 also requires the manufacturer, without undue delay after becoming aware, to inform the impacted users (and where appropriate all users) about the vulnerability or incident and about the risk mitigation and corrective measures they can apply. If the manufacturer believes publishing the notification would assist threat actors, it can ask the coordinating CSIRT to delay dissemination, but that request has to be justified on cybersecurity grounds - which means the disclosure strategy has to be decided inside the reporting window, not after it.

What “Operational” Actually Means

Meeting these obligations on paper is straightforward. Meeting them under pressure, at 2am, on a product that shipped three years ago, is the operational challenge.

Manufacturers who will comply reliably by September 2026 will have:

A tested intake process. The VDP is live, publicly accessible, and staffed. Submissions are triaged within defined SLAs. Researchers receive an acknowledgment within a committed window, such as 48 hours; ISO/IEC 29147 expects every report to be acknowledged and the timeline to be stated in the policy.

Defined triage authority. Someone has the explicit authority to confirm active exploitation and initiate the Article 14 reporting cascade without requiring C-level sign-off. Because every deadline runs from the moment the manufacturer becomes aware, the process should also record what "becoming aware" means internally (for example, the point at which a report is triaged as a confirmed, exploited vulnerability), so that the 24-hour clock has an unambiguous start. Waiting for legal approval during a 24-hour window is how deadlines are missed.

Pre-built report templates. The early warning and 72-hour notification forms are drafted, tested, and ready. Access to the single reporting platform is verified for more than one person, so that a single absent account holder cannot block a 24-hour filing. The CSIRT designated as coordinator for the Member State of the manufacturer's main establishment is documented, together with the national notification end-point.

An audit trail. Every report received, every triage decision made, every communication sent - timestamped and retained, including the timestamp at which awareness was established, since every Article 14 deadline is measured from it. This is the evidence that the process functioned as required.

The SME Gap

For large organisations with established PSIRTs, much of the above may already exist in some form. For the majority of SMEs selling hardware or software into the EU market - the manufacturers of routers, industrial controllers, connected devices, firmware-embedded products - none of it does.

Building a compliant VDP, structured intake, triage workflow, authority reporting mechanism, and audit trail in-house requires months of engineering and legal alignment. For organisations starting from zero today, five months is tight.

How CVD Portal Addresses the Gap

CVD Portal was built specifically for this problem. It provides the full Article 13 and 14 compliance infrastructure as a service, free to get started.

A manufacturer registering today receives a branded vulnerability disclosure portal at yourcompany.cvdportal.com, with structured intake, automated 48-hour acknowledgment tracking, CVSS-based triage workflow, ENISA-aligned report generation for the 24-hour and 72-hour obligations, full audit trail, and CSAF 2.0 advisory generation for coordinated public disclosure.

The goal is to remove the infrastructure barrier entirely - so that the September 2026 deadline is a process readiness question, not an engineering project.

The Bottom Line

September 2026 is not a soft milestone. It is the date from which Article 14 applies to every product with digital elements on the EU market, including products placed on the market before the rest of the Regulation applies. Organisations that are not operationally ready on that date are exposed - regardless of where they stand on the broader December 2027 conformity timeline.

Five months is enough time to get there. It is not enough time to leave it until later.
