Live timer11 September 2026 CESTFree to embed

CRA Article 14 applies on 11 September 2026

From this date, every manufacturer placing a product with digital elements on the EU market must report actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT on fixed deadlines. It is the first CRA obligation to bite, 15 months ahead of the rest of the regulation. This counter ticks down in real time. Embed it on your compliance dashboard.

56
Days
01
Hours
15
Minutes
08
Seconds

Drop this on your compliance dashboard

Paste the snippet below into any page that supports HTML. The widget loads in an iframe, weighs under 20 KB, sets no cookies, and updates every second.

<iframe src="https://cvdportal.com/embed/countdown" width="600" height="200" style="border:0;max-width:100%" loading="lazy" title="EU CRA Article 14 countdown"></iframe>

Default size is 600 by 200 pixels. The widget is responsive and scales to its container.

What changes on 11 September 2026

Article 14 obliges every manufacturer of products with digital elements to notify ENISA and the relevant CSIRT of any actively exploited vulnerability or severe incident affecting the security of the product. The cascade is an early warning within 24 hours, an intermediate notification within 72 hours, and a final report within 14 days for an actively exploited vulnerability or one month for a severe incident.

Article 14 is the only substantive obligation that moves this early. Under Article 71(2) the Regulation applies from 11 December 2027, and the sole derogations are Article 14 from 11 September 2026 and Chapter IV on notified bodies from 11 June 2026. So Article 14 comes 15 months ahead of the rest.

Everything else arrives on 11 December 2027, including placing on the market, CE marking, conformity assessment, and the Article 13 manufacturer obligations such as the coordinated vulnerability disclosure policy and the security contact. In practice the CVD process needs to be running before September 2026 anyway, because Article 14 reporting depends on it.

Get Article 13 ready in an afternoon

CRA Portal runs the Article 13 intake and the Article 14 cascade for EU manufacturers. The free tier covers Article 13. Reporting and Enterprise add the 24h / 72h / final report workflow.

CRA deadline briefing

A short email on the Cyber Resilience Act reporting obligations and the run-up to 11 September 2026.

We use your email only to send the briefing. Unsubscribe any time with one click.