CRA Enforcement Tracker
Every announced enforcement action under the EU Cyber Resilience Act, every ENISA guidance update, every Member State authority designation, every harmonised standard published in support of the regulation. Filterable by country, type, and year. Updated weekly. Free to republish with attribution.
| Date | Country | Type | Event | Article |
|---|---|---|---|---|
Anchor date | EU EU-wide | Anchor date | CRA becomes fully applicable to all products with digital elements All remaining obligations apply, including essential cybersecurity requirements in Annex I, conformity assessment under Article 32, and CE marking of products with digital elements. Manufacturers must have completed conformity assessment before placing products on the market. Source: EUR-Lex (Article 71(2)) | Article 71(2) |
Anchor date | EU EU-wide | Anchor date | Articles 13 (CVD) and 14 (incident and vulnerability reporting) become applicable Manufacturers of products with digital elements placed on the EU market must operate a coordinated vulnerability disclosure policy and a single point of contact (Article 13), and must report actively exploited vulnerabilities and significant incidents to ENISA and the relevant national CSIRT on the 24h / 72h / final-report cadence (Article 14). Source: EUR-Lex (Article 71(2)) | Articles 13, 14 |
| EU EU-wide | Standard | CEN-CENELEC JTC 13 publishes work programme for harmonised CRA standards JTC 13 publishes its work programme detailing the harmonised standards under development for CRA Annex I essential requirements, with target publication dates ahead of full applicability in December 2027. | n/a | |
| EU EU-wide | Guidance | ENISA launches the European Union Vulnerability Database (EUVD) ENISA launches the EUVD as required under NIS2 Article 12, providing a public catalogue of vulnerabilities with European context. The EUVD will integrate with the CRA Single Reporting Platform once Article 14 reporting becomes applicable in September 2026. Source: EUVD (ENISA) | Article 16 (EUVD interaction) | |
| FR France | Guidance | ANSSI publishes CRA implementation guidance for French manufacturers L'Agence nationale de la sécurité des systèmes d'information (ANSSI) publishes guidance for French manufacturers on CRA scope, the Article 13 SPOC requirement, and the upcoming Article 14 reporting workflow. ANSSI is the expected national CSIRT recipient under Article 14. Source: ANSSI CRA page | n/a | |
| DE Germany | Guidance | BSI signals lead role for CRA market surveillance and conformity assessment in Germany The Bundesamt für Sicherheit in der Informationstechnik (BSI) publishes guidance positioning itself as the expected lead authority for CRA market surveillance and conformity assessment in Germany, pending formal national legislation transposing supervisory powers. Source: BSI CRA page | n/a | |
| EU EU-wide | Guidance | ENISA publishes CRA overview and FAQ on its dedicated topic page ENISA opens a dedicated Cyber Resilience Act topic page summarising the regulation, the application timetable, and the agency's role in the Single Reporting Platform and the European vulnerability database (EUVD). Source: ENISA topic page | n/a | |
Anchor date | EU EU-wide | Anchor date | Regulation (EU) 2024/2847 enters into force The Cyber Resilience Act enters into force across the European Union. Most substantive obligations apply later (see September 2026 and December 2027 anchors), but the legal framework is now binding on Member States for transposition and on the Commission for delegated and implementing acts. Source: EUR-Lex (Official Journal) | Article 71 (entry into force) |
| EU EU-wide | Standard | Commission issues standardisation request M/606 to CEN-CENELEC for harmonised CRA standards The European Commission issues a formal standardisation request to CEN-CENELEC (JTC 13) to develop harmonised European standards supporting the essential cybersecurity requirements in Annex I of the CRA. Compliance with these standards will provide a presumption of conformity under Article 27. | Article 27 (presumption of conformity) | |
| EU EU-wide | Guidance | CRA text published in the Official Journal of the European Union Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements is published in the OJ, locking in the 20-day countdown to entry into force. Source: EUR-Lex OJ L 2024/2847 | n/a | |
| EU EU-wide | Guidance | Council of the EU formally adopts the Cyber Resilience Act The Council adopts the CRA after the European Parliament's plenary vote in March 2024, completing the ordinary legislative procedure. Final text proceeds to OJ publication and signature. Source: Council of the EU press release | n/a | |
| EU EU-wide | Guidance | European Parliament adopts CRA at first reading MEPs approve the trilogue-agreed text by a wide margin, clearing the final political hurdle before Council adoption. Key amendments included the carve-out for open-source software stewards and the staged application timetable. | n/a |
Methodology
An entry is included when one of the following has occurred: a formal enforcement action by an EU or Member State authority under the CRA, an ENISA or Commission guidance or FAQ publication, a Member State designation of an NCA or CSIRT with CRA scope, a harmonised standard published or referenced under Article 27, a delegated or implementing act adopted under the CRA, or a court decision touching CRA scope.
Each entry cites an official source as the primary reference (Official Journal, ENISA, the European Commission, a national authority, or a national publication). Reputable trade press is accepted only as a secondary corroborating source.
Anchor dates (entry into force, Article 13 and 14 applicability, full applicability) are included as a navigation aid and are visually flagged so they are not confused with actual events. All dates are the date of the underlying event, not the date the entry was added.
To suggest an entry or flag an error, email [email protected] with a working source URL. Corrections are made in place and the dataset's last-updated date is bumped.
Run Article 13 and 14 in CVD Portal
CVD Portal runs the Article 13 coordinated disclosure intake and the Article 14 reporting cascade for EU manufacturers. Free tier covers Article 13. Pro and Enterprise add the 24h / 72h / final report workflow for Article 14.