News & Updates

Stay informed on Cyber Resilience Act milestones, regulatory guidelines, and platform updates.

Industry News

CRA Now Driving 2026 Security Spend: What SMEs Need to Know

The EU Cyber Resilience Act is becoming a primary driver of security investment decisions across Europe.

Board-Level Focus on CRA Compliance

According to Red Hat's 2026 State of Cloud-Native Security Report, 64% of organizations expect the CRA to be a primary influence on their 2026 security investments.

SME Readiness Gaps Widening

At the CRA Europe 2026 conference held in Bucharest, Romania, discussions highlighted a widening gap between regulatory requirements and operational readiness — particularly for small and medium-sized enterprises. The readiness gaps identified include:

  • Translating requirements into day-to-day workflows
  • Resourcing consistent execution across engineering and governance
  • SBOM generation and maintenance
  • End-of-life product security obligations
  • Incident reporting structures

As reported by Cyprus Mail, smaller businesses face challenges not in understanding the regulation, but in having the governance structures and engineering capacity to consistently deliver on it.

Columbia Group at CRA Europe 2026

Two Areas to Watch: EOL Devices and Open Source

End-of-Life Devices

Cisco's policy analysis highlights that neither the CRA nor NIS2 directly addresses how to manage devices once their lifecycle expires. With 40% of the top targeted vulnerabilities in 2025 impacting end-of-life devices — often unpatchable — this gap poses significant risks. Cisco advocates for explicit European-level guidance on managing obsolete devices.

Open Source Liability

The CRA deliberately excludes open-source software from liability obligations to avoid chilling effects on the ecosystem. However, this exclusion does not negate responsibility. Manufacturers who commercialize products using open-source code still bear full obligation — they must still generate SBOMs, track vulnerabilities, and be transparent about security practices related to their open-source dependencies.

How CVD Portal Can Help

CVD Portal helps SME manufacturers meet CRA Article 13 requirements with a free vulnerability disclosure portal that includes:

  • Branded security contact at yourcompany.cvdportal.com
  • Automated 48-hour acknowledgment tracking
  • Full audit trail for compliance documentation
  • ENISA-aligned reporting when needed

Get started free — no credit card required.

Preparing for the Cyber Resilience Act: Mandatory Vulnerability Reporting Commences in September 2026

As the European Union continues to strengthen its digital market, stakeholders are reminded that the first critical compliance milestone of the Cyber Resilience Act (CRA) is approaching. Effective 11 September 2026, manufacturers of products with digital elements (PDEs) will be legally obligated to report actively exploited vulnerabilities to ENISA and national Computer Security Incident Response Teams (CSIRTs).

To ensure a high level of cybersecurity across the Union, manufacturers must establish robust internal mechanisms to detect, assess, and report these vulnerabilities within the stringent regulatory timeframes. Industry actors are encouraged to utilize this transitional period to align their operational capabilities with the forthcoming legal obligations.

European Commission Issues Draft Guidance on CRA Implementation for Products with Digital Elements

In support of the implementation of the Cyber Resilience Act (Regulation (EU) 2024/2847), the European Commission has published draft guidelines clarifying the categorisation and compliance expectations for products with digital elements (PDEs).

This documentation provides essential operational clarity on vulnerability handling requirements, risk assessment methodologies, and the delineation of product classes. The Commission has opened a public consultation period, inviting feedback from manufacturers, cybersecurity researchers, and standardisation bodies until 31 March 2026. Stakeholders are highly encouraged to participate to ensure the guidelines remain practical and effective.

ENISA Initiates Pilot Testing Phase for the Single Reporting Platform (SRP)

The European Union Agency for Cybersecurity (ENISA) announces the commencement of the pilot testing phase for the Single Reporting Platform (SRP). Mandated by the CRA, the SRP will serve as the centralized infrastructure for manufacturers to submit early warnings and incident notifications regarding actively exploited vulnerabilities and severe security incidents.

The testing phase aims to evaluate the platform's scalability, security, and interoperability with national CSIRT networks. ENISA invites selected manufacturers and vulnerability disclosure platforms to participate in the pilot, ensuring the SRP is fully optimized and operational prior to the enforcement of reporting obligations in September 2026.

Coordinated Vulnerability Disclosure (CVD) Transitions from Best Practice to Legal Obligation Under the CRA

Under Article 10 of the Cyber Resilience Act, the implementation of a Coordinated Vulnerability Disclosure (CVD) policy is no longer an optional best practice, but a strict legal requirement for all manufacturers of PDEs.

To foster a collaborative security ecosystem, manufacturers must provide a publicly accessible, secure, and clear channel—such as dedicated CVD portals—allowing independent security researchers to report potential vulnerabilities. Organizations must systematically process these reports, coordinate mitigation strategies, and ensure timely remediation. The formalization of CVD represents a cornerstone of the Union’s proactive approach to cyber resilience.

Clarifying the Role of Open Source Stewards within the CRA Framework

The European Commission, in consultation with cybersecurity authorities, has released updated clarifications regarding the regulatory treatment of free and open-source software (FOSS) under the CRA.

The framework explicitly differentiates between commercial manufacturers and "Open Source Stewards"—non-profit foundations or entities providing sustained support for open-source projects. To avoid stifling digital innovation while ensuring ecosystem security, Open Source Stewards are subject to a tailored, light-touch regulatory regime. These entities are required to facilitate security policies and vulnerability handling procedures without bearing the full conformity assessment burden placed on commercial entities.

Enhancing Incident Response: Navigating the 24- and 72-Hour Notification Thresholds

As part of the CRA’s incident reporting framework, manufacturers must adapt their security operations to meet strict notification timelines. Upon becoming aware of an actively exploited vulnerability or an incident with severe impact, entities are legally bound to submit an "early warning" within 24 hours.

Furthermore, a comprehensive incident notification detailing the technical scope and proposed mitigation measures must follow within 72 hours. ENISA strongly advises organizations to integrate these timeframes into their incident response playbooks and automate their triaging processes to ensure seamless compliance and minimize the window of exposure for European consumers.

Advancing Presumption of Conformity: Update on Harmonised Standards by CEN and CENELEC

The European standardisation organisations, CEN and CENELEC, report significant progress in drafting the harmonised standards requested by the European Commission for the Cyber Resilience Act.

These standards will provide the technical specifications necessary for manufacturers to meet the essential cybersecurity requirements outlined in the legislation. Adherence to these harmonised standards will grant manufacturers a "presumption of conformity," streamlining the process of obtaining the CE mark. ENISA continues to support CEN and CENELEC in ensuring these standards reflect state-of-the-art security practices, particularly in cryptography, software updates, and vulnerability management.

Operational Readiness for Notified Bodies Commences June 2026

Effective 11 June 2026, the legal framework governing "Notified Bodies" under the CRA will officially commence. These independent, third-party conformity assessment bodies will play a vital role in auditing and certifying "important" and "critical" products with digital elements before they enter the EU market.

Given the anticipated high volume of certification requests, ENISA urges Member States to expedite the accreditation of national Notified Bodies. Manufacturers of highly critical products are advised to begin their conformity assessment preparations immediately to avoid supply chain bottlenecks during the transition period leading up to full CRA applicability in December 2027.

Assessing the Impact of CRA Reporting Obligations on Legacy Products

Manufacturers are reminded that the CRA’s vulnerability reporting obligations, taking effect in September 2026, apply to all products with digital elements currently active on the Union market—not merely new products introduced after the legislation's entry into force.

If a vulnerability is actively exploited in a legacy product that remains in its support lifecycle after the September 2026 deadline, the manufacturer is legally required to report it via the Single Reporting Platform. ENISA recommends that organizations conduct comprehensive audits of their active product portfolios and update their end-of-life (EOL) and vulnerability disclosure policies accordingly.

Fostering a Unified Cybersecurity Ecosystem: Integrating the EUVD and the CRA Single Reporting Platform

In alignment with the NIS2 Directive and the Cyber Resilience Act, ENISA is currently advancing the integration of the European Vulnerability Database (EUVD) with the newly established CRA Single Reporting Platform (SRP).

This strategic integration will eliminate fragmented reporting silos, allowing vulnerability intelligence to flow securely between manufacturers, national CSIRTs, and European regulatory bodies. By creating a unified ecosystem for vulnerability disclosure and threat intelligence, the Union aims to drastically reduce response times to critical zero-day vulnerabilities and enhance the collective situational awareness of the European digital single market.