As the European Union continues to strengthen its digital market, stakeholders are reminded that the first critical compliance milestone of the Cyber Resilience Act (CRA) is approaching. Effective 11 September 2026, manufacturers of products with digital elements (PDEs) will be legally obligated to report actively exploited vulnerabilities to ENISA and national Computer Security Incident Response Teams (CSIRTs).
To ensure a high level of cybersecurity across the Union, manufacturers must establish robust internal mechanisms to detect, assess, and report these vulnerabilities within the stringent regulatory timeframes. Industry actors are encouraged to utilize this transitional period to align their operational capabilities with the forthcoming legal obligations.