A common misreading of the EU Cyber Resilience Act is that all of its obligations arrive on a single date. They do not. The reporting duties under Article 14 come into force on 11 September 2026, more than a year before full product conformity is required in December 2027, and they apply to products that are already on the EU market and still supported.
The obligation is conditional rather than continuous. It activates when a manufacturer becomes aware that one of its products is being actively exploited, or that a severe incident has affected the product's security. The deadline runs from the moment of awareness, which makes reliable intake and escalation a prerequisite rather than an afterthought.
The duty rests primarily on the manufacturer, with importers and distributors carrying backstop responsibilities to surface problems and inform authorities. Crucially, products placed on the market before September 2026 are in scope, so the reporting regime applies to the entire supported install base from day one.
This is the first article in a six-part series on CRA reporting, covering when the duty begins, what must be reported, where reports go, on what timeline, and how to build the internal process that makes it work.
Read the full guide on our blog.
Read More