
CRA's first obligation takes effect

Regulation (EU) 2024/2847

Cyber Resilience Act: the new European security baseline for IoT and every other product with digital elements

The CRA is the first horizontal EU regulation requiring all products with digital elements to meet cybersecurity requirements throughout their lifecycle, from design through post-sale support. It entered into force on December 10, 2024; the Article 14 reporting obligations apply from September 11, 2026, and the remaining obligations, including CE marking, apply from December 11, 2027.

September 11, 2026 — Article 14 Reporting


Full Compliance

11.12.2027

Max Penalty

€15M or 2.5% of worldwide annual turnover, whichever is higher

Standard

EN 18031

Authority

ENISA

Article 14

Three-tier mandatory reporting cycle

Becoming aware of an actively exploited vulnerability triggers a three-phase notification process: an early warning within 24 hours to the coordinating national CSIRT and ENISA via the Single Reporting Platform, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available.

Phase 01 · T+0

Vulnerability Detected

TegmenSoft telemetry engine detects active in-the-wild exploitation and scores severity. The Article 14 clocks start the moment the manufacturer becomes aware of the exploitation, not when a fix is ready.

Phase 02 · T+≤24h

Early Warning

An early warning notification, indicating where applicable the Member States in which the product is known to be made available, is automatically sent to the ENISA SRP.

Phase 03 · T+≤72h

Full Notification

A vulnerability notification is submitted with general information on the affected products, the nature of the exploit and the underlying vulnerability, and the corrective or mitigating measures taken or available to users.

Phase 04 · T+≤14d

Final Report

Within 14 days of a corrective or mitigating measure becoming available, a final report is submitted with a description of the vulnerability, its severity (for example a CVSS score) and impact, and details of the security update or other corrective measure.
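The phase table above is easy to misread as four clocks that all start at detection. Only the 24h and 72h clocks run from the moment of awareness; the 14-day clock for the final report does not start until a corrective or mitigating measure exists. The following Python is an added example, not part of the page or of TegmenSoft's product, that tracks a single Article 14 case with that rule built in. The class name, field names and the sample timestamps are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Article 14(2) deadlines. The 24h and 72h clocks start when the manufacturer
# becomes aware; the 14-day clock starts only when a fix or mitigation is available.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=14)

PHASES = ("early_warning", "notification", "final_report")


@dataclass
class ExploitedVulnCase:
    """One actively exploited vulnerability under Article 14 (hypothetical data model)."""
    product: str
    aware_at: datetime                        # all timestamps are timezone-aware UTC
    fix_available_at: Optional[datetime] = None
    submitted: Dict[str, datetime] = field(default_factory=dict)  # phase -> submission time

    def deadlines(self) -> Dict[str, datetime]:
        """Deadlines whose clock has started; final_report is absent until a fix exists."""
        due = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "notification": self.aware_at + NOTIFICATION,
        }
        if self.fix_available_at is not None:
            due["final_report"] = self.fix_available_at + FINAL_REPORT
        return due

    def status(self, now: datetime) -> Dict[str, str]:
        """Per phase: 'submitted' (on time), 'late' (sent after the deadline),
        'due', 'overdue', or 'pending' while the final-report clock has not started."""
        due = self.deadlines()
        result = {}
        for phase in PHASES:
            if phase not in due:
                result[phase] = "pending"
            elif phase in self.submitted:
                result[phase] = "submitted" if self.submitted[phase] <= due[phase] else "late"
            elif now > due[phase]:
                result[phase] = "overdue"
            else:
                result[phase] = "due"
        return result

    def hours_left(self, phase: str, now: datetime) -> Optional[float]:
        """Hours until the phase deadline (negative once passed); None if the clock has not started."""
        due = self.deadlines().get(phase)
        if due is None:
            return None
        return (due - now).total_seconds() / 3600


def demo_case() -> ExploitedVulnCase:
    """Constructed sample: aware at 08:00 UTC on 11 Sep 2026, early warning sent 10h later."""
    aware = datetime(2026, 9, 11, 8, 0, tzinfo=timezone.utc)
    return ExploitedVulnCase(
        product="example-gateway-fw",
        aware_at=aware,
        submitted={"early_warning": aware + timedelta(hours=10)},
    )


if __name__ == "__main__":
    case = demo_case()
    now = case.aware_at + timedelta(hours=80)   # the 72h notification window has been missed
    print(case.status(now))
    case.fix_available_at = now                 # fix released: the 14-day clock starts now
    print(case.status(now), case.hours_left("final_report", now))
```

Feeding the tracker from a ticketing or vulnerability-management system is the part a manufacturer has to automate; the tracker itself only needs the awareness timestamp, the fix timestamp and the submission timestamps to tell which phase is overdue.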

Obligations

Five core competencies every manufacturer must have

The CRA forces manufacturers to restructure not just in reporting, but also in design, documentation, and lifecycle management.

Secure by Design

Products must meet the essential requirements from the design phase onward: they must be placed on the market without known exploitable vulnerabilities and with a secure-by-default configuration, which rules out shared or guessable default credentials.

CE Marking

CRA-scoped products can only bear the CE mark and be placed on the EU market after the conformity assessment is completed and the EU declaration of conformity has been drawn up.

SBOM Obligation

Manufacturers must draw up a software bill of materials in a commonly used, machine-readable format (SPDX and CycloneDX are the usual choices) covering at least the product's top-level dependencies, and make it available to market surveillance authorities on request.
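An SBOM only serves its purpose if every component can be matched against advisories, which means a version and a unique identifier (a package URL) for each entry and dependency references that resolve. The Python below is an added example, not code from the page or from any SBOM tool, that assembles a minimal CycloneDX JSON document and lints it for exactly those gaps. The product name, the component inventory and the purl values are constructed for the illustration.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List


def build_cyclonedx(product: str, version: str, components: List[Dict]) -> Dict:
    """Assemble a minimal CycloneDX 1.5 JSON document. Each component dict carries
    name/version/purl (and optionally type); the bom-ref is the purl when present."""
    root_ref = f"{product}@{version}"
    comps = []
    for c in components:
        entry = {
            "type": c.get("type", "library"),
            "bom-ref": c.get("purl") or f"{c['name']}@{c.get('version', '')}",
            "name": c["name"],
        }
        if c.get("version"):
            entry["version"] = c["version"]
        if c.get("purl"):
            entry["purl"] = c["purl"]
        comps.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "bom-ref": root_ref,
                          "name": product, "version": version},
        },
        "components": comps,
        # The product's top-level dependencies: the minimum the CRA asks for.
        "dependencies": [{"ref": root_ref, "dependsOn": [c["bom-ref"] for c in comps]}],
    }


def lint_sbom(bom: Dict) -> List[str]:
    """Return the findings a reviewer would raise before accepting the SBOM as evidence."""
    problems = []
    for key in ("bomFormat", "specVersion", "version", "components"):
        if key not in bom:
            problems.append(f"missing top-level field '{key}'")
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    refs = set()
    root = bom.get("metadata", {}).get("component", {})
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])
    for c in bom.get("components", []):
        name = c.get("name", "<unnamed>")
        if not c.get("version"):
            problems.append(f"{name}: no version, so it cannot be matched against advisories")
        if not c.get("purl"):
            problems.append(f"{name}: no purl, so the component is not uniquely identified")
        ref = c.get("bom-ref")
        if not ref:
            problems.append(f"{name}: no bom-ref")
        elif ref in refs:
            problems.append(f"{name}: duplicate bom-ref '{ref}'")
        else:
            refs.add(ref)
    for dep in bom.get("dependencies", []):
        if dep.get("ref") not in refs:
            problems.append(f"dependency entry refers to unknown ref '{dep.get('ref')}'")
        for target in dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"{dep.get('ref')}: depends on unknown ref '{target}'")
    return problems


# Constructed inventory for a fictitious gateway firmware; one proprietary entry lacks a purl on purpose.
SAMPLE_COMPONENTS = [
    {"name": "mbedtls", "version": "3.6.0", "purl": "pkg:generic/mbedtls@3.6.0"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"name": "vendor-ota-agent", "version": "2.4"},
]


def demo() -> List[str]:
    """Build the SBOM, serialize it as it would be handed over, and lint the parsed result."""
    bom = build_cyclonedx("example-gateway-fw", "1.0.0", SAMPLE_COMPONENTS)
    text = json.dumps(bom, indent=2)
    return lint_sbom(json.loads(text))


if __name__ == "__main__":
    for finding in demo():
        print("finding:", finding)
```

In practice the inventory comes from the build system rather than a hand-written list; the lint step is the part worth keeping in CI so that a component without a version or identifier fails the build rather than surfacing in an audit.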

Support Period

The product's support period must be clearly declared (at least five years unless the product is expected to be in use for a shorter time), and security updates must be provided free of charge throughout that period.

Market Surveillance

Member state authorities have the power to withdraw non-compliant products from the market, impose bans, and issue penalties.

Timeline

CRA enforcement process and critical milestones

The official Cyber Resilience Act timeline and what each phase means for manufacturers.

December 10, 2024

Entry into Force

The Cyber Resilience Act (Regulation (EU) 2024/2847) was published in the Official Journal of the EU on November 20, 2024 and entered into force on December 10, 2024.

January 2025

Standardization Request

European Commission submitted a formal request to CEN-CENELEC for the development of harmonized standards.

September 11, 2026

Reporting Obligation Begins

The 24-hour early-warning requirement for actively exploited vulnerabilities, reported to the coordinating CSIRT and ENISA via the SRP, becomes legally binding.

November 2026

Harmonized Standards

Harmonized CRA standards are expected to be published around this time, including work building on the EN 18031 family originally written for the Radio Equipment Directive; applying them gives a presumption of conformity and clarifies the compliance path for manufacturers.

December 11, 2027

Full Compliance

CRA requirements and CE marking obligations become fully mandatory for all products with digital elements.

Breaking Point: 11.09.2026. From this date, reporting actively exploited vulnerabilities to the ENISA SRP within 24 hours of becoming aware is a legal obligation. A 24-hour window that can open at any time is very hard to meet with manual processes, so automated detection and reporting becomes a practical necessity.

Risk Classification

Same SDK for every risk class, different audit depth

The CRA divides products into four risk classes. While audit intensity varies, SBOM, vulnerability reporting, and secure OTA are common technical requirements across all classes.

DEFAULT

Default

Example

Consumer IoT without security functionality, most smart home devices, toys without social-interaction or location-tracking features

Audit

Self-assessment (Module A) sufficient

IMPORTANT

Important — Class I

Example

Identity management and authentication systems, VPNs, network management systems, operating systems, browsers, password managers

Audit

Self-assessment only if harmonized standards, common specifications or a certification scheme are applied in full; otherwise a Notified Body is required

IMPORTANT

Important — Class II

Example

Firewalls and intrusion detection/prevention systems, hypervisors and container runtimes, tamper-resistant microprocessors and microcontrollers

Audit

Third-party conformity assessment mandatory (EU-type examination, Module B+C, or full quality assurance, Module H)

CRITICAL

Critical

Example

Smart meter gateways, hardware devices with security boxes such as HSMs, smart cards and secure elements

Audit

European cybersecurity certification (EUCC, assurance level at least substantial) where the Commission mandates it; otherwise the Class II third-party route

Let's assess your company's CRA readiness level together.

In a 30-minute technical discovery call, we analyze your current product portfolio, identify missing controls, and prepare a customized compliance roadmap.

Schedule Discovery Call
CRA Compliance — Cyber Resilience Act · TegmenSoft