EU Cyber Resilience Act: 9 months until your products need a security passport

The CRA entered into force one year ago. Reporting obligations start September 2026. Penalties up to €15M.

One year ago, the EU Cyber Resilience Act entered into force. You have 9 months until vulnerability reporting becomes mandatory. 2 years until products need CE security marking. Penalties: up to €15 million or 2.5% of global turnover.

Timeline

  • Dec 2024: Entered into force.
  • Sep 2026: 24-hour reporting of actively exploited vulnerabilities to ENISA becomes mandatory.
  • Dec 2027: Full compliance. CE marking required.

Core requirements

  1. Security by design
  2. Secure defaults (no default passwords)
  3. Vulnerability handling processes
  4. SBOM — Software Bill of Materials
  5. Security updates for a minimum of 5 years
  6. 24-hour reporting of actively exploited vulnerabilities

What to do in 9 months

  1. Build an SBOM process (for example Syft for generation, with CycloneDX or SPDX as the output format).
  2. Establish a vulnerability disclosure program.
  3. Set up a 24-hour reporting workflow for actively exploited vulnerabilities.
  4. Audit the product security baseline.
  5. Start CE marking preparation.