CRA Implementation Timeline
Key dates and milestones for Cyber Resilience Act compliance from 2024 to 2027
Current Status: CRA is now in force (December 2024). You have approximately 3 years to achieve full compliance before the December 2027 deadline.
Time Until Full CRA Compliance
Until December 11, 2027 - Full CRA Compliance Deadline
Complete CRA Implementation Timeline
Follow the key dates and milestones from adoption to full compliance
CRA Adopted by Council
European Council formally adopts the Cyber Resilience Act
CRA Published
Official publication in EU Official Journal
CRA Enters into Force
Regulation becomes legally binding - preparation period begins
Standardization Request Issued
European Commission requests development of 41 harmonized standards
Conformity Assessment Bodies Authorized
Third-party assessment bodies authorized to certify product compliance
Vulnerability Handling Standard Deadline
Harmonized standards for vulnerability handling must be adopted
Mandatory Vulnerability Reporting
Manufacturers must report actively exploited vulnerabilities and severe incidents
Vertical Standards Deadline
All product-specific vertical standards must be adopted
Harmonized Standards Complete
Final deadline for all CRA harmonized standards adoption
Full CRA Compliance Required
All CRA obligations become mandatory - products must comply to enter EU market
Your CRA Preparation Roadmap
What you should focus on during each phase leading up to full compliance
Preparation Phase
Start building CRA readiness
- Conduct initial product assessment
- Begin security by design implementation
- Establish vulnerability management processes
- Monitor harmonized standards development
Implementation Phase
Implement core requirements
- Complete technical documentation
- Implement essential cybersecurity requirements
- Set up conformity assessment processes
- Prepare vulnerability reporting systems
Compliance Phase
Achieve full compliance
- Undergo conformity assessment
- Complete CE marking documentation
- Launch vulnerability reporting
- Final compliance verification
Don't Miss These Critical Deadlines
Mark your calendar for these make-or-break dates
September 11, 2026
Vulnerability Reporting Starts
You must report actively exploited vulnerabilities and severe security incidents without delay. Set up your reporting systems before this date.
December 11, 2027
Full Compliance Deadline
All CRA requirements become mandatory. Products that don't comply cannot enter the EU market. No extensions will be granted.
Don't Wait Until 2027
Starting early gives you time to address unexpected challenges, test your compliance measures, and avoid the last-minute rush when conformity assessment bodies may be overwhelmed.
Harmonized Standards Development
Track the development of technical standards that will define specific compliance requirements
41 Standards Being Developed
15 Horizontal Standards
Each aligned with one Essential Cybersecurity Requirement from Annex I, applicable across all product categories
26 Vertical Standards
Tailored to specific product categories like IoT devices, industrial systems, consumer electronics
Security by Design
Standards for implementing security from product conception
Vulnerability Handling
Process standards for managing security vulnerabilities
Risk Assessment
Methodologies for cybersecurity risk evaluation
What Should You Do Now?
Based on where we are in the timeline, here are your immediate priorities
Official Source
Regulation (EU) 2024/2847 - Cyber Resilience Act
Implementation timeline and transitional provisions for cybersecurity requirements of products with digital elements.
View on EUR-Lex