EU Cyber Resilience Act — Full Application

What this countdown tracks

The clock above counts down to the full application date of the EU Cyber Resilience Act (CRA) on Saturday, December 11, 2027. From this date, mandatory cybersecurity essential requirements, conformity-assessment obligations, and incident-reporting duties bind manufacturers, importers, and distributors of products with digital elements placed on the EU market — with fines up to €15 million or 2.5% of worldwide turnover.

About this regulation

The Cyber Resilience Act, formally Regulation (EU) 2024/2847, was adopted on 23 October 2024 and entered into force on 11 December 2024. Its full application begins three years later — December 11, 2027 — except for incident-reporting duties (which kick in earlier, on 11 September 2026) and a few specific provisions. The regulation covers any product with digital elements (PDE) — hardware or software — that connects directly or indirectly to a device or network.

The CRA establishes essential cybersecurity requirements across the product lifecycle: secure-by-design and secure-by-default development, vulnerability handling, automatic security updates by default, and a 24-month minimum security-update support period (with sectoral exceptions). For "important" and "critical" PDE classes, third-party conformity assessment is required. Manufacturers must produce a CE mark indicating conformity. The European Commission's CRA Expert Group, ENISA, and CEN/CENELEC are operationalizing technical standards under the Joint Technical Specification process.

What changes

From December 11, 2027:

• All in-scope products require CE marking with cybersecurity assessment.
• Manufacturers must publish a Software Bill of Materials (SBOM) covering top-level dependencies.
• Free and open-source software stewards face new obligations under the open-source-steward category.
• Mandatory disclosure to ENISA and the relevant CSIRT within 24 hours of awareness for actively-exploited vulnerabilities.
• Market-surveillance authorities can order recalls or withdrawals.

Past milestones

• December 11, 2024: CRA enters into force after Council adoption.
• October 2024: Council formally adopts the regulation after EP vote.
• March 2024: European Parliament adopts the trilogue text in plenary.
• November 2023: Trilogue political agreement on open-source carve-out.
• September 2022: Commission publishes the original CRA proposal.

How to follow

Official text and guidance publish at digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act and on the ENISA website (enisa.europa.eu). Implementing acts are tracked via the EUR-Lex CRA portal. Industry coverage from Politico Pro, MLex, Euractiv, and the Linux Foundation's CRA dashboard.

Related countdowns

Pair this with peer EU regulatory pages: EU AI Act enforcement 2026, EU AI Act phase 2 2027, EU Pay Transparency 2026, EU Data Act design obligations 2026, EU EUDR application 2026, and EU MiCA transitional period end 2026.

FAQ

When does the CRA become fully applicable? December 11, 2027. Where does it apply? Any product with digital elements placed on the EU single market, regardless of where the manufacturer is established. Why does the CRA matter? It is the first horizontal cybersecurity law for connected products globally and sets a de facto worldwide standard via the "Brussels effect." What about open-source software? The CRA includes carve-outs for non-commercial open-source software; commercial OSS faces tailored obligations through the open-source-steward category.