CRA Compliance Roadmap 2025–2027 — Key Dates

Three key dates everyone gets wrong

11 Jun 2026

Chapter IV (notified bodies) applies — Art. 71(2)

11 Sept 2026

Article 14 vulnerability reporting applies — Art. 71(2)

11 Dec 2027

Full application of substantive obligations — Art. 71(2)

The CRA timeline, milestone by milestone

Every date that follows comes from the regulation itself. Dates are verified against the published text in OJ L of 20 November 2024.

20 November 2024 — Publication in the Official Journal

Regulation (EU) 2024/2847 published in OJ L (ELI: http://data.europa.eu/eli/reg/2024/2847/oj).

10 December 2024 — Entry into force

Twentieth day after publication (Art. 71(1)). Delegated-act power conferred for an initial period of five years (Art. 61(2)). Reference date for several downstream obligations on the Commission.

11 December 2025 — Commission implementing and delegated acts due

Implementing act specifying the technical description of Annex III and Annex IV product categories (Art. 7(4)). Delegated act on the conditions for delaying dissemination of vulnerability notifications on cybersecurity-related grounds (Art. 14(9)).

11 June 2026 — Chapter IV applies (notified bodies)

Articles 35–51 apply: Member States may begin notifying conformity assessment bodies via NANDO. Bodies can begin operating two weeks after notification when accredited, or two months without accreditation (Art. 43(5)).

11 September 2026 — Article 14 reporting applies

Manufacturers must notify actively exploited vulnerabilities and severe incidents via the single reporting platform: 24h early warning, 72h notification, 14-day final report (1 month for incidents). Applies retroactively to products placed before 11 December 2027 (Art. 69(3)).

11 December 2026 — Notified-body availability target

Member States shall strive to ensure a sufficient number of notified bodies in the Union to carry out conformity assessments (Art. 35(2)). This is a soft target on Member States, not on manufacturers.

11 December 2027 — Full application

The substantive regime starts: Articles 13, 31, 32, 28, 30 and all Annex I requirements. CE marking required for any product placed on the market from this date forward. Products placed before this date are not retroactively covered, unless substantially modified (Art. 69(2)).

11 June 2028 — Transitional certificates expire

EU type-examination certificates and approval decisions issued under cybersecurity rules in other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier (Art. 69(1)).

11 September 2028 — First single-reporting-platform review

The Commission shall submit a report to the European Parliament and the Council on the effectiveness of the single reporting platform, including the application of cybersecurity-related grounds for delaying dissemination (Art. 70(2)).

11 December 2027 — Representative actions effective

Directive (EU) 2020/1828 on representative actions becomes applicable to CRA infringements that harm collective interests of consumers from 11 December 2027 (Recital 124 / Art. 65).

11 December 2030 — First Commission evaluation report

First evaluation and review report of the regulation to the European Parliament and the Council, and every four years thereafter (Art. 70(1)).

Common mistakes

❌

STAGGERED DATES MISSED

“We will start CRA work in mid-2027”

Too late. Article 14 reporting kicks in on 11 September 2026 — fifteen months before the main application date — and even applies to products you placed on the market before then (Art. 69(3)). Vulnerability handling processes, single point of contact and coordinated vulnerability disclosure policy need to exist by that earlier date.

❌

STANDARDS DEPENDENCY

“We will wait for the final harmonised standards”

The harmonised standardisation request under Art. 27 is in progress and references in the Official Journal are expected during the transitional period (Recital 80). If standards are delayed, the Commission may adopt common specifications by implementing act as a fallback (Art. 27(2)). You cannot wait indefinitely — 11 December 2027 does not move.

❌

LEGACY PRODUCT MYTH

“Our existing product line is grandfathered forever”

Only partly. Article 69(2) exempts products placed on the market before 11 December 2027 from the substantive regime — but only until they are substantially modified. From then on, the product is treated as new and the full regime applies. And Article 14 reporting applies to legacy in-scope products from 11 September 2026 (Art. 69(3)).

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Is it a hardware or software product (or component) with digital elements?

Art. 3(1) — “product with digital elements”

Can it connect directly or indirectly to a device or network?

Art. 2(1) — logical or physical data connection

Will it be placed or made available on the EU market in the course of a commercial activity?

Art. 3(21)(22) + Recital 15

Is it NOT excluded? (not a medical device, not a motor vehicle, not certified aviation, not marine equipment, not national security/defence-only, not a spare part)

Art. 2(2)–(7)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

📅 COMPLIANCE PROGRAMME MANAGER (12-MONTH ENGAGEMENT)

€60,000–€120,000

Project management of the multi-deadline roadmap across legal, R&D, security and product. Required for large catalogues; overkill for a single product.

CRACHECK — SAME OUTPUT

€149

Per-product dossier with personalised Obligations Calendar tracking Articles 14, 31, 32, 71 and the 5-year support period for your product.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

What is the difference between ‘entry into force’ and ‘application’?

Entry into force (10 December 2024) is when the regulation becomes part of the EU legal order — delegated-act timers start, the Commission can begin secondary legislation. Application (11 December 2027 in the main case) is when manufacturers must actually comply. Article 71 sets three different application dates for different parts of the text.

Does Article 14 really apply before everything else?

Yes. Article 71(2) is explicit: ‘However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026’. Article 69(3) adds that Article 14 reporting also applies to products placed on the market before 11 December 2027. That means a vulnerability in a 2024 product, exploited in 2026, must be notified within 24 hours to ENISA and the relevant CSIRT.

When will harmonised standards be published?

Recital 80 says ‘the timely development of harmonised standards during the transitional period… will be particularly important’. The Commission has issued a standardisation request to CEN, CENELEC and ETSI. Publication of references in the Official Journal is expected before 11 December 2027. If delays persist, Art. 27(2) allows fallback common specifications by implementing act.

What if a delegated act misses its deadline?

Article 7(4) gives a hard deadline of 11 December 2025 for the implementing act specifying technical descriptions of Annex III and IV categories. Article 14(9) gives the same deadline for the delegated act on delaying notification dissemination. If the Commission misses a deadline, the obligation still applies on the underlying article text — but practical clarity may suffer.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

The CRA compliance timeline: every Article 71 milestone from entry into force on 10 December 2024 to full application on 11 December 2027