EU CRA Compliance Deadlines

Product development takes time. Get prepared and know these dates.

The Time Is Now. Get Started Today.

The Countdown Has Begun

Product development takes time and the EU won't wait or make an exception. Get started now understanding the timeline and EU CRA requirements that will impact your new device EU market entry. Here’s what you need to know:

1. In September 2026, manufacturers must report exploited vulnerabilities. In order to do that, you should have already built some of the cybersecurity programs and protocols. This means you will need to regularly monitor for security issues, fix vulnerabilities quickly, report active exploits to ENISA within 24 hours, and notify users if their security is at risk. A conservative estimate for implementing and maintaining a vulnerability management process for a single connected product is approximately 0.5 to 1.0 Full-Time Equivalent (FTE) per year. This assumes your company already has a product security team and CI/CD infrastructure in place. If starting from scratch, the initial setup could push your Year 1 needs to 1.5+ FTE.

2. On July 16, 2027, full compliance becomes mandatory for all new products with digital elements placed on the EU market. All new connected products (hardware or software) introduced in the EU must comply with CRA cybersecurity requirements. Manufacturers must complete a conformity assessment (self-assessment or third-party, depending on product class).

Product requirements are as follows:

  • Be secure by design and default
  • Support automatic security updates for at least 5 years
  • Be ready for 24-hour reporting of actively exploited vulnerabilities to ENISA
  • Include vulnerability management processes
  • Include a Software Bill of Materials (SBOM)
  • Display a CE mark to enter the EU market

3. July 16, 2028, is the deadline for legacy products to comply with CRA.

Key Dates for EU CRA Compliance

EU CRA Compliance Starts Here

USA Firmware can help you meet the evolving expectations of global regulators with precision-engineered cybersecurity services that deliver more than box-checking—they deliver confidence. We help you:

  • Navigate CRA’s legal landscape
  • Maintain trust with regulators and customers
  • Enhance security across the lifecycle
  • Extend value beyond compliance

Partner with USA Firmware to meet these deadlines. We can help you integrate compliance, minimize disruption, and secure your place in the future of connected devices.

Interested in one of our service offerings? Click here for more information or contact us today by completing the online form on this page.

Get in Touch

Thank you for your interest in USA Firmware.

Please let us know how we can be of help to you today.