
Chapter 2 of 12

Module 2: CRA Timelines and Transition Periods (2024–2027)

Explains when the CRA entered into force, when different obligations start to apply, and what this means for planning software product roadmaps.

15 min read

1. Why CRA Timelines Matter for You (2024–2027)

In Module 1, you saw what the Cyber Resilience Act (CRA) is and who it targets. In this module, we focus on when different CRA obligations apply and how this affects software product planning.

Big picture

Between 2024 and 2027, the CRA moves through three main phases:

  1. Entry into force – the law formally exists (late 2024)
  2. Early obligations – some duties start earlier (especially vulnerability reporting) in 2026
  3. Full applicability – most obligations apply from 11 December 2027

You will learn to:

  • Identify the key CRA dates and what changes at each point
  • Distinguish between existing products already on the EU market and new or substantially modified products after December 2027
  • Understand what these dates mean for software release planning and roadmaps up to 2027

> Think of the CRA timeline like a software rollout: alpha (law exists), beta (some features live), and full release (all features enforced).

2. Key CRA Milestones (Chronological Overview)

Let’s place the main dates on a simple timeline. These dates reflect the adopted CRA text, Regulation (EU) 2024/2847, as published in the Official Journal in late 2024.

Core dates to remember

  • 10 December 2024 – Entry into force (the Regulation is officially in force in the EU, twenty days after its publication in the Official Journal)
  • 11 September 2026 – Early vulnerability reporting obligations start
    • Manufacturers must start reporting actively exploited vulnerabilities and severe incidents affecting product security to ENISA and their designated national CSIRT within strict timelines (details in later modules)
  • 11 December 2027 – General applicability
    • Most CRA requirements apply to products with digital elements placed on the EU market from this date

Visual description (timeline)

Imagine a horizontal line:

  • On the left, a marker: Dec 2024 – CRA exists, but big obligations not yet active
  • In the middle, a marker: Sept 2026 – reporting obligations turn on
  • On the right, a marker: Dec 2027 – full CRA regime applies to most new / substantially modified products

We will now unpack what changes at each of these markers.

3. Quick Ordering Exercise: Arrange the CRA Dates

Mentally (or on paper) arrange these events in the correct chronological order and then check yourself below.

Events:

  1. General CRA applicability to most obligations
  2. CRA enters into force
  3. Early vulnerability and incident reporting obligations begin

Your task: Write down the order (e.g., 2 → 3 → 1), then reveal the answer:

<details>

<summary>Show the correct order</summary>

Correct order:

  1. CRA enters into force – 10 December 2024
  2. Early reporting obligations begin – 11 September 2026
  3. General CRA applicability – 11 December 2027

</details>

Reflect: Did any date surprise you? Many manufacturers underestimate how soon reporting obligations start compared to full applicability.

4. Step-by-Step: What Happens on 10 December 2024?

On 10 December 2024, the CRA enters into force.

What this does not mean yet

  • You do not instantly need CRA‑compliant documentation for all products.
  • You do not yet have full CRA conformity assessment obligations.

What it does mean

  • The CRA is now binding EU law.
  • The transition clock starts. The later dates (2026 and 2027) are now fixed reference points.
  • National authorities and market players begin preparing:
    • Drafting guidance
    • Setting up internal compliance programs
    • Updating contracts and security processes

Why this matters for planning

From December 2024, manufacturers should:

  • Map their product portfolio: Which products are in scope? Which are critical for the EU market?
  • Identify long‑lifecycle products: Products that will still be sold or significantly updated after Dec 2027 are priority candidates for early CRA alignment.

> Think of Dec 2024 as the moment when the “countdown to compliance” officially starts, even though you are not yet fully bound by most obligations.

5. Example: Planning Around the 11 September 2026 Reporting Start

From 11 September 2026, the CRA’s vulnerability and incident reporting obligations apply, ahead of the rest of the Regulation.

This mainly affects manufacturers, but also has implications for importers and distributors.

Practical example

Scenario: You are a software manufacturer providing an IoT home security hub sold in multiple EU countries.

  • Today (2024):
    • You already handle vulnerabilities informally (e.g., via email reports from security researchers).
  • By mid‑2026 (before 11 Sept 2026):
    • You set up a formal vulnerability handling process.
    • You define internal playbooks: who investigates, who decides whether a vulnerability is actively exploited, who submits the report to ENISA and the national CSIRT.
    • You update your incident response plan to include CRA‑specific reporting timelines.
  • From 11 Sept 2026 onwards:
    • When you become aware of an actively exploited vulnerability in your hub, you must report it within the CRA’s deadlines (details in a later module).
    • Failure to report can result in enforcement action even though other CRA obligations are not yet applicable.

Key takeaway

Even if your product will be phased out before 2027, you may still need a robust vulnerability reporting process from September 2026.

6. Full Applicability from 11 December 2027: What Changes?

From 11 December 2027, the CRA becomes generally applicable. This is when most of the obligations you saw in Module 1 actually bite.

Main obligations that become fully applicable

From this date, for products with digital elements placed on the EU market, manufacturers must (among others):

  • Ensure products meet essential cybersecurity requirements (secure design, default configuration, protection against known vulnerabilities, etc.)
  • Perform a risk assessment and integrate it into design and development
  • Provide technical documentation demonstrating conformity
  • Offer security updates and vulnerability handling throughout the product’s support period
  • Use the applicable conformity assessment procedure, draw up the EU declaration of conformity, and affix the CE marking

Who is affected on 11 December 2027?

  • New products placed on the EU market from that date
  • Substantially modified products (even if they were originally placed earlier)

We will define “substantially modified” more concretely in the next step.

7. Existing vs New or Substantially Modified Products

A critical part of the CRA transition is understanding which products must comply when.

1. Products already on the market before 11 December 2027

If a product with digital elements is lawfully placed on the EU market before 11 December 2027 and is not substantially modified afterwards:

  • It can generally continue to be made available (for example, sold from existing stock) without a full CRA conformity assessment.
  • The manufacturer’s vulnerability and incident reporting duties (from 11 September 2026) still apply to it; the CRA explicitly extends those duties to products already on the market.

2. Products placed on the market on or after 11 December 2027

  • Must comply with all applicable CRA requirements from day one.
  • Need appropriate conformity assessment and documentation.

3. Substantially modified products

A product is considered substantially modified when a change made after it was placed on the market:

  • Alters the intended purpose for which the product was assessed, or
  • Affects its compliance with the essential cybersecurity requirements, i.e. significantly changes its cybersecurity properties or risk profile.

In such cases, even if the product was first placed on the market before 11 December 2027, a substantial modification after that date triggers full CRA obligations for the modified version. Security updates that only fix vulnerabilities and do not change the intended purpose are not, by themselves, substantial modifications.

> In practice: big feature upgrades, architecture changes, or major integrations can be treated like “new” products for CRA purposes; routine security patching is not.

8. Roadmap Examples: Existing vs Substantially Modified Products

Let’s compare two software roadmap scenarios around December 2027.

Example A – Existing product, only minor updates

  • Product: A desktop password manager app sold in the EU since 2023.
  • 2025–2027: You release minor patches: bug fixes, small UI changes, non‑security features.
  • After 11 Dec 2027:
    • The product version that was placed on the market before Dec 2027 can still be made available without a full CRA assessment, as long as updates do not substantially modify its cybersecurity properties.
    • You must still comply with the vulnerability reporting rules from Sept 2026.

Example B – Substantial modification after 11 Dec 2027

  • Product: Same password manager, but in 2028 you:
    • Integrate cloud‑based sync using new infrastructure and third‑party services
    • Add biometric authentication features
    • Change the encryption model and storage architecture
  • These changes significantly alter the cybersecurity risk profile.
  • Result: The updated product is treated as substantially modified and must comply with full CRA requirements (risk assessment, documentation, conformity assessment, etc.), even though the original product existed pre‑2027.

Planning insight

When planning your roadmap for 2026–2028, you should:

  • Identify which releases are maintenance/minor vs major/substantial.
  • Time major redesigns with the understanding that post‑Dec 2027 substantial changes will likely require full CRA compliance.

9. Thought Exercise: Classify Your Hypothetical Product

Imagine you are responsible for an EU‑market software product. Choose one of these or invent your own:

  • A mobile banking app
  • A smart thermostat controller app
  • A SaaS project management tool

Task: Answer these questions (write down brief notes):

  1. Will your product still be sold or actively maintained after 11 December 2027?
    • If yes, you should plan for full CRA compliance.
  2. Do you expect major feature or architecture changes after 2027?
    • If yes, those changes might be substantial modifications.
  3. What must you have in place by 11 September 2026?
    • Hint: think about vulnerability and incident reporting.
  4. What documentation and design changes need to be ready by 11 December 2027?
    • Hint: think about risk assessment, secure development, and technical documentation.

<details>

<summary>Sample reflection for a smart thermostat controller app</summary>

  1. Yes, the app will still be in use and sold after Dec 2027 → plan for full CRA compliance.
  2. In 2028, we plan to add remote access via a new cloud backend → likely a substantial modification.
  3. By Sept 2026, we need a formal vulnerability handling and reporting process and clear internal responsibilities.
  4. By Dec 2027, we need documented security requirements, threat models, update policies, and evidence that the app meets CRA’s essential cybersecurity requirements.

</details>

10. Check Understanding: Dates and Applicability

Answer this question to test your understanding of CRA timelines.

A manufacturer releases a connected camera in the EU in June 2026 and makes only minor bug‑fix updates after that. Which statement is MOST accurate regarding CRA obligations?

  1. The camera must fully comply with all CRA requirements from its first release in June 2026.
  2. The camera is affected by early reporting obligations from September 2026, but full CRA requirements only apply if it is substantially modified after 11 December 2027.
  3. The camera is completely exempt from the CRA because it was placed on the market before 11 December 2027, regardless of later modifications.
<details>

<summary>Show answer</summary>

Answer: 2) The camera is affected by early reporting obligations from September 2026, but full CRA requirements only apply if it is substantially modified after 11 December 2027.

Because the camera is placed on the market before 11 December 2027, it is not automatically subject to full CRA requirements at launch. However, from 11 September 2026, the manufacturer must comply with the early vulnerability and incident reporting obligations. Full CRA obligations would apply to this product only if it is substantially modified on or after 11 December 2027 (a new product placed on the market from that date would have to comply from day one).

</details>

11. Review Key Terms and Dates

Use these flashcards to reinforce the core CRA timeline concepts.

CRA Entry into Force
The date when the Cyber Resilience Act formally becomes EU law: **10 December 2024**. The regulation exists and the transition period begins, but most obligations are not yet applicable.
Early Reporting Obligations Start
From **11 September 2026**, manufacturers must comply with CRA rules on reporting actively exploited vulnerabilities and severe incidents to ENISA and their designated national CSIRT, even before full CRA applicability.
General Applicability Date
From **11 December 2027**, most CRA obligations apply to products with digital elements placed on the EU market, including risk assessment, security requirements, documentation, and conformity assessment.
Product Already on the Market (Pre‑Dec 2027)
A product lawfully placed on the EU market before **11 December 2027**. It can generally continue to be made available without full CRA re‑certification, unless it is substantially modified.
Substantially Modified Product
A product whose intended purpose or cybersecurity properties are significantly changed (e.g., major new features, architecture changes). After 11 December 2027, such modifications can trigger full CRA obligations, even for older products.
Transition Period (2024–2027)
The phase between CRA entry into force (Dec 2024) and general applicability (Dec 2027), during which organizations must prepare processes, documentation, and product designs for full compliance, with early reporting obligations starting Sept 2026.

Key Terms

ENISA
The European Union Agency for Cybersecurity, which receives certain vulnerability and incident reports under the CRA.
Entry into force
The date on which a regulation becomes legally valid in the EU. For the CRA, this is 10 December 2024.
Transition period
The time window between CRA entry into force (Dec 2024) and full applicability (Dec 2027), used by organizations to adapt processes, designs, and documentation to meet future obligations.
Placed on the market
The first time a product is made available on the EU market, whether for payment or free of charge.
Conformity assessment
The process of demonstrating that a product meets the applicable CRA requirements, which may involve internal checks, external audits, or use of harmonized standards.
General applicability
The date from which most obligations of a regulation start to apply in practice. For the CRA, this is 11 December 2027.
Substantial modification
A change to a product that alters its intended purpose or significantly affects its cybersecurity properties or risk profile, potentially triggering new CRA obligations.
Cyber Resilience Act (CRA)
An EU regulation setting horizontal cybersecurity requirements for products with digital elements, aiming to improve security throughout their lifecycle.
Early reporting obligations
CRA duties that start earlier than full applicability, requiring manufacturers to report actively exploited vulnerabilities and incidents from 11 September 2026.
Product with digital elements
Any software or hardware product that directly or indirectly connects to a network or another device and can process data digitally.