Where the CRA stands today
A running view of the Cyber Resilience Act's implementation; what has happened, what is in progress, and the dates still ahead.
June 2026
Milestones
Full application
The bulk of obligations apply; products placed on the market must meet the essential requirements and carry the CE marking.
UpcomingRemaining standards expected
The remaining horizontal harmonised standards are due; roughly a year before full application, so manufacturers can rely on them.
ExpectedVertical standards expected
The product-specific (vertical) harmonised standards are due to be delivered.
ExpectedReporting obligations apply
Manufacturers must notify actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT. ENISA's single reporting platform (Article 16) is to be operational by this date.
UpcomingFirst core standards expected
The two key horizontal standards (secure development and vulnerability handling) are due to be delivered, ahead of the other horizontal standards.
ExpectedGuidance & standards development
The Commission is publishing guidance (a living FAQ and Article 26 guidance) while the European standards bodies draft the harmonised standards.
In progressStandardisation request accepted
CEN, CENELEC and ETSI accepted the Commission's request M/606 to develop around 41 harmonised standards (15 horizontal and the remainder vertical, product-specific).
CompleteEntered into force
The CRA became law across the EU; the implementation clock started.
CompleteAdopted and signed into law
The Regulation was formally adopted by the European Parliament and Council.
Complete