CRA Countdown to September 2026

The clock is already ticking on the Cyber Resilience Act (CRA). From 11 September 2026, manufacturers must be able to detect, manage and report actively exploited vulnerabilities and severe incidents within strict legal timeframes, or risk significant penalties.

This practical SafeShark guide explains:

• • What the CRA vulnerability reporting requirements mean in practice

• • The reporting timelines organisations must meet

• • What processes, monitoring and governance need to be in place

• • How ENISA and CSIRT reporting works

• • The operational steps manufacturers should be taking now

If your organisation cannot currently identify and report vulnerabilities within the required timelines, action is needed now – not in 2027.

Download the guide to understand your obligations and assess your readiness ahead of the September 2026 deadline.