CRA Vulnerability Reporting: September 2026 is Around the Corner
Starting September 11, 2026, manufacturers must notify ENISA within 24 hours of an actively exploited vulnerability. Most don't have the four operational capabilities required. Here's what needs to be in place.

Doc McConnell
Head of Policy and Compliance
The EU Cyber Resilience Act (CRA) sets a new cybersecurity standard for product manufacturers in the European Union, making them accountable for digital resilience throughout the entire product lifecycle. Most of the CRA requirements take effect in December 2027, but one set of provisions—the Article 14 requirements to report actively exploited vulnerabilities within 24 hours—starts much earlier. That obligation takes effect on September 11, 2026, and most manufacturers are not prepared.
Don’t Wait Until September to Start
Companies that are planning for CRA compliance are likely familiar with the December 2027 deadline: their products must meet essential cybersecurity requirements, undergo a conformity assessment, and have a robust, audit-ready technical evidence package.
But there is a more pressing deadline in just a few weeks. Beginning on September 11, 2026, manufacturers must have vulnerability reporting workflows in place and operational. Manufacturers need to monitor vulnerabilities to determine when they affect products on the market and if they’ve been exploited in the wild. When that happens, the CRA defines aggressive reporting deadlines:
- Within 24 hours, manufacturers must make an initial notification to ENISA and a designated CSIRT.
- Within 72 hours, manufacturers owe a detailed follow-up notification, including a description of corrective action.
- Within 14 days, once a mitigation is available, manufacturers owe a final report with details on the vulnerability and any exploitation that occurred.
Most manufacturers, even those that have vulnerability management programs in place, aren’t prepared to meet the CRA requirements. Full compliance requires coordination across four separate functions:
- Vulnerability disclosure: The company must have processes, policies, and technology in place to receive and analyze vulnerability reports and to communicate with the security researcher to coordinate disclosure.
- Product security: For each disclosure, the product team must be able to receive, investigate, mitigate, and ship a fix. They must be able to assess impact and accurately report the nature of the vulnerability to EU regulators within 24 hours.
- Customer communication: Customer success teams must be able to identify which customers are affected by a particular vulnerability, know where they are located, and communicate the necessary mitigating actions—without compromising customer trust or the company’s reputation.
- Supply chain awareness: Companies need to have an accurate, up-to-date understanding of what hardware and software components are in each version of every product. They must maintain that data across new releases, so that if a single component has an actively exploited vulnerability, they can meet CRA reporting obligations.
In many companies, meeting these requirements takes cooperation among multiple cross-functional teams. Manufacturers need to have these communication lines established and tested ahead of time. The CRA requires a notification within 24 hours of learning about a newly exploited vulnerability; there won’t be time to figure this out on the fly.
The Monitoring Obligation Is Expansive
The continuous monitoring requirement is particularly challenging because the CRA obligates manufacturers to have visibility into past product releases and all components integrated into their products. That means that beginning in September, manufacturers need a complete view into vulnerabilities distributed across software supply chains, embedded in third-party components with limited transparency, scattered across regional product variants, and buried in firmware that may have been compiled years before the current release.
The CRA also imposes ongoing obligations as the products evolve. With every new release, manufacturers must update their inventory of components, correlate against newly disclosed CVEs, and be able to distinguish between raw CVSS scores and actual exploitable product vulnerabilities.
For many companies, meeting these new obligations will require new infrastructure. Today, that infrastructure may not exist or may be fragmented across different teams and disconnected tools. Companies will have to treat product security as a continuous workflow that integrates proactive vulnerability management into the development lifecycle, rather than as reactive crisis response.
Good News: Compliance Is a Market Advantage
Although CRA compliance may be daunting, companies that do it well will differentiate themselves in a competitive market. Enterprise buyers and OEM procurement teams will increasingly expect suppliers to demonstrate defensible, evidence-backed security across their product lifecycle. Buyers are already asking for machine-readable SBOMs, clear vulnerability disclosure processes, and data to back up vulnerability disclosure decisions. Under the CRA, manufacturers are accountable for risks in their supply chains, so as buyers they will look to their own suppliers for evidence of ongoing product security over time.
Organizations that can demonstrate this kind of security and back it up with evidence will have a measurable advantage in procurement cycles. Those that cannot will face friction: extended audits, delayed sourcing decisions, and, eventually, market access constraints.
What to Do Before September 11
September 11 is three months away. Organizations should treat this moment as an opportunity to make meaningful operational changes, not simply as a compliance exercise. Setting up the proper vulnerability monitoring and disclosure infrastructure will pay immediate dividends and lay a strong foundation for the CRA’s requirements in 2027. Specifically, manufacturers should establish four functional capabilities right now:
- Operationalize vulnerability disclosure: Establish a process for receiving and routing a vulnerability notification. Decide who has the authority to approve an ENISA notification within 24 hours. Then test it.
- Strengthen product security: Establish routine and emergency change processes to ensure that new vulnerabilities can be addressed quickly. This enables the company to report to ENISA that vulnerabilities have been fixed, not just identified.
- Systematize customer communication: Create or update an inventory of which products are available in which markets, including version numbers. Establish targeted communication channels that allow for sharing vulnerability information with specific customer segments.
- Build supply chain awareness: Create an SBOM for each product. Identify a source of vulnerability intelligence and begin correlating it against product components. Taking immediate action requires automation and continuous monitoring; manual, ad hoc review is not enough.
Teams that have these capabilities operational before September 11 will meet the first CRA deadline and have a foundation to build toward December 2027 capabilities. Teams that do not will risk non-compliance penalties: administrative fines of up to €15,000,000 or 2.5% of worldwide annual turnover, whichever is higher, and potential loss of access to the EU market.
For companies that don’t already have this infrastructure in place, Finite State can help. Our managed CRA compliance service delivers a living SBOM, cybersecurity risk assessment, continuous product vulnerability monitoring, managed vulnerability disclosure support, and a technical documentation package. All are maintained as a service for a designated product. The service stands up in two weeks, which means teams should start now to be operational before the deadline.
Let us help you make a plan for September: request a CRA consultation today.
Frequently Asked Questions
What does CRA Article 14 require from manufacturers? Article 14 requires manufacturers to notify ENISA and a designated EU member-state CSIRT within 24 hours of becoming aware of an actively exploited vulnerability in their product, followed by a 72-hour detailed notification; a final report must follow within 14 days of a mitigation or corrective action becoming available. The reporting clock starts when the manufacturer has determined both that the product is affected and that active exploitation is occurring, not when the CVE was published.
When do CRA Article 14 reporting obligations apply? September 11, 2026. From that date, manufacturers selling connected products in the EU must have operational disclosure workflows in place. The remaining CRA obligations — including “essential cybersecurity requirements” and the technical documentation package — apply from December 11, 2027.
What is the difference between the September 2026 and December 2027 CRA deadlines? September 2026 is an operations deadline requiring continuous vulnerability monitoring, a tested disclosure workflow, and a current SBOM for each designated product. All of the remaining CRA requirements apply beginning in December 2027, including secure-by-default product configurations, access control mechanisms, and a complete technical evidence package. Preparation to meet the September 2026 deadline is necessary foundational work to be ready for December 2027.
What triggers the 24-hour CRA reporting clock? The company must determine that (1) their product is affected by a known vulnerability, and (2) that vulnerability has been actively exploited in the wild. If those are both true, the manufacturer is obligated to report to ENISA and notify its customers.
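The correlation step described under “Build supply chain awareness” and the two-part trigger described in this FAQ are straightforward to express as code. The following is an added worked example, not code from this post or from Finite State’s service. It correlates a per-release component inventory against a vulnerability feed and a separate list of vulnerabilities observed being exploited, keeps only the findings that satisfy both Article 14 conditions (product affected and exploitation active), and computes the 24-hour, 72-hour and 14-day deadlines from the time the manufacturer became aware. Every product name, component, version, CVE id and timestamp below is a constructed placeholder; the feed formats are simplified and are not any real catalogue’s schema.

```python
"""Correlate a product SBOM inventory against a vulnerability feed and an
actively-exploited list, then compute CRA Article 14 reporting deadlines.

All data in this file is CONSTRUCTED for illustration. The CVE ids are
placeholders (CVE-0000-000x), not real advisories.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed SBOM inventory: product -> shipped version -> [(component, version)].
# Older releases stay in the inventory because the monitoring obligation covers
# every release still on the market, not only the current one.
SBOM = {
    "edge-gateway": {
        "2.3.0": [("libfoo", "1.4.2"), ("tlslib", "3.0.8"), ("shell-utils", "1.36")],
        "2.4.0": [("libfoo", "1.5.0"), ("tlslib", "3.0.8"), ("shell-utils", "1.36")],
    },
    "sensor-node": {
        "1.0.7": [("libfoo", "1.4.2"), ("rtos-kernel", "5.2")],
    },
}

# Constructed vulnerability feed: placeholder ids, exact affected versions, CVSS base score.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "component": "libfoo", "affected": {"1.4.2"}, "cvss": 9.8},
    {"cve": "CVE-0000-0002", "component": "tlslib", "affected": {"3.0.8"}, "cvss": 5.3},
    {"cve": "CVE-0000-0003", "component": "rtos-kernel", "affected": {"5.1"}, "cvss": 7.5},
]

# Constructed list of vulnerabilities with observed in-the-wild exploitation
# (the shape a known-exploited catalogue feed would give you after parsing).
ACTIVELY_EXPLOITED = {"CVE-0000-0002"}

# Constructed timestamps: when the manufacturer confirmed both trigger conditions,
# and when a mitigation became available.
EXAMPLE_AWARE_AT = datetime(2026, 9, 12, 9, 0, tzinfo=timezone.utc)
EXAMPLE_MITIGATION_AT = datetime(2026, 9, 14, 17, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    component: str
    cve: str
    cvss: float
    exploited: bool


def correlate(sbom, advisories, exploited):
    """Match every (component, version) of every shipped release against the feed."""
    findings = []
    for product, versions in sbom.items():
        for version, components in versions.items():
            for comp, comp_ver in components:
                for adv in advisories:
                    if adv["component"] == comp and comp_ver in adv["affected"]:
                        findings.append(Finding(product, version, comp, adv["cve"],
                                                adv["cvss"], adv["cve"] in exploited))
    return findings


def article14_reportable(findings):
    """Keep only findings that meet both conditions: product affected AND actively exploited.

    A high CVSS score alone (CVE-0000-0001 at 9.8 here) still needs fixing,
    but it does not start the Article 14 clock."""
    return [f for f in findings if f.exploited]


def affected_releases(findings, cve):
    """Which (product, version) pairs carry a given CVE: the list customer
    communication needs to target the right customer segments."""
    return sorted({(f.product, f.version) for f in findings if f.cve == cve})


def reporting_deadlines(aware_at, mitigation_available_at=None):
    """Article 14 deadlines measured from awareness; the final report is
    measured from when the mitigation became available."""
    deadlines = {
        "initial_notification": aware_at + timedelta(hours=24),
        "detailed_notification": aware_at + timedelta(hours=72),
    }
    if mitigation_available_at is not None:
        deadlines["final_report"] = mitigation_available_at + timedelta(days=14)
    return deadlines


if __name__ == "__main__":
    all_findings = correlate(SBOM, ADVISORIES, ACTIVELY_EXPLOITED)
    for f in all_findings:
        print(f"{f.product} {f.version}: {f.component} {f.cve} cvss={f.cvss} exploited={f.exploited}")
    for f in article14_reportable(all_findings):
        print("REPORTABLE:", f.cve, affected_releases(all_findings, f.cve))
    for name, when in reporting_deadlines(EXAMPLE_AWARE_AT, EXAMPLE_MITIGATION_AT).items():
        print(f"{name}: {when.isoformat()}")
```

In this constructed data the sensor-node release carries the most severe score but is not reportable under Article 14, while both edge-gateway releases are, because the same exploited component version ships in each. A real implementation would replace the exact-version sets with version-range matching and feed the deadline timestamps into the escalation workflow that holds the authority to approve the ENISA notification.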