When does the CRA enter into force and when does the regulation start to apply?

The Cyber Resilience Act (CRA) entered into force on December 11, 2024. Reporting obligations of actively exploited vulnerabilities and severe incidents (Article 14) start to apply on September 11, 2026. All other obligations for software developers start to apply on December 11, 2027.

%%{init: {'theme':'base'}}%%
gantt
    title CRA Implementation Timeline
    dateFormat  YYYY-MM-DD
    axisFormat %Y
    tickInterval 1year

    Drafting phase: 2024-01-01, 2024-11-20
    Publication in the Official Journal of the EU (November 20, 2024): milestone, 2024-11-20, 5m
    Entry into force (December 11, 2024): milestone, 2024-12-11, 5m
    Implementation phase: 2024-12-11, 3y
    Reporting obligations of vulnerabilities and incidents (September 11, 2026): milestone, 2026-09-11, 5m
    Notification of conformity of assessment bodies (June 11, 2026): milestone, 2027-06-11, 5m
    All other obligations (December 11, 2027): milestone, 2027-12-11, 5m
    Application phase: 2026-09-11, 2029-06-30