Cybersecurity | Countdown to the EU’s New CRA Regulations: Mandatory Reporting of Cybersecurity Incidents Starting in September 2026!

What happens when a cybersecurity issue stops being a theoretical risk and starts unfolding in the real world?

As the EU Cyber Resilience Act (CRA) approaches its critical milestones, the countdown has officially begun: starting from September 2026, the reporting obligations under Article 14 will become mandatory—even for legacy products already on the market.

Under Article 14, manufacturers must know exactly whom to notify, how fast to report, and what information to provide. When a crisis strikes, speed is everything.

Two Critical Scenarios Triggering CRA Reporting:

01. Actively Exploited Vulnerabilities

When a flaw is actively being exploited by attackers ➔ An early warning must be issued within 24 hours, followed by a detailed notification within 72 hours, and a final report once mitigation measures are implemented.

02. Severe Security Incidents

When a product's security faces a severe risk (even if no actual exploitation has occurred yet) ➔ The same fast-track reporting channel must be utilized, accompanied by structured progress reports.

All notifications will be processed through a single reporting platform, ensuring seamless coordination with Computer Security Incident Response Teams (CSIRTs) across Europe and the European Union Agency for Cybersecurity (ENISA).

This is not just about regulatory compliance; it is about rapid response, user protection, and minimizing damage in real time.