EU Cyber Resilience Act Enforcement Begins with New Reporting Requirements
The EU Cyber Resilience Act's vulnerability reporting obligations take effect, requiring manufacturers of products with digital elements to report actively exploited vulnerabilities within 24 hours.
What happened: The European Union's Cyber Resilience Act (CRA) reached its first enforcement milestone, with vulnerability reporting obligations now mandatory for manufacturers of products with digital elements sold in the EU market. Manufacturers must report actively exploited vulnerabilities to ENISA (the EU Agency for Cybersecurity) within 24 hours of becoming aware of exploitation, with a full vulnerability notification due within 72 hours. The reporting requirements apply to all connected devices, software, and hardware products.
Technical details: The CRA reporting requirements mandate that manufacturers establish processes for monitoring vulnerability information related to their products, have the capability to identify when vulnerabilities are being actively exploited, and submit structured reports to ENISA through a dedicated reporting platform. Reports must include vulnerability details, affected product versions, known exploitation methods, available mitigations, and patching timelines. The 24-hour initial notification requires basic vulnerability information, while the 72-hour full notification requires technical detail and remediation plans. Non-compliance penalties can reach up to 15 million euros or 2.5% of global turnover.
Who is affected: Any manufacturer selling products with digital elements (software, hardware, IoT devices, connected products) in the EU single market, regardless of where the manufacturer is headquartered. Open-source software developed in a non-commercial context is excluded. The regulation affects global technology companies, IoT device manufacturers, and software vendors. Full product security requirements under the CRA take effect in 2027.
What defenders should do: Organizations manufacturing or distributing products in the EU should establish CRA compliance programs immediately. Implement vulnerability tracking and monitoring capabilities for all products. Establish incident response procedures that can meet the 24-hour reporting deadline. Engage with legal counsel to determine which products fall within CRA scope. Begin preparing for the full CRA requirements, including the security-by-design mandates that take effect in 2027.
Broader implications: The CRA represents the most comprehensive product cybersecurity regulation globally and will significantly influence how technology products are designed, maintained, and supported. The 24-hour reporting requirement for exploited vulnerabilities is more aggressive than most existing regulations and will force manufacturers to invest in continuous vulnerability monitoring. The regulation may become a de facto global standard as manufacturers adopt CRA compliance practices across all markets rather than maintaining separate processes for EU and non-EU products.