CRA Reporting Obligations from September 2026: Have You Considered Them?

17 June 2026

Many manufacturers of products with digital elements continue to focus their preparation for the Cyber Resilience Act (CRA) strongly on 2027. Then the comprehensive security requirements take full effect. However, a key operational milestone is much earlier: the reporting obligations will apply from 11 September 2026.

Phillip Ansorge, Managing Security Consultant at usd AG, accompanies clients in the structured assessment of CRA requirements. His assessment: The organizational and procedural requirements that must be created by September 2026 in order to reliably meet the required reporting obligations are often underestimated.

This is because many reduce these requirements to the act of reporting itself. In fact, the CRA reporting obligations go far beyond that. The real challenge lies in the preparation: for example, whether relevant security events can be detected in a structured way, classified, and escalated internally in time.

In this blog post, Phillip Ansorge puts the requirements of the reporting obligation into context and shows what matters in practical implementation.

If you would like to get an overview of the basics and scope of the CRA in advance, you can find them in our article "7 Questions about the Cyber Resilience Act".

Which CRA Obligations Apply from September 2026

From 11 September 2026, manufacturers must report vulnerabilities and security incidents as soon as they become aware of them. Not every vulnerability or security incident is reportable, however:

An actively exploited vulnerability, i.e. one with evidence of real attacks rather than merely theoretical exploitability, must be reported. A pure proof of concept or a research finding is not sufficient; the decisive factor is actual exploitation affecting the product.

A significant security incident is reportable if it impairs or may impair the security of a product, in particular with regard to confidentiality, integrity, availability or authenticity. This also includes security incidents in the manufacturer's own environment if they have a direct impact on product security.

The reporting deadlines are clearly defined in Article 14 of the Cyber Resilience Act:

  • Early warning report within 24 hours
  • Full report within 72 hours
  • Final report for actively exploited vulnerabilities no later than 14 days after a fix becomes available; for significant incidents, within one month.

Reports are submitted via the Single Reporting Platform of ENISA (European Union Agency for Cybersecurity).

The practical challenge lies less in submitting the report than in reliably assessing concrete events under time pressure. Decisions must be made, particularly for the early warning report, while the available information is still incomplete. This classification can only succeed if responsibilities, decision processes and assessment criteria are clearly defined and tested in advance.

Note that the reporting deadlines apply regardless of weekends and public holidays. Decision-making and reporting processes must therefore be set up so that they work at any time.
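To make the classification criteria and deadlines above concrete, here is an added example (not code from usd AG or from the post) that encodes them as a small triage helper: it decides whether a constructed event falls into one of the two reportable categories described in the text and computes the 24-hour, 72-hour and final-report deadlines from the moment of awareness. All event attribute names are this example's own, and because the post does not say how "one month" is counted, the helper assumes a calendar month with the day clamped to the month's length. The clocks deliberately run on plain calendar time, so a Saturday-evening awareness yields a Sunday-evening early-warning deadline.

```python
"""Triage and deadline helper for the CRA Article 14 reporting clocks described in the post.
Added example, not the project's or the author's own tooling; assumptions are marked."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar

AEV = "actively_exploited_vulnerability"
SIGNIFICANT_INCIDENT = "significant_incident"


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Event:
    """Facts known at triage time (attribute names are this example's own, not CRA terms)."""
    name: str
    is_vulnerability: bool = False
    exploitation_evidence: bool = False    # evidence of real attacks, not merely a PoC
    affects_product: bool = False          # the exploitation hits the manufacturer's product
    is_incident: bool = False
    impairs_security: bool = False         # impairs or may impair C/I/A/authenticity of the product
    in_manufacturer_environment: bool = False
    direct_product_impact: bool = False    # only matters for incidents in the manufacturer's own environment


def classify(ev: Event) -> Optional[str]:
    """Return the reporting category for the event, or None if it is not reportable."""
    if ev.is_vulnerability and ev.exploitation_evidence and ev.affects_product:
        return AEV
    if ev.is_incident and ev.impairs_security:
        # An incident in the manufacturer's own environment counts only with direct product impact.
        if not ev.in_manufacturer_environment or ev.direct_product_impact:
            return SIGNIFICANT_INCIDENT
    return None


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, day clamped to the target month's length.
    Assumption: the post does not define how 'one month' is counted."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def deadlines(category: str, aware_at: datetime,
              fix_available_at: Optional[datetime] = None) -> dict:
    """Compute the reporting deadlines from the moment of awareness.
    All clocks run on calendar time: weekends and public holidays do not pause them,
    so no business-day logic is applied on purpose."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    result = {
        "early_warning": aware_at + timedelta(hours=24),
        "full_report": aware_at + timedelta(hours=72),
    }
    if category == AEV:
        # Final report 14 days after a fix becomes available; unknown until a fix exists.
        result["final_report"] = (None if fix_available_at is None
                                  else fix_available_at + timedelta(days=14))
    elif category == SIGNIFICANT_INCIDENT:
        result["final_report"] = add_one_month(aware_at)
    else:
        raise ValueError(f"unknown category: {category}")
    return result


def hours_left(deadline: datetime, now: datetime) -> float:
    """Remaining time in hours; negative once the deadline has passed."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: the team becomes aware late on a Saturday evening.
    aware = utc(2026, 9, 12, 22, 0)
    ev = Event("constructed: in-the-wild exploitation of a product's update parser",
               is_vulnerability=True, exploitation_evidence=True, affects_product=True)
    category = classify(ev)
    print(ev.name, "->", category)
    for label, when in deadlines(category, aware).items():
        print(f"  {label}: {when}")
```

The two `classify` branches mirror the two reportable categories from the text: exploitation evidence plus product impact for a vulnerability, and an impairment of confidentiality, integrity, availability or authenticity for an incident, with the extra condition for events inside the manufacturer's own environment. A process owner can run this against a handful of past events to check whether the team's written criteria actually produce the same answer.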

What the CRA Reporting Obligation Means Organizationally

In practice, it has become clear that the reporting obligations are characterized less by individual requirements than by the interplay of several factors.

This requires a change of perspective: Security is no longer just an IT operations topic, but is understood as part of the entire product life cycle.

Against this background, there are crucial factors that manufacturers should address at an early stage:

  • Operationalize short deadlines: The specified time frames require coordinated processes between several functions that interlock in the event of an incident.
  • Anchor product security throughout the entire life cycle: Security applies not only to operation, but also to the development, maintenance and further development of products.
  • Create transparency about products and dependencies: For a quick classification, it is crucial which product is affected in which version and what dependencies exist, for example with third-party providers or cloud services.
  • Consistently align vulnerability management with products: Existing processes often form a good foundation. It is important that they apply consistently in the product context without setting up separate reporting processes for each product.
  • Make reporting decisions under time pressure: In practice, assessments are often carried out in parallel with the analysis. Clear criteria and coordinated decision-making processes provide orientation here.

Your Roadmap to Prepare CRA Reporting Processes

A look at the timeline shows that there are only a few weeks left until the requirements come into force. Depending on the initial situation, the scope of the necessary measures differs significantly.

In order to create a reliable basis, you should clarify the following questions internally by September 2026:

  • Who makes the decision on a report in an emergency?
  • What criteria are used to assess whether an incident is reportable?
  • What information must be available for this and how is a decision made in the event of incomplete data?
  • When is an event considered known and when does the 24-hour period begin?
  • Which products, versions, and dependencies are in scope?
  • Who is responsible in each case?

In addition, you should check:

  • Are the ways of reporting, decision-making processes and communication coordinated under time pressure?
  • Have these processes already been tested on the basis of realistic scenarios?

With regard to the preparation, Phillip Ansorge emphasizes:

"Many of these points cannot be implemented in the short term. This makes it all the more important to clarify at an early stage how to deal with specific cases. Our projects show that if this initial classification is successful, even tight deadlines can be implemented in a manageable way in the next step."

Outlook: CRA Requirements Until December 2027

The CRA reporting obligations from September 2026 mark a first milestone. By December 2027, further requirements will be added, which can be classified into three areas:

  • security throughout the entire product lifecycle ("Secure by Design"),
  • technical documentation and verification in the context of conformity assessment, and
  • the structured handling of vulnerabilities, including coordinated reporting.

For manufacturers, comprehensive preparation is therefore crucial. As with the reporting obligations, the focus here is on the targeted further development of existing structures. While in some cases resilient structures in vulnerability and incident management already exist, in other constellations the focus is more on transparency about product inventory, dependencies and decision-making paths.

This picture is also confirmed in practice, as Phillip Ansorge classifies: "In our projects, we see that many manufacturers already have viable structures and processes in place, for example from IT security standards such as the PCI Software Security Framework. These cover some parts of the CRA requirements. In most cases, therefore, it is not a matter of a complete reconstruction, but of the well-founded classification of existing structures and the targeted closing of existing gaps. This is exactly where a scope workshop, followed by a gap analysis, provides the necessary transparency and forms a reliable basis for further implementation."

This enables us to answer the following questions together, among others:

  • Which products are affected?
  • Where do we stand today in terms of CRA requirements?
  • What processes and structures are already in place?
  • Where is there a concrete need for action?

We support you based on your specific situation: from an initial classification to the structured derivation of concrete measures or the further development of existing processes along the entire product lifecycle, all the way to proof of compliance. You can find more information here.


About the Expert: Phillip Ansorge

Phillip Ansorge is a Managing Security Consultant at usd AG. He works with manufacturers on the practical implementation of regulatory requirements for product and operational security in complex product environments and cross-organizational structures. His focus is on clear decision-making paths, robust reporting processes, and traceable security decisions.


Cyber Resilience Act: Key Facts in a Nutshell

Who does the CRA apply to?

The CRA applies to products with digital elements. This creates obligations for manufacturers that place these products on the market in the EU.

When will the CRA reporting obligations take effect?

From 11 September 2026.

What must be reported?

Actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements, as soon as the manufacturer becomes aware of them.

What are the deadlines?

24-hour early warning, 72-hour full report, followed by a final report depending on the incident category.

Which platform is used for reporting?

Via ENISA’s CRA Single Reporting Platform.
