
CRA – Key Dates and How to Prepare
The EU’s new Cyber Resilience Act (CRA) introduces strict cybersecurity requirements for digital products, and the timeline is tight.
This blog gives you an overview of when different requirements take effect and how we can help your business prepare.
CRA in a Nutshell
The CRA is an EU-wide regulation aimed at improving the cybersecurity of digital products, both hardware and software, throughout their entire lifecycle. It applies to all manufacturers, importers, and distributors of products with digital elements. In practice, this means any product that communicates digitally falls under the scope of the regulation.
The CRA’s requirements are mandatory and apply equally to all companies operating within the EU. If the requirements are not met by the deadline, the product cannot be placed on the EU market, or may be withdrawn from sale. Violations may also result in significant penalties.
CRA Timeline – Key Dates
The most critical dates for your business are:
- September 11, 2026: Vulnerability reporting requirements take effect.
- December 11, 2027: Essential cybersecurity requirements for products begin to apply.
Below is a list of the key dates for the CRA and its related requirements:
- December 11, 2025: Deadline for technical documentation of important and critical products (Article 7).
- August 30, 2026: Publication of Type A standard (risk management and product cybersecurity measures) and Type B standard (vulnerability handling).
- September 11, 2026: Start of enforcement for vulnerability reporting requirements.
  - Note: This requirement also applies to existing products, not just those entering the market for the first time.
- October 30, 2026: Publication of Type C standards for important/critical products (CRA Annexes III/IV) and a broader vertical standard for OT environments (ISA/IEC 62443).
- October 30, 2027: Publication of Type B standard for general cybersecurity requirements.
- December 11, 2027: Enforcement of essential cybersecurity requirements for products.
  - These requirements apply to products placed on the market for the first time after December 11, 2027.
The European Commission has not yet issued standardization requests or set deadlines for other Type C standards.
How Does CRA Impact Your Business?
With the CRA, companies must assess the cybersecurity of their products, manage risks, and ensure security is considered throughout the product lifecycle. This demands new skills, processes, documentation, and continuous development.
Huld Helps Meet CRA Requirements
Huld’s cybersecurity team understands the CRA requirements and helps ensure your business meets them correctly and on time. Our services include:
- Compliance assessments
- Secure Software and Product Development (SDL) consultancy
- Threat modeling and risk management services
- Security training
- IEC 62443 support
- Penetration and vulnerability testing
Contact our experts to ensure your products meet future cybersecurity requirements!
