Dates that affect release planning
When will the Cyber Resilience Act be implemented?
The Cyber Resilience Act is already law. The important question for product teams is when each operational obligation becomes real in release planning, vulnerability handling, and market access.
What to do with this information
- The regulation entered into force in December 2024.
- The vulnerability reporting duties are expected to apply from 11 September 2026.
- The main obligations for products with digital elements are expected to apply from 11 December 2027.
- If you sell software, firmware, connected devices, or managed digital products into the EU, the practical preparation window is shorter than it looks because SBOM, CVE response, secure update, and declaration evidence must be built into normal release operations.
How CertCore uses it
CertCore creates a live calendar for version updates, SBOM refreshes, CVE triage, Article 14 reporting milestones, declaration review, and audit evidence checkpoints.
Official and technical references
Questions teams ask
What is the practical deadline?
For most product obligations, plan around 11 December 2027. Reporting processes should be ready earlier, around 11 September 2026.
Should US companies care?
Yes, if they place covered software or connected products on the EU market, directly or through customers, distributors, or partners.
What should we do first?
Classify products, generate SBOMs, map dependencies to CVEs, and define the reporting workflow before the deadlines become release blockers.