The Cyber Resilience Act (CRA, Regulation EU 2024/2847) was adopted in October 2024. Application is phased over two milestones: September 11, 2026 (active reporting and VDP) and December 11, 2027 (full application with CE-Cyber marking).
For B2B SaaS, this is not a trivial undertaking. ISO 27001 covers about 30-40% of the CRA but is not sufficient on its own. Here is the practical roadmap.
Are you in scope?
Very probably yes:
- Included: B2B SaaS, commercial mobile apps, IoT, firmware, redistributed libraries, drivers, commercial plugins, embedded software.
- Partially excluded: non-commercial open source (but new obligations apply to paid contributors and "open source stewards").
- Excluded: pure services without embedded software component (rare).
If you sell software directly or indirectly, you are very probably in scope.
Milestone 1 — September 11, 2026: Active reporting
By that date, you must be able to:
1. Notify ENISA within 24 hours of an actively exploited vulnerability
This is the structuring requirement. The 24h deadline implies:
- Detection capability (monitoring, alerting, dedicated team).
- Triage and qualification procedure.
- Internal escalation chain.
- Direct interface to the EU centralized reporting platform.
2. Operate a Vulnerability Disclosure Program (VDP)
Five mandatory elements:
- Identified intake channel: security.txt (RFC 9116), dedicated email, web form.
- Triage procedure with SLAs (typically 5 business days for qualification).
- Communication policy: transparency, coordination with the researcher, no public disclosure before remediation.
- Remediation commitment by criticality (24h critical, 90 days low).
- No-harm policy: no legal action against good-faith researchers respecting the policy.
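The intake channel above has a testable minimum: RFC 9116 requires at least one Contact and exactly one Expires field, and a stale Expires silently breaks the channel. The checker below is an added example (not the post's code); it assumes the file is served at /.well-known/security.txt over HTTPS and checks only its content, with placeholder addresses in the constructed sample.

```python
"""RFC 9116 security.txt checker for the VDP intake channel. Added example,
not the post's code; assumes the file is served at /.well-known/security.txt
over HTTPS and checks only its content, not the transport."""
from datetime import datetime
# Constructed sample with placeholder addresses, as a vendor would publish it.
SAMPLE = """# Report vulnerabilities here; Policy links the SLAs and no-harm terms
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-09-01T00:00:00Z
Preferred-Languages: en, fr
Policy: https://example.com/security/vdp
"""

def parse_ts(s):
    # ISO 8601 date-time -> aware datetime ('Z' accepted on older Pythons)
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Map lowercase field name -> list of values; comments and blanks ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now_iso):
    """Findings against RFC 9116 MUST/SHOULD rules; [] means the file passes."""
    now, f, findings = parse_ts(now_iso), parse_security_txt(text), []
    if not f.get("contact"):
        findings.append("Contact is REQUIRED (at least one)")
    for uri in f.get("contact", []):
        if not uri.startswith(("https://", "mailto:", "tel:")):
            findings.append(f"Contact must be an https/mailto/tel URI: {uri}")
    if len(f.get("expires", [])) != 1:
        findings.append("exactly one Expires field is REQUIRED")
    else:
        try:
            exp = parse_ts(f["expires"][0])
            if exp <= now:
                findings.append("Expires is in the past: file is stale")
            elif (exp - now).days > 365:
                findings.append("Expires more than a year ahead (SHOULD NOT)")
        except (ValueError, TypeError):
            findings.append("Expires is not an ISO 8601 date-time")
    if len(f.get("preferred-languages", [])) > 1:
        findings.append("at most one Preferred-Languages field")
    return findings
```

The reference time is a parameter so the same check runs reproducibly in CI, where it belongs: an expired security.txt is the most common way this channel goes dark.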
3. Trace patch deployment
For each release, traceability of who has the patch, in what version, and on what timeline. This lets you answer the question "are users X exposed to vulnerability Y?".
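The data model behind that question is small: a per-customer deployment record plus an advisory's affected range. The following is an added example (not the post's code) with a constructed inventory and a placeholder advisory id; it assumes dotted-integer versions (major.minor.patch).

```python
"""Answers "are users X exposed to vulnerability Y?" from a per-release
deployment record. Added example, not the post's code; the inventory and the
advisory are constructed and versions are dotted integers (major.minor.patch)."""
from datetime import date
# Constructed: which customer runs which release of which product, deployed when.
DEPLOYMENTS = [
    {"customer": "acme",    "product": "agent", "version": "2.3.1", "deployed": "2026-03-02"},
    {"customer": "globex",  "product": "agent", "version": "2.4.0", "deployed": "2026-04-10"},
    {"customer": "initech", "product": "agent", "version": "2.1.7", "deployed": "2025-11-20"},
    {"customer": "initech", "product": "agent", "version": "2.4.0", "deployed": "2026-04-12"},
    {"customer": "acme",    "product": "sdk",   "version": "1.9.0", "deployed": "2026-01-15"},
]

# Constructed advisory (placeholder id): agent >= 2.0.0 and < 2.4.0 is affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "product": "agent", "affected_from": "2.0.0",
            "fixed_in": "2.4.0", "fix_released": "2026-04-09"}

def vtuple(v):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def is_affected(version, advisory):
    """True when affected_from <= version < fixed_in."""
    return vtuple(advisory["affected_from"]) <= vtuple(version) < vtuple(advisory["fixed_in"])

def current_versions(deployments, product):
    """Latest deployment per customer for one product (ISO dates sort as strings)."""
    latest = {}
    for d in deployments:
        if d["product"] == product:
            cur = latest.get(d["customer"])
            if cur is None or d["deployed"] > cur["deployed"]:
                latest[d["customer"]] = d
    return latest

def exposure_report(deployments, advisory):
    """Per customer: ('exposed', running version) or ('patched', days between the
    fix release and its deployment), i.e. the who / which version / what timeline."""
    fix_day, report = date.fromisoformat(advisory["fix_released"]), {}
    for cust, d in current_versions(deployments, advisory["product"]).items():
        if is_affected(d["version"], advisory):
            report[cust] = ("exposed", d["version"])
        else:
            report[cust] = ("patched", (date.fromisoformat(d["deployed"]) - fix_day).days)
    return report

def exposed_customers(deployments, advisory):
    return sorted(c for c, (s, _) in exposure_report(deployments, advisory).items()
                  if s == "exposed")
```

The deployment record must be written at release time, by the pipeline, not reconstructed after the advisory lands; the 24h window leaves no room for asking each account manager.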
Milestone 2 — December 11, 2027: Full application
Full obligations of Annex I (essential cybersecurity requirements) + CE-Cyber marking.
Three product categories
- Default category: ~90% of products. Self-assessment, CE marking, basic technical documentation.
- "Important" category (Annex III): authentication, password managers, SIEM, antivirus, identity management, BIOS. Notified body assessment for class II.
- "Critical" category (Annex IV): smart cards, hardware security modules. Highest assessment level.
Annex I requirements
Essential requirements applicable to all in-scope products:
- Security by design and default: secure default configuration, minimal attack surface.
- Vulnerability management process: identification, qualification, remediation.
- Mandatory SBOM for "important" and "critical" products.
- Signed updates: cryptographic signing of patches and updates.
- Automated patching capability (where applicable).
- Support duration declaration: minimum 5 years for most products.
- End-of-life notification: in advance, with migration documentation.
- Logging by default: traceability of security events.
The SBOM — Software Bill of Materials
Mandatory machine-readable component list for "important" and "critical" products from December 11, 2027.
Standards: SPDX (ISO/IEC 5962:2021) or CycloneDX (OWASP). The two formats are accepted; CycloneDX is more security-oriented (vulnerabilities, exploitability, signing); SPDX is more compliance/license-oriented.
Tools: Syft (Anchore) for container images, cdxgen for source code, the CycloneDX Maven plugin for Java, @cyclonedx/cyclonedx-npm for Node.
Best practice: automatic generation in CI/CD, signed with Sigstore cosign, attached to each release in the registry, accessible to authorities and clients on request, and maintained over the entire support duration.
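To make "machine-readable" concrete, here is what a minimal CycloneDX document contains and which properties a release gate should check before attaching it. This is an added example, not code from the post, CycloneDX, cdxgen or Syft (which a real pipeline would use to generate the SBOM); the dependency list is constructed.

```python
"""Builds a minimal CycloneDX 1.5 SBOM from a constructed dependency list and
checks the properties the text requires (machine-readable, every component
identifiable, tied to a product version and a build). Added example; not code
from the post, CycloneDX, cdxgen or Syft."""
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote
# Constructed dependency list, as a lockfile parser would yield it.
DEPS = [("express", "4.19.2"), ("@scope/logger", "1.2.0"), ("lodash", "4.17.21")]

def npm_purl(name, version):
    """Package URL pkg:npm/<name>@<version>; the scope's '@' is percent-encoded."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"

def build_sbom(product, product_version, deps, timestamp=None):
    """CycloneDX JSON document; pass the build timestamp in CI for reproducibility."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",  # unique per export
        "version": 1,
        "metadata": {"timestamp": ts,
                     "component": {"type": "application", "name": product,
                                   "version": product_version}},
        "components": [{"type": "library", "name": n, "version": v, "purl": npm_purl(n, v)}
                       for n, v in deps],
    }

def to_json(sbom):
    """The artefact attached to the release (and signed, e.g. with cosign)."""
    return json.dumps(sbom, indent=2)

def sbom_findings(sbom):
    """Findings; [] means every component is matchable against vulnerability data
    (name + version + purl) and the SBOM is tied to a product version and a build."""
    findings = [f"missing top-level field {k}" for k in
                ("bomFormat", "specVersion", "serialNumber", "metadata", "components")
                if k not in sbom]
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat must be CycloneDX")
    meta = sbom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata.timestamp missing: SBOM cannot be tied to a build")
    if not meta.get("component", {}).get("version"):
        findings.append("metadata.component.version missing: SBOM not tied to a release")
    for c in sbom.get("components", []):
        for k in ("name", "version", "purl"):
            if not c.get(k):
                findings.append(f"component {c.get('name', '?')} lacks {k}")
    return findings
```

A plain directory listing of node_modules fails this gate on every count: no purl to match against vulnerability databases, no build timestamp, and no link to the product version that shipped.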
Articulation with EU AI Act and NIS2
For AI products, the CRA applies on top of the AI Act. For services falling under NIS2, double compliance also applies. A common approach (a single security management system) covers 70-80% of both; the remaining 20-30% is specific to each regulation.
Sanctions and operational risks
Up to €15 million or 2.5% of worldwide annual turnover for breaches of essential requirements. Up to €10 million or 2% for other breaches. National authorities (in France, ANSSI) can also require market withdrawal or prohibit market placement.
Critical objections to anticipate
"We have 12 months — that's plenty"
12 months to build the operational layer is short. Notified bodies will be saturated in 2027.
"We delegate to a legal firm"
The CRA is technically constraining. A legal firm alone cannot bring you into compliance; you need a legal + technical duo. The operational technical part is precisely the scope of WeeSec's offerings.
"We already have ISO 27001 — same thing"
ISO 27001 is an information security management system. CRA is about technical characteristics of the product itself. Complementary but different. ISO 27001 facilitates CRA by about 30-40%, no more.
"SBOM, we have a script"
A CRA-compliant SBOM must be: automatic, up-to-date at every build, exportable in SPDX or CycloneDX format, traceable on the production chain. A bash script listing your node_modules is not enough.
Frequently asked questions
What is the Cyber Resilience Act (CRA)?
The CRA is the European Regulation 2024/2847 imposing cybersecurity requirements on products with digital elements placed on the European market. Adopted in October 2024, it fully applies on December 11, 2027 with mandatory CE-Cyber marking. The first milestone (incident reporting and vulnerability disclosure program) enters into force on September 11, 2026.
What are the key milestones of the CRA in 2026 and 2027?
Two structuring milestones. September 11, 2026: obligation to report actively exploited vulnerabilities to ENISA within 24h, and to put in place a vulnerability disclosure program (VDP). December 11, 2027: full application — CE-Cyber marking, SBOM, Annex I technical requirements, lifecycle management over the declared support duration.
Is my SaaS concerned by the CRA?
If your product is made available on the European market and contains digital elements (software, firmware, connected service), yes. Purely hosted SaaS may fall outside the 'product' scope, but the components it deploys on the client side (agent, plugin, SDK) are in scope. A scope analysis is essential before September 11, 2026.
What should I prepare for September 11, 2026?
Three workstreams: (1) an operational vulnerability disclosure program — security.txt, dedicated contact, triage procedure, response SLA; (2) an incident reporting mechanism to ENISA within 24h; (3) an inventory of in-scope products and their classification (default, important, critical).
What is the difference between CRA and ISO 27001?
ISO 27001 is an information security management system of the organization. The CRA is about technical characteristics of the product itself: SBOM, signing, updates, vulnerability management over the support duration. The two are complementary: ISO 27001 facilitates CRA compliance by about 30-40%, but is not sufficient.