EU Cyber Resilience Act: Preparing Your VDP for 2026 Reporting Requirements

Tags: Security, Compliance, EU Regulation | March 17, 2026 | Source: HackerOne Blog

The EU Cyber Resilience Act (CRA) turns vulnerability disclosure into a regulated, time-bound process for manufacturers producing "products with digital elements" sold in the EU.

📅 Key Date: September 11, 2026 - Reporting obligations begin

What is the Cyber Resilience Act?

The Cyber Resilience Act is Regulation (EU) 2024/2847. Its goal is to improve the cybersecurity of software and hardware placed on the EU market.

It applies to products with digital elements, broadly defined as software or hardware products (including associated remote data processing solutions) that rely on digital components to function.

Key Dates to Know

| Milestone | Date | What It Means |
|---|---|---|
| Entry into force | December 2024 | The CRA becomes EU law and the rollout timeline begins. |
| Reporting obligations begin (Article 14) | 11 September 2026 | Manufacturers must start meeting mandatory vulnerability and incident reporting timelines. |
| Full CRA application date | 11 December 2027 | Full CRA requirements apply for in-scope products placed on the EU market. |

What the CRA Requires for Vulnerability Disclosure

At a minimum, the CRA expects manufacturers to run a vulnerability handling program that's easy to access, fast to execute, and provable with records.

| Requirement | What You Need in Place |
|---|---|
| CVD policy + reporting channel | Publish and enforce a CVD policy and provide a clear, monitored single point of contact for reports. |
| Lifecycle vulnerability handling | Track components (including an SBOM), test/review regularly, remediate quickly, and ship secure updates without undue delay. |
| Communicate fixes | When an update is available, publish what's affected, severity/impact, and remediation steps. |
| Support period | Define and communicate how long you'll provide vulnerability handling and security updates. Minimum 5 years. |

Key Insight: The Commission's draft guidance makes clear that five years is not a default ceiling where products are reasonably expected to remain in use longer.

Reporting to EU Authorities

Starting 11 September 2026, manufacturers must report certain vulnerabilities and incidents via ENISA's Single Reporting Platform (SRP), coordinated through the Member State's designated CSIRT coordinator.

Practical Path to Compliance

This article provides practical guidance for organizations to prepare for the upcoming EU Cyber Resilience Act requirements.