# EU sets Sept 11 cyber reporting deadline
- The European Commission says Cyber Resilience Act reporting starts on September 11, 2026, forcing manufacturers to disclose exploited flaws and serious security incidents.
- The clock is tight: an early warning is due within 24 hours, fuller details within 72, through ENISA's single platform.
- This lands before the wider CRA regime in December 2027, so operational reporting has to work long before full compliance.

Connected products are the story here — the sensors, controllers, gateways, apps, and embedded software that now sit inside everything from pumps to port equipment. The EU's new move matters because these products already run real operations, but the people buying them often have little visibility into hidden cyber failures. The gap has been simple: vendors could treat product security as a quality issue, not a fast-reporting obligation. That changes on September 11, 2026, when the Cyber Resilience Act's first live duty kicks in — mandatory reporting of actively exploited vulnerabilities and severe incidents.

### What actually starts in September 2026?

Not the whole law. That is the first thing to get straight. The full Cyber Resilience Act applies from December 11, 2027, but the reporting piece starts earlier. From September 11, 2026, manufacturers of products with digital elements sold in the EU have to report two things: vulnerabilities that are being actively exploited, and severe incidents that affect the security of the product. (digital-strategy.ec.europa.eu)

### What counts as a "product with digital elements"?

Basically, almost any hardware or software product with a digital component that is placed on the EU market. The law is broad on purpose. It covers standalone software as well as connected physical products, which is why this is not just a consumer-tech rule. Industrial gear, embedded control systems, remote monitoring equipment, and the software wrapped around them can all fall inside the scope. (digital-strategy.ec.europa.eu)

### Why is the deadline a big deal?

Because this is the moment the law stops being a future compliance project and becomes an operations problem. A lot of companies have been planning around the December 2027 date. But the reporting duty arrives 15 months earlier. That means a manufacturer can be legally exposed before it finishes the bigger redesign, documentation, and conformity work tied to the full regime. (digital-strategy.ec.europa.eu)

### How fast do companies have to move?

Very fast. The manufacturer has to send an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident. A fuller notification follows within 72 hours. Then there is a final report — within 14 days after a corrective measure is available for an exploited vulnerability, and within one month for a severe incident. That is not a leisurely audit cycle. It is incident response with a regulator in the loop. (digital-strategy.ec.europa.eu)

### Where do those reports go?

Through the CRA Single Reporting Platform that ENISA is building. The manufacturer files once through that platform. The notice goes to the national CSIRT tied to the manufacturer's main establishment, and the information is also made available to ENISA unless exceptional circumstances apply. The platform is supposed to be operational by September 11, 2026, with testing before then. (digital-strategy.ec.europa.eu)

### Why does this hit infrastructure teams too?

Because the legal duty sits with manufacturers, but the practical fallout lands on operators and project owners too. If a drainage sensor, telemetry box, or pump controller is in scope, someone has to know who patches it, who receives vendor alerts, and what happens if a remote function becomes unsafe or unavailable. The catch is that many civil and industrial deployments were built for uptime first. (digital-strategy.ec.europa.eu)

Cyber reporting forces clearer ownership. That is an inference from the rule's structure and the kinds of products it covers.

### So what should teams do before 2026?

Map the devices and software that come from outside vendors. Pin down who the legal manufacturer is for each one. Make sure contracts specify update responsibilities, notification contacts, support windows, and escalation paths. And keep a manual fallback where the physical process matters — because if a connected product fails securely but the real-world job still has to continue, operations need a non-digital way to limp through. (digital-strategy.ec.europa.eu)

That last point is practical risk management rather than a verbatim legal requirement.

### Bottom line?

September 11, 2026 is the EU's first real enforcement-style date for the Cyber Resilience Act. The headline is reporting, but the deeper shift is responsibility: manufacturers have to surface product cyber trouble quickly, and buyers need to be ready to act on those warnings. (digital-strategy.ec.europa.eu)