The CRA isn’t asking whether you’re ready. It’s telling you when.
From 11 September 2026, manufacturers of products with digital elements must meet mandatory vulnerability and incident reporting timelines. Full compliance follows on 11 December 2027. Here’s what the regulation requires — and how to stand up disclosure operations you can prove.
Reporting obligations start well before full compliance applies.
10 December 2024
CRA (Regulation (EU) 2024/2847) enters into force and the rollout timeline begins.
In force
11 September 2026
Reporting obligations begin (Article 14). Mandatory 24/72-hour vulnerability and incident reporting.
Reporting starts
11 December 2027
Full CRA application. All obligations apply to in-scope products on the EU market.
Full compliance
Four things every in-scope manufacturer needs in place.
01
A CVD policy/process and reporting channel
Publish and enforce a coordinated vulnerability disclosure (CVD) policy, and provide a clear, monitored single point of contact for reports.
02
Lifecycle vulnerability handling
Track components with an SBOM, test and review regularly, remediate without undue delay, and ship secure updates.
03
Communication of fixes
Once a security update is available, publish which products and versions are affected, the severity and impact, and the remediation steps. Publication may be delayed only in duly justified cases where the security risk of disclosing the fixed vulnerability outweighs the benefit, and only until users have had the chance to apply the patch.
04
A defined support period
Communicate how long you'll provide vulnerability handling and security updates: at least five years, unless the product is expected to be in use for a shorter time.
Why it matters: the CRA provides for administrative fines of up to €15M or 2.5% of worldwide annual turnover, whichever is higher, for the most serious infringements of these obligations. (Figures and obligations subject to legal confirmation for your role and product scope.)
From 11 September 2026, the clock starts the moment you become "aware."
Manufacturers must report actively exploited vulnerabilities and severe incidents through the single reporting platform operated by ENISA, to the CSIRT designated as coordinator in their Member State. The deadlines are tight, and each clock starts when you become aware, not when you finish investigating.
| Report type | Early warning (from awareness) | Notification (from awareness) | Final report |
|---|---|---|---|
| Actively exploited vulnerability | 24 hours | 72 hours | 14 days after a corrective or mitigating measure is available |
| Severe incident impacting product security | 24 hours | 72 hours | 1 month after the incident notification |
Build CRA-ready disclosure operations, and prove them.
You need a clear reporting channel, a CVD policy, and a workflow you can evidence with records. The HackerOne Platform gives you all three, and a path to mature as the deadlines approach.
01 · Start
Stand up a disclosure channel
A public VDP gives you a single, monitored intake point and a consistent place to publish your CVD policy, with structured, trackable submissions your team manages in one platform.
02 · Validate
Cut noise with Hai + H1 Validation
AI-assisted triage validates reports quickly, filters noise, and surfaces exploitable vulnerabilities with priority context, so the 24/72-hour clock runs on what's real.
03 · Prove
Automate the audit trail
Integrations push high-severity issues into your ticketing and incident workflows. Automation captures timestamps, enforces escalations tied to reporting timelines, and keeps an exportable, audit-ready record.
04 · Expand
Start scoped, expand as you grow
A working programme that is producing real data by the September 2026 deadline is also the natural foundation for H1 Bounty: broader, continuous coverage as your programme matures.
If you're not ready for disclosure, you're not ready for what's already looking for you.
Attackers using AI don't wait for you to be ready. The question is whether you find the vulnerabilities first, or they do. We validate exploitability and prioritise, so you act on what's confirmed, not noise.
Building a Compliant Vulnerability Disclosure and Coordinated Response Programme
Design and operationalise a VDP that meets CRA requirements, coordinated disclosure policies, lifecycle vulnerability handling, support commitments, and regulatory reporting. Includes a live demonstration of publishing reporting channels, standardising triage and validation, coordinating remediation, and maintaining audit-ready records.