Blog

The Cyber Resilience Act timeline, in plain terms

The EU Cyber Resilience Act sets baseline cybersecurity requirements for products with digital elements sold in the EU — most connected hardware and much of the software that ships with it. It applies obligations across the product lifecycle, from secure-by-design development to vulnerability handling and reporting.

The timeline

The CRA entered into force in 2024 with a staged application:

  • Reporting obligations for actively exploited vulnerabilities and severe incidents apply ahead of the full requirements.
  • The full set of obligations — secure-by-design, documentation, and vulnerability handling — applies after the transition period in 2027.

Manufacturers are responsible for the security of the product they place on the market, including handling vulnerabilities for the support period.

What to do now

The expensive part isn't the paperwork — it's proving your vulnerability handling actually happens: that your findings are tracked, triaged, and closed with a record. That's a continuous engineering practice, not a one-time audit.

Get ahead of it with a scan

npx @olydi/cli scan
# Scan complete. Findings written to SARIF.

OLYDI gives you a continuous read on your findings and mirrors them into your GitHub Security tab, so your vulnerability-handling story is backed by evidence. Your scan is free; clearing findings at volume is paid on Valty tiers.


This article is general information about regulatory developments, not legal advice. Consult qualified counsel for your specific obligations.