Most product development teams we speak to are focused on the December 2027 Cyber Resilience Act deadline.
That’s a mistake.
The first real deadline hits in September 2026, when vulnerability reporting becomes mandatory. If you don’t already have an SBOM and a working vulnerability management process in place by then, you’ll be non-compliant from day one.
A final, important note – The CRA is risk-based, not technology-based.
You don’t comply by ticking boxes.
You comply by understanding:
– What your product does
– How it communicates
– What could realistically go wrong
– How you’ve designed to manage that risk
Use the form to receive a copy of our practical guide. It that clearly shows what CRA requires, who it affects and what you need to be doing now in preparation.