For most of the history of consumer technology, there has been no legal requirement for the company that built your router, your security camera, or your smart plug to tell anyone when that device turns out to be dangerously broken. A vulnerability could be discovered, exploited in the wild for months, and quietly patched — or never patched at all — with no obligation on the manufacturer to disclose it, report it, or even acknowledge it existed. The economics of cheap connected hardware rewarded silence. Disclosure costs money and reputation; silence costs nothing, at least not to the manufacturer.
That arrangement is ending. On September 11, 2026 — now less than 100 days away — the European Union’s Cyber Resilience Act begins enforcing a mandatory vulnerability reporting regime that applies to virtually every connected device sold into the EU market. And because of how global supply chains work, the effects will not stay inside Europe’s borders. The device on your shelf was almost certainly designed to be sold into Europe too.
What the CRA Actually Is
The Cyber Resilience Act is a piece of EU legislation that regulates the security of what it calls “products with digital elements” — a deliberately broad term. It covers any hardware or software product whose intended or foreseeable use includes a direct or indirect connection to a device or network. In practice that means consumer IoT devices, routers and networking gear, enterprise software, industrial control systems, medical devices, and connected vehicle components. If it has a chip and it talks to a network, the CRA almost certainly applies.
Crucially, the law applies regardless of where the manufacturer is based. A device built in Shenzhen, designed by a company headquartered in California, and sold to a customer in Berlin falls under the CRA. The trigger is placement on the EU market, not the nationality of the maker. This is the same extraterritorial structure that made the GDPR a global standard rather than a regional one: companies do not build separate products for separate markets when they can avoid it, so the strictest applicable rule tends to become the default for everyone.
The CRA was adopted in 2024 and is being phased in over several years. The headline event for 2026 is the start of mandatory incident and vulnerability reporting. Full application of the entire regulation — secure-by-design engineering obligations, CE marking, conformity assessments, and mandatory provision of security updates — arrives on December 11, 2027.
The Two 2026 Deadlines
There are two dates in 2026 that matter, and they are easy to conflate.
The first is June 11, 2026. This was the deadline by which national authorities across the member states were required to designate the conformity assessment bodies that will eventually evaluate products under Chapter IV of the law. It is an administrative milestone — the scaffolding being put in place — rather than an obligation that lands directly on manufacturers. During June 2026, the EU’s cybersecurity agency, ENISA, is providing registration instructions and training materials. This is the practical onboarding window for the reporting infrastructure that goes live in the autumn.
The second, and the one that changes behavior, is September 11, 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe security incidents under a strict, multi-stage timeline.
The 24-Hour Clock
The reporting obligation that begins in September is built around a three-stage cascade, and the speed of the first stage is what has security and legal teams across the industry scrambling.
Within 24 hours of becoming aware that a vulnerability in one of its products is being actively exploited, a manufacturer must file an early warning with the authorities. This is a preliminary notification — it does not require a complete technical analysis — but it must happen within a single day.
Within 72 hours, the manufacturer must follow up with a full notification containing detailed technical information about the vulnerability or incident, its nature, and any corrective or mitigating measures taken or available.
Within 14 days, a final report must be submitted with a comprehensive analysis. For particularly severe incidents, this window can extend to 30 days, but the expectation is a thorough post-incident accounting.
The reports do not go to a single national regulator and stop there. Manufacturers submit through the ENISA Single Reporting Platform, a centralized EU web portal that routes each submission simultaneously to the relevant national Computer Security Incident Response Team and to ENISA itself. ENISA then disseminates the information automatically across every member state where the product is available. A single report propagates across the entire union.
The distinction that matters here is actively exploited. The CRA’s 24-hour clock is triggered by exploitation in the wild, not by the mere discovery of a flaw. A theoretical vulnerability sitting in a bug tracker does not start the timer. A vulnerability that attackers are demonstrably using against real devices does. This is a meaningfully higher bar than “every bug must be reported,” but it is also exactly the category of vulnerability that matters most to the people who own the affected devices.
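As an added example (not from the article or any of its sources), a small tracker that turns the cascade above into concrete deadlines and tells a response team which stage is filed, open or overdue at a given moment; the product name, timestamps and filing record are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting cascade as described in the article: early warning within 24 hours,
# full notification within 72 hours, final report within 14 days (30 days for
# particularly severe incidents). Every offset is measured from the moment the
# manufacturer becomes aware of active exploitation, not of the flaw itself.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("notification", timedelta(hours=72)),
    ("final_report", timedelta(days=14)),
)
SEVERE_FINAL_REPORT = timedelta(days=30)


@dataclass(frozen=True)
class ExploitedVulnReport:
    """One in-scope event: awareness time plus which stages were filed when."""
    product: str
    aware_at: datetime                  # awareness of active exploitation (UTC)
    severe: bool = False                # extends the final-report window to 30 days
    filed: Optional[dict] = None        # stage name -> filing time


def deadlines(aware_at, severe=False):
    """Return {stage: absolute deadline} for a given awareness time."""
    out = {}
    for name, delta in STAGES:
        if name == "final_report" and severe:
            delta = SEVERE_FINAL_REPORT
        out[name] = aware_at + delta
    return out


def stage_status(report, now):
    """Classify each stage as 'filed', 'open' or 'overdue' at time `now`.
    A stage counts as 'filed' only if its filing time is at or before the
    deadline; a late filing still shows as 'overdue' so it is not missed."""
    status = {}
    filed = report.filed or {}
    for name, due in deadlines(report.aware_at, report.severe).items():
        when = filed.get(name)
        if when is not None and when <= due:
            status[name] = "filed"
        elif now > due:
            status[name] = "overdue"
        else:
            status[name] = "open"
    return status


if __name__ == "__main__":
    aware = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)   # constructed
    r = ExploitedVulnReport("example-camera-fw", aware,
                            filed={"early_warning": aware + timedelta(hours=20)})
    for stage, state in stage_status(r, aware + timedelta(days=4)).items():
        print(stage, state)
```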
The Penalties Have Teeth
The reason this regulation will actually change manufacturer behavior — rather than joining the pile of well-intentioned standards that everyone ignores — is the size of the penalties.
Failure to meet the CRA’s most serious obligations, including the mandatory reporting requirements that begin September 11, can result in fines of up to €15 million or 2.5% of global annual turnover for the preceding financial year, whichever is higher. For a large manufacturer, the percentage-of-turnover figure is the one that bites; 2.5% of global revenue is not a rounding error for any company of scale.
Beyond fines, regulators have the power to order non-compliant products withdrawn from the EU market entirely. For a hardware company, losing access to the European market — or being forced to recall deployed products — is an existential commercial threat, not a line-item cost.
Why This Matters for Your Home, Even Outside Europe
If you are reading this from outside the European Union, it would be easy to assume the CRA is someone else’s problem. It is not, for two reasons.
The first is the global-default effect. Manufacturers will not, in general, build one version of a smart camera with mandatory vulnerability reporting and secure-by-design engineering for Europe and a separate, less secure version for everyone else. It is cheaper to build to the strictest standard and ship that everywhere. The same dynamic that made GDPR-style privacy controls appear in products worldwide will push CRA-driven security practices into the global product baseline. When your camera’s manufacturer is legally required to maintain a vulnerability-handling process and ship security updates to satisfy Europe, you benefit from that process even if you live in Ohio.
The second is information. Today, when a vulnerability in a popular consumer device is being exploited, the public often finds out — if at all — through the work of independent security researchers, threat intelligence firms, and journalists, frequently weeks or months after exploitation began. The CRA creates a legal channel through which exploited vulnerabilities surface promptly and consistently. Over time, that should mean earlier, more reliable signals about which devices are under active attack — signals that flow into the security community and, eventually, to consumers.
There is a caveat worth being honest about. The reports filed through the Single Reporting Platform are not, by default, public bulletins. They go to CSIRTs and ENISA, which manage disclosure carefully to avoid handing attackers a roadmap before patches are available. So the CRA is not going to produce a public, real-time feed of every exploited home-device vulnerability. What it produces is a structural obligation — a legal requirement that the manufacturer act, on a clock, under threat of serious penalty. That obligation is the thing that has been missing.
What This Changes About Buying Connected Devices
The CRA is fundamentally a supply-side regulation. It puts obligations on manufacturers, not on the people who buy and use the devices. You will not have a reporting deadline. But the law should, over the next eighteen months, reshape the market you buy in.
The companies that take the CRA seriously will build vulnerability-handling processes, commit to providing security updates for a defined support period, and document their security practices as part of conformity assessment. The companies that cannot or will not do this face exclusion from the EU market. The cheapest, most disposable end of the connected-device market — the no-name smart plug shipped with a hardcoded password and no update mechanism, the streaming box with debug interfaces left open from the factory — is precisely the category that the CRA, combined with conformity requirements arriving in 2027, is designed to push out.
For a homeowner, the practical guidance does not change overnight, but the direction of travel is clear. Favor manufacturers that publish a security contact and a coordinated vulnerability disclosure policy. Favor devices that come with a stated security update commitment. Treat the absence of any vulnerability-handling process as the warning sign it has always been — and understand that, increasingly, the legitimate manufacturers will have one because the law now requires it.
The CRA does not patch the devices already in your house. It does not replace the work of keeping your own network segmented, your firmware current, and your default passwords changed. What it does is begin to fix the structural problem underneath all of that: an industry that, until now, faced no consequences for shipping insecure connected hardware and saying nothing when it broke. Starting September 11, silence has a price.
Sources
- TechTimes: EU Cyber Resilience Act — 24-Hour Vulnerability Clock Starts September 11 for IoT Vendors
- Crowell & Moring: EU CRA Countdown — 11 September 2026 Incident/Vulnerability Reporting Deadline
- Keysight: One Year Countdown to EU CRA Compliance — September 11, 2026
- Telit: EU Cyber Resilience Act — What IoT Manufacturers Need to Know
- Bitdefender: Countdown to CRA 2026 and Smart Device Security
This article is provided for informational purposes only and does not constitute legal advice.