Timeline graphic of EU Cyber Resilience Act deadlines for IoT device manufacturers, 2024 to 2027The EU Cyber Resilience Act gives IoT manufacturers until December 2027, but the compliance infrastructure isn't built yet.
Regulation & Compliance

The EU Cyber Resilience Act’s IoT Deadline Is Coming, and the Rulebook Isn’t Ready

Your engineering team has 14 months to make every connected product legally sellable in the EU. The regulator that set that deadline hasn’t finished writing the rules you’re supposed to follow to meet it. That’s not a hypothetical, it’s the state of the EU Cyber Resilience Act as of this week: zero harmonized standards published, zero notified bodies designated, and a September 2026 reporting deadline that arrives regardless.

If you build or sell connected hardware into Europe, this is the piece to read before you plan next quarter’s roadmap.

The Real Countdown: Four Dates That Matter

Most coverage of the Cyber Resilience Act (Regulation (EU) 2024/2847) leads with December 2027, the full-compliance deadline. That’s the wrong date to anchor your planning on. The Act entered into force on December 10, 2024, and it front-loads real obligations well before 2027 hits.

DateWhat Happens
Dec 10, 2024CRA enters into force
Jun 11, 2026Rules for conformity assessment (notified) bodies begin to apply
Sep 11, 2026Mandatory vulnerability and incident reporting begins: 24-hour early warning, 72-hour detailed report, 14-day final report
Dec 11, 2026Target date for a “sufficient number” of notified bodies to be designated under Article 35
Dec 11, 2027Full applicability: CE marking, conformity assessment, and technical documentation become mandatory

September 11, 2026 is the date to internalize. It’s roughly two months out, it applies to products you’ve already shipped, and it’s not contingent on any standard being finished. If your product has a known exploited vulnerability after that date, the clock on reporting it starts regardless of where your compliance program stands.

The Infrastructure Gap Nobody Budgeted For

Here’s the part of the story that hasn’t gotten enough attention: the scaffolding the CRA depends on to actually function isn’t built yet.

The European Commission asked CEN, CENELEC, and ETSI to develop 41 harmonized standards under Standardization Request M/606, split across horizontal (general) and vertical (product-specific) requirements. As of June 4, 2026, not one of them has been approved or published in the Official Journal. Every standard is still in draft. That matters because publication is what triggers the “presumption of conformity,” the mechanism that lets a manufacturer self-declare compliance instead of hiring a third party to check its work.

Without that presumption, most manufacturers of higher-risk products are stuck. And the fallback, notified-body assessment, has its own problem: as of June 24, 2026, the EU’s NANDO database lists zero CRA-designated notified bodies, even though the rules governing them started applying on June 11.

Why this is worse than it sounds: accreditation and designation of new conformity-assessment bodies typically takes 12 to 18 months. Even a fast start from EU member states in mid-2026 likely doesn’t produce meaningful assessment capacity until well into 2027, compressing what should be an 18-month compliance runway into a matter of months for higher-risk product categories.

Adding to the pressure: the Commission decided on February 16, 2026 to repeal the RED Cyber Delegated Regulation, the interim cybersecurity framework many IoT vendors currently lean on, effective December 11, 2027. That’s the same day the CRA becomes the only game in town. There’s no overlap buffer if the new standards slip.

“62% of people in Europe were unaware of what they needed to do last year. This year it’s 66%, statistically the same.” Christopher “CRob” Robinson, Chief Security Architect, OpenSSF, quoted in DevOps.com, May 2026

Robinson’s data comes from OpenSSF and the Linux Foundation’s 2026 CRA Awareness and Readiness Report, and the numbers get more uncomfortable outside Europe. Among US and Canadian respondents, 72% said they were unfamiliar with a regulation that may legally apply to them the moment they sell a connected product to an EU customer. Only 34% of CRA-aware respondents could correctly name December 2027 as the full compliance date.

Why the EU Built This: 21.9 Billion Devices, Record-Breaking Botnets

None of this exists in a vacuum. There are an estimated 21.9 billion active connected IoT devices globally in 2026, per IoT Analytics tracking, and a meaningful share of them are running the security posture of a decade ago. Research compiled by Phosphorus and Dexpose puts roughly 75% of IoT devices in the field on default passwords, with close to 98% of IoT device traffic still moving in plaintext.

That’s the raw material for what’s already happening. The Aisuru botnet, built largely from compromised consumer routers, CCTV cameras, and DVRs, hit a peak of 29.7 Tbps and 14.1 billion packets per second in 2026, breaking the previous DDoS record within months of it being set. Every one of those compromised devices is a product that, under a functioning CRA, should have shipped with better default security and a working vulnerability-disclosure process.

This is the regulation’s actual argument: product-level security obligations, not just entity-level ones like NIS2 already covers. Whether the compliance infrastructure catches up to that ambition in time is a separate question.

What Changes on Your Engineering Roadmap Starting Now

If you lead product, engineering, or security at a company selling connected hardware into the EU, including companies headquartered outside it, a few things stop being someday problems.

Classification can’t wait for the standards

Waiting for a finished harmonized standard before you classify your product (default, Important Class I/II, or Critical) isn’t a viable strategy anymore. Manufacturers currently have to document compliance against Annex I’s essential requirements directly, without the shortcut a published standard would provide.

Notified-body conversations need to start now, not in 2027

If your product lands in Important or Critical tiers (routers, VPNs, smart locks, security cameras, identity hardware), the constraint isn’t going to be your paperwork. It’s going to be the queue. A notified body has to appear in NANDO before it can issue a valid assessment, and that list is currently empty.

SBOMs stop being optional

Only about 32% of manufacturers currently produce a Software Bill of Materials for all of their products, and roughly 51% still passively depend on upstream open-source maintainers to catch and fix security issues. Under CRA’s supply-chain accountability rules, that gap is now a liability, not just a hygiene issue.

Reporting infrastructure needs to work by September 11

The 24-hour, 72-hour, 14-day reporting cascade applies to products already on the market, not just new launches. If your incident-response process can’t hit those windows today, that’s the highest-priority gap to close.

The upside most vendors miss: procurement teams and enterprise customers are already starting to ask for CRA evidence well ahead of the 2027 deadline. Being able to say “yes, here’s our documentation” is turning into a sales advantage months before it becomes a legal requirement.

Is December 2027 Realistic? The Critics Say No

The timeline problem isn’t just that standards are late. It’s that some of them are scheduled to arrive after the deadline they’re supposed to support. Security researcher Sarah Fluchs has documented the delivery schedule in detail: the horizontal standard covering vulnerability handling targets August 30, 2026, but the horizontal standard covering generic cybersecurity requirements isn’t due until October 30, 2027, essentially the eve of full applicability, leaving manufacturers almost no runway to build a compliance program against a finished reference point.

Scope is a second, older fault line. When the CRA was still a proposal, the Open Source Initiative and 17 other organizations warned that its definition of “commercial activity” created real legal uncertainty for developers, and risked discouraging the open-source ecosystems that have historically been more responsive on security, not less. Amendments added an open-source exemption and a new “open source steward” category before final passage, but the underlying scope ambiguity hasn’t fully gone away. NLnet Labs, maintainer of widely used DNS and routing software, has separately pushed the Commission on whether the “occasional supplies” exemption meaningfully applies to software as foundational as BIND or MINIX, both decades-old, both embedded in critical infrastructure.

Our read: this signals a regulation whose ambition outran its own build schedule. That’s not unusual for first-of-its-kind product security law. It does mean the manufacturers who treat 2027 as the actual planning deadline, rather than September 2026, are the ones most likely to get caught by a slipped standard or a full notified-body queue.

One more thing worth correcting: the widely repeated claim that “90% of products can self-assess” isn’t an official CRA statistic. It’s an estimate based on how narrow the Important and Critical categories are, and it’s worth treating as a caveat rather than a guarantee for your specific product line.

A Practical Compliance Roadmap

  1. Classify now, against Annex I directly. Don’t wait for a published standard to tell you what tier you’re in.
  2. Start notified-body conversations immediately if you’re in Important Class I/II or Critical territory. The queue, not the documentation, is the bottleneck.
  3. Stand up SBOM generation as a permanent engineering practice, not a pre-launch checklist item.
  4. Build (or stress-test) your 24/72-hour reporting pipeline before September 11, 2026, using your current, already-shipped product line as the test case.
  5. Budget for a 10-year vulnerability record retention and 5-year minimum security-update commitment. This is a lifecycle obligation, not a one-time certification.
  6. Track the standards calendar directly rather than relying on secondhand summaries. Target dates slip, and your compliance plan needs to move with them.

Frequently Asked Questions

When does the EU Cyber Resilience Act take effect?

The CRA entered into force December 10, 2024. Vulnerability and incident reporting obligations begin September 11, 2026. Full compliance, including CE marking, conformity assessment, and all essential cybersecurity requirements, becomes mandatory December 11, 2027, across all 27 EU member states.

What products does the Cyber Resilience Act cover?

The CRA covers any hardware or software product with digital elements whose intended or foreseeable use includes a direct or indirect connection to a device or network, from smart home devices and routers to enterprise software. Products already regulated elsewhere, like medical devices and vehicles, and non-commercial open-source software are excluded.

What are the penalties for CRA non-compliance?

Penalties reach up to €15 million or 2.5% of global annual turnover, whichever is higher, for breaches of essential cybersecurity requirements. Lower tiers of €10 million/2% and €5 million/1% apply to lesser infringements, alongside possible product recalls and EU market-access bans.

Does the Cyber Resilience Act apply to US companies?

Yes. Any manufacturer placing a product with digital elements on the EU market is in scope, regardless of where it’s headquartered. A US firmware vendor selling into Germany or a Korean device maker with EU distributors both fall under CRA obligations.

Are there harmonized standards for CRA compliance yet?

No. As of mid-2026, no CRA harmonized standard has been published in the EU Official Journal, so the presumption of conformity isn’t available for any product category yet. Manufacturers currently have to document compliance through direct reference to Annex I’s essential requirements.

What is a notified body under the CRA?

A notified body is a third-party conformity assessment organization designated by an EU member state to evaluate Important and Critical products that can’t be self-assessed. As of mid-2026, member states can formally designate these bodies, but none had appeared in the EU’s NANDO database yet.


What This Means Going Forward

The Cyber Resilience Act isn’t in danger of being delayed. The dates in the regulation are fixed, and the Commission has given no signal it plans to move them. What’s genuinely uncertain is whether the standards and notified-body infrastructure catch up in time for manufacturers to comply the way the law assumes they will, through self-assessment against a finished, published standard.

Over the next six to eighteen months, watch three things: whether the first horizontal standard actually publishes near its August 2026 target, how many notified bodies appear in NANDO by the December 2026 target date, and whether the Commission issues any interim guidance to bridge manufacturers through the gap. Any of the three slipping further pushes real compliance risk earlier into 2027, not later.

The companies that treat September 2026 as the real starting gun, not December 2027, are the ones least likely to be caught mid-recall when the infrastructure finally arrives.

Want the next regulatory deadline before it becomes a headline? Subscribe to The Neural Loop at neuralwired.com/newsletter.

Leave a Reply

Your email address will not be published. Required fields are marked *