100 Days ‘til 1st Major EU CRA Deadline: a 24-Hour Reporting Clock
Cybersecurity experts, OEMs, software publishers and end user organizations have focused on the EU Cyber Resilience Act’s ultimate December 2027 compliance deadline for years. What’s gotten far less attention is the first major enforcement milestone on September 11, 2026, now less than 100 days away.
On that date, anyone selling connected products and applications into the EU must report actively exploited vulnerabilities and significant security incidents to regulators under strict timelines – within 24 hours.
Doc McConnell, Head of Policy and Compliance, Finite State, said:
“For many companies, the challenge isn’t simply reporting, it’s determining within a few hours whether a vulnerability exists inside their products, whether it’s being actively exploited, and who might be affected.
“The biggest obstacle isn’t paperwork, it’s visibility. Many companies lack accurate software inventories across their product lines, and have limited insight into third-party components embedded in products. Even more lack an in-place internal decision process to meet that 24-hour reporting mandate. The CRA readiness gap persists across sectors: ICS, automotive, medical devices, consumer electronics, IoT, IT gear, mobile applications distributed to EU end users, embedded software and more. And are their legal and compliance departments ready to assess cyber resilience?”
Ryan McCurdy, VP, Liquibase, added:
“The CRA turns cybersecurity from a best practice into a reporting obligation. That creates a simple test for software manufacturers: can you prove what changed, who changed it, when it changed, and whether the right controls were applied? For many organizations, the database layer is where that proof breaks down. Manual scripts, schema drift, and inconsistent approvals make it hard to show control when regulators, customers, or auditors ask. The companies that are ready for CRA will not just have security policies. They will have governance and proof of control across the full software lifecycle, including database change.”
The bottom line is that we’ll see whether 100 days turns out to be an administrative nightmare or a nothing burger. And it will be up to software vendors to decide which side of the fence this falls on.
This entry was posted on June 9, 2026 at 8:28 am and is filed under Commentary with tags EU.