Compliance Planning October 2025 7 min read

Understanding CRA Deadlines: Timeline and Compliance Milestones

Time is running out to prepare for the EU Cyber Resilience Act. This guide breaks down the complete timeline, key deadlines, and what you need to accomplish at each stage to ensure your products are compliant when enforcement begins.

The Complete CRA Timeline

The EU Cyber Resilience Act follows a multi-phase implementation timeline designed to give manufacturers time to prepare while ensuring cybersecurity improvements happen as quickly as possible. Understanding these phases and their deadlines is critical for planning your compliance strategy.

CRA Timeline at a Glance

September 2022: Initial Proposal

European Commission proposes the Cyber Resilience Act, launching the legislative process.

2023-2024: Legislative Process

European Parliament and Council negotiate and refine the regulation through trilogue discussions. Amendments proposed and debated.

Late 2024: Expected Adoption

Final text agreed and formally adopted by European Parliament and Council. Regulation published in Official Journal of the EU.

20 Days After Publication: Enters into Force

Regulation officially enters into force, starting the countdown to enforcement. Organizations should finalize compliance plans.

24 Months After Entry Into Force: Phase 1

Early provisions take effect, including notified body designation and standard development. Manufacturers should be well into implementation.

36 Months After Entry Into Force: FULL ENFORCEMENT

All CRA requirements become fully applicable. Products placed on market must comply. No exceptions.

Expected: Late 2027 / Early 2028

Critical Date: Late 2027 / Early 2028

Based on current legislative progress, full CRA enforcement is expected approximately 36 months after the regulation enters into force in late 2024. This means products sold in the EU after this date MUST comply with all CRA requirements or cannot be legally placed on the market.

Phase 1: Preparation Period (Months 1-24)

The first 24 months after the CRA enters into force is the preparation period. During this phase, the regulatory infrastructure is established and manufacturers should complete the majority of their compliance work.

What Happens During Phase 1

  • Standardization work: European standardization organizations (CEN, CENELEC, ETSI) develop harmonized standards that manufacturers can follow for presumption of conformity
  • Notified body designation: Third-party conformity assessment bodies are designated and accredited for Class I and II products
  • Guidance development: European Commission and ENISA publish implementation guidance, FAQs, and best practices
  • Technical infrastructure: Incident reporting systems, vulnerability databases, and regulatory portals are established

What You Should Do During Phase 1

Months 1-6: Assessment and Planning

  • [ ] Conduct gap analysis of current products against CRA requirements
  • [ ] Identify which products fall under CRA scope
  • [ ] Classify products by risk category (standard, important, critical)
  • [ ] Assess resource needs (budget, personnel, tools)
  • [ ] Create detailed compliance roadmap with internal deadlines
  • [ ] Establish compliance team or assign responsibilities

Months 7-12: Implementation Begins

  • [ ] Implement secure development lifecycle (SDLC) processes
  • [ ] Begin generating SBOMs for all products
  • [ ] Establish vulnerability management program
  • [ ] Create or update security testing procedures
  • [ ] Draft technical documentation templates
  • [ ] Set up incident response and reporting procedures

Months 13-18: Technical Compliance

  • [ ] Conduct security assessments on all products
  • [ ] Address identified vulnerabilities and security gaps
  • [ ] Complete conformity assessment for each product
  • [ ] Prepare EU Declarations of Conformity
  • [ ] Finalize all technical documentation
  • [ ] Update product documentation with required security information

Months 19-24: Final Preparations

  • [ ] Complete testing and validation of all compliance measures
  • [ ] Engage notified body (if required for Class I/II products)
  • [ ] Prepare CE marking and labeling updates
  • [ ] Train support and sales teams on CRA requirements
  • [ ] Update website, marketing materials, and documentation
  • [ ] Conduct final pre-enforcement readiness review

Don't Wait Until Month 24

While you have 36 months until full enforcement, waiting until the deadline approaches creates unnecessary risk. Start implementing changes now so you have time to test, refine, and address unexpected challenges.

Phase 2: Enforcement Period (Month 36 Onward)

At 36 months after the CRA enters into force, all requirements become fully applicable. From this date forward:

  • New products placed on the market must comply with all CRA requirements
  • Substantial modifications to existing products trigger compliance obligations
  • Security update obligations apply to all products, including those placed on market before enforcement
  • Incident reporting requirements are active and must be followed
  • Market surveillance authorities can conduct audits, request documentation, and enforce penalties

Grace Periods and Exceptions

Products already on the market before the enforcement date may continue to be sold during a limited grace period, but this should not be relied upon as a compliance strategy. The exact duration of grace periods is defined in the final regulation text.

Important: Security update obligations apply to all products regardless of when they were placed on the market. You cannot avoid CRA obligations simply by releasing products before enforcement.

The Risk of Missing Deadlines

Failing to meet CRA deadlines carries significant consequences:

Business Consequences

  • Market exclusion: Non-compliant products cannot be legally sold in the EU
  • Existing sales blocked: Marketplaces and distributors may refuse to carry non-compliant products
  • Revenue loss: Unable to serve EU customers until compliance achieved
  • Competitive disadvantage: Compliant competitors capture your market share
  • Customer trust damage: Non-compliance signals poor security practices

Legal and Financial Penalties

  • Fines up to €15 million or 2.5% of global annual turnover (whichever is higher) for most serious violations
  • Fines up to €10 million or 2% of turnover for incorrect/incomplete information
  • Product recalls: Authorities can order withdrawal of non-compliant products from market
  • Injunctions: Courts can issue orders prohibiting sales
  • Liability exposure: Potential civil liability for damages caused by non-compliant products

Operational Impacts

  • Last-minute compliance rush: Expensive, stressful, and error-prone
  • Resource strain: Diverting resources from product development and innovation
  • Quality compromises: Rushing compliance increases risk of mistakes
  • Team morale: Crisis-mode operations cause burnout and turnover

Action Items by Date

Right Now (Today)

  • Read this guide and share with stakeholders
  • Subscribe to CRA regulatory updates
  • Bookmark official EU resources and guidance
  • Assess your product portfolio against CRA scope
  • Register for CRA Compliance Suite free trial

This Month

  • Conduct preliminary gap analysis
  • Create list of all products requiring compliance
  • Estimate budget and resource needs
  • Generate first SBOM using automated tools
  • Draft initial compliance roadmap

Next 3 Months

  • Establish compliance team and governance
  • Begin implementing secure development practices
  • Set up vulnerability management program
  • Start technical documentation process
  • Conduct security assessment on highest-priority products

Next 6 Months

  • Complete conformity assessment for flagship products
  • Establish incident response procedures
  • Generate SBOMs for all current products
  • Draft EU Declarations of Conformity
  • Begin addressing identified security gaps

Next 12 Months

  • Complete technical compliance for all products
  • Finalize all documentation and declarations
  • Engage notified body (if applicable)
  • Prepare CE marking and labeling
  • Train organization on CRA obligations

Don't Fall Behind on CRA Compliance

CRA Compliance Suite helps you meet every deadline with automated SBOM generation, vulnerability scanning, and compliance documentation. Start your free trial today and get ahead of the compliance timeline.

Start Free Trial View Compliance Checklist

Staying Up to Date on Timeline Changes

While the CRA framework is largely settled, specific dates may shift as the legislative process concludes. Stay informed by:

  • Monitoring the European Commission website for official announcements
  • Following ENISA (EU cybersecurity agency) publications
  • Subscribing to CRA Compliance Suite newsletter for regulatory updates
  • Joining industry associations and working groups focused on CRA
  • Consulting with legal counsel specializing in EU digital regulation

Conclusion: The Time to Act Is Now

The CRA compliance deadline may seem distant, but the work required to meet it is substantial. Organizations that start now will have time to implement changes thoughtfully, test thoroughly, and build robust security practices into their development culture.

Those who wait will face a costly, stressful scramble as the deadline approaches—with all the quality, security, and business risks that entails.

Don't be caught unprepared. Use the timeline in this guide to plan your compliance journey, and start taking action today.

Related Articles

CRA Compliance Roadmap

Step-by-step guide to achieving compliance before the deadline.

What is the EU Cyber Resilience Act?

Complete overview of CRA requirements and scope.

CRA for WordPress Developers

WordPress-specific compliance guidance and best practices.

About CRA Compliance Suite

We monitor CRA regulatory developments closely and update our platform to reflect the latest requirements. Our team tracks legislative changes, guidance updates, and enforcement developments to ensure you stay compliant throughout the CRA lifecycle.