On June 11, 2026, the EU Cyber Resilience Act reached a critical operational milestone: EU member states were required to designate and formally notify the conformity assessment bodies responsible for evaluating CRA compliance. This is not a policy announcement. It is the moment the compliance infrastructure became operational — the system that will determine whether your product can legally enter the EU market is now running.

For IoT and hardware manufacturers, the question is no longer whether CRA will happen. It is whether you will be ready when enforcement begins.

What actually happened on June 11

To understand why this date matters, you need to understand how EU product regulation works in practice.

When a regulation like CRA passes, it does not enforce itself immediately. There is a gap between the law entering into force and the system being capable of processing and verifying compliance. That gap closes in stages.

The first stage is the designation of Notified Bodies — the accredited third-party organisations that conduct conformity assessments for products in the Important and Critical categories. Without designated Notified Bodies, manufacturers of higher-risk products have nowhere to go for mandatory third-party certification. The market is ready in principle but not in practice.

June 11 is the date by which EU member states committed to having this infrastructure in place. Notified Bodies are now officially designated. The pipeline from "we need to certify our product" to "our product has CE marking" is now open end to end.

This has two direct consequences for manufacturers.

First, if your product falls into the Important Class I or Class II category — and some devices that manufacturers assume are Default may not be — the path to certification now has real timelines attached to it. Notified Bodies have limited capacity and their queues will fill.

Second, the existence of an operational assessment infrastructure signals to national market surveillance authorities that enforcement has a foundation. They now have the apparatus to act.

The three CRA deadlines in context

To put June 11 in perspective, it helps to look at all three operational milestones together:

| Date | What happens |
| --- | --- |
| June 11, 2026 | Notified Bodies designated. Conformity assessment infrastructure operational. |
| September 11, 2026 | Mandatory vulnerability and incident reporting obligations enter into force. |
| December 11, 2027 | Full CRA application. No product may be placed on the EU market without CE marking. |

Each milestone is a step in the same direction. The EU is not announcing these deadlines and then waiting quietly. The infrastructure is being built precisely because enforcement is the intended outcome.

What this means if you are already selling in the EU

If your connected product is on the EU market today, September 2026 is your most immediate concern — not December 2027.

Three and a half months from now, you need to have a functioning vulnerability management process. Not a plan for one. An actual process: someone monitoring your components for new CVEs, a defined internal escalation path, a published security contact for external researchers, and the ability to generate and submit a report to a government authority within 24 hours.

Most SME manufacturers I speak with have none of this. The firmware ships, the product sells, and that is where the manufacturer's attention ends. CRA changes that model permanently.

A connected device is not a one-time transaction with the customer. It is an ongoing responsibility. Every unit in the field is a potential liability until its support period ends — and that support period now has to be publicly declared before the product goes to market.

What this means if you are preparing to enter the EU

The June 11 milestone changes your planning horizon in a practical way.

If your product will be in the Important Class I or II category and you have not started the conformity assessment process, you now need to factor Notified Body availability into your timeline. These organisations run scheduled assessments. If you approach them in Q3 or Q4 2026 expecting a six-week turnaround before your planned market launch, you may find the wait significantly longer.

For Default Products — which represent the large majority of consumer and industrial IoT devices — the path is simpler. Self-assessment, technical documentation, SBOM, Declaration of Conformity, CE marking. No Notified Body queue. But "simpler" does not mean quick. The documentation burden is real, and the underlying technical requirements — secure by default, signed firmware updates, unique device identity, published support period — require architectural decisions that take months to implement and validate correctly.

The manufacturers entering the EU market in 2027 who avoid last-minute scrambles are the ones treating this as an engineering project starting now, not a compliance checkbox to handle in Q4 2027.

The question I hear most often — and the honest answer

"Do we really have to do all of this for a simple connected device?"

I understand why manufacturers ask this. If you make a smart thermostat or a BLE-connected sensor, it can feel disproportionate to implement device-level cryptographic identity, signed firmware chains, and formal threat models.

The honest answer is: yes, you do — and the reasoning is sound.

The Mirai attack in 2016, which disrupted significant portions of internet infrastructure, was executed using compromised consumer IoT devices: cameras, DVRs, home routers. Not industrial control systems. Not critical infrastructure. Consumer devices that shipped with default credentials and no firmware verification.

The EU's position, reflected in the CRA regulation text, is that manufacturers of consumer connected devices bear responsibility for the downstream security of the networks those devices join. A compromised smart bulb in a corporate environment can be an entry point for a ransomware attack. Regulations that acknowledge this are not disproportionate — they are a response to a documented pattern of harm.

This does not make implementation free or easy. But it does mean the manufacturers who argue it is not their problem are arguing against both the law and the evidence.

What the competitive landscape looks like now

Here is the dynamic that does not get discussed enough: CRA compliance is a market barrier, and that barrier works in both directions.

For established EU-based manufacturers who invest in compliance, it raises the cost of entry for competitors who have not. A product that cannot carry CE marking after December 2027 cannot be legally sold in the EU. For quality-focused manufacturers, this is not a burden — it is a structural advantage over low-cost competitors who built security as an afterthought.

For manufacturers outside the EU — particularly in markets where product security regulation has been less rigorous — CRA is the end of the strategy of selling into Europe on price alone. Compliance is now table stakes.

The manufacturers who move first have a window to build compliance competency, establish documented processes, and accumulate the technical documentation that takes time to produce properly. The manufacturers who wait will be compressing the same work into a shorter timeline, at higher cost, with less margin for iteration.

Three things to do this week

Given that June 11 has passed and the next deadline is September 11 — less than 100 days away — the most useful thing is to be direct about where to focus.

First: determine your product's CRA category. Default, Important Class I, or Important Class II. If you are unsure, this is the single most important question to resolve. It determines everything that follows — your documentation requirements, whether you need a Notified Body, and your realistic timeline to compliance.

Second: set up a security contact. A security@yourdomain.com address and a public vulnerability disclosure policy. This takes less than an hour and satisfies one of the September 2026 requirements. There is no reason to have this outstanding.

Third: inventory your components. Start building your SBOM. List every software component, library, and dependency in your product with version numbers. You cannot monitor for vulnerabilities you have not catalogued, and you cannot report on what you have not tracked.
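
A starting point for the third step, as an added example that is not part of the original article: it turns a component inventory into a minimal SBOM and separates components that match an advisory from components that cannot be monitored because no version was recorded. The CycloneDX JSON layout is an assumed format choice (the article names none), and the inventory, device, and advisory IDs are constructed placeholders.

```python
import json

# Constructed inventory for a hypothetical BLE sensor firmware image.
INVENTORY = [
    {"name": "mbedtls", "version": "3.4.0"},
    {"name": "freertos-kernel", "version": "10.5.1"},
    {"name": "vendor-ble-stack", "version": None},  # binary blob, version never recorded
]

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "mbedtls", "fixed_in": "3.5.0"},
    {"id": "EXAMPLE-0002", "name": "freertos-kernel", "fixed_in": "10.4.0"},
]

def parse_version(text):
    """Turn '3.4.0' into (3, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def build_sbom(inventory):
    """Return a minimal CycloneDX-style document for the inventory."""
    components = []
    for item in inventory:
        entry = {"type": "library", "name": item["name"]}
        if item["version"]:
            entry["version"] = item["version"]
            entry["purl"] = f"pkg:generic/{item['name']}@{item['version']}"
        components.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "version": 1, "components": components}

def triage(sbom, advisories):
    """Split components into (affected, unmonitorable)."""
    affected, unmonitorable = [], []
    for comp in sbom["components"]:
        if "version" not in comp:
            # No version recorded: no advisory can ever be matched against it.
            unmonitorable.append(comp["name"])
            continue
        for adv in advisories:
            if (adv["name"] == comp["name"] and
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                affected.append((comp["name"], comp["version"], adv["id"]))
    return affected, unmonitorable

if __name__ == "__main__":
    sbom = build_sbom(INVENTORY)
    print(json.dumps(sbom, indent=2))
    print(triage(sbom, ADVISORIES))
```

The unmonitorable list is the part to act on first: every entry in it is a component you have catalogued by name only, so no CVE feed can tell you whether it is affected.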

None of these steps require a large budget or a security team. They require a decision that CRA compliance is part of your product roadmap — and that decision is better made now than in November 2027.

FAQ

Is the June 11 deadline the same as the main CRA compliance deadline?

No. June 11, 2026 is when EU member states designate conformity assessment bodies (Notified Bodies). The main product compliance deadline is December 11, 2027. The vulnerability reporting obligation starts September 11, 2026.

Does my product need a Notified Body assessment?

Only if it falls into the Important Class II or Critical categories. The large majority of consumer and industrial IoT devices are Default Products, which require only self-assessment and internal documentation.

How do I know if my product is Default or Important?

The classification is based on the product's function and cybersecurity risk. Products with security-specific functions — identity management, access control, network protection — are more likely to fall into Important categories. Consumer IoT devices that do not perform security functions are typically Default. When in doubt, get a formal classification review.

What happens if I sell in the EU and miss the September 2026 reporting deadline?

From September 11, 2026, failure to report an actively exploited vulnerability within 24 hours can result in fines under Article 64 of the CRA — up to €15 million or 2.5% of global annual turnover. Small enterprises may have some protections on the 24-hour deadline specifically, but the reporting obligation itself still applies.

How long does it take to get CRA-compliant?

For a Default Product with no existing security architecture, realistic timelines run 4–6 months from the start of implementation to signed Declaration of Conformity. Products with partial security measures already in place can move faster. Starting now still leaves time to reach compliance before December 2027 — but that window is finite.


Valentyna Shulga is the CEO of Platanor Technologies. Platanor works with IoT and hardware manufacturers on the embedded security architecture and documentation required for CRA compliance. You can reach our team at platanor.com/contact.