CRAReadiness Reg. (EU) 2024/2847
EU Cyber Resilience Act · reporting duty from 11 Sep 2026

Is your software caught by the CRA — and can you report in 24 hours?

From 11 September 2026, makers of products with digital elements must report actively exploited vulnerabilities within 24 hours — for products already on the market, including software you shipped years ago. Find out if you're in scope, your class and conformity route, and get the reporting runbook.

Free scope check

Are you in scope of the CRA?

Four questions. This is a screening against the regulation and the Commission's March 2026 draft guidance — not legal advice.

What are you placing on the EU market?
Can it connect to a network or another device?
Is your cloud service one a separate product needs to function? (remote data processing)
The reporting duty

A 24-hour clock — for products you already shipped.

Full CRA compliance is due 11 December 2027, but the incident-reporting obligation bites first, on 11 September 2026 — and it reaches back to products already on the market.

The clock

24h / 72h / 14 days

Early warning within 24 hours of awareness, full notification within 72 hours, final report within 14 days of a fix — to your CSIRT and ENISA via the new Single Reporting Platform.

Art. 69(3)

It applies to legacy products

The reporting duty covers products already on the market — including software you shipped years ago that's still in use. "It doesn't matter that you launched in 2019."

Scope

SaaS is (mostly) out

The March 2026 guidance confirmed standalone SaaS is out of scope — unless it's a remote data processing solution a product needs to function. Non-commercial open source is out until commercialised.

The stakes

Up to €15m or 2.5%

Fines reach €15 million or 2.5% of worldwide turnover. Product classes (default / important / critical) set whether you self-assess or need a notified body.

The trigger is usually external. An enterprise customer's procurement questionnaire asking about CRA readiness, a distributor asking about CE-marking plans, or the September date hitting the trade press. The report includes a forwardable section that answers that questionnaire.
How it works

Your position, plus the runbook.

1

Describe your products

Product type, delivery model, connectivity, open-source status. No account.

2

We map the regulation

Scope (with the SaaS/RDPS reasoning), product class, conformity route, and the reporting duty — cited to the article and the March 2026 guidance.

3

Get the report + runbook

A dated position report plus the 24/72/14 incident procedure as a ready-to-adopt internal document, and the customer-questionnaire answer.

Get my report

Tell us about your products

The report reflects exactly what you enter.

€99one payment · PDFReg. (EU) 2024/2847

One per line. e.g. "on-prem inventory app", "Wi-Fi thermostat", "commercial SDK".

Primary delivery model
Established in the EU?

Non-EU makers may need an authorised representative.

Any product still selling that you shipped before 2024?

Legacy products carry the reporting duty too (Art. 69(3)).

Security-sensitive category?

Password managers, VPNs, firewalls, OS, identity, etc.

A screening of your answers against Regulation (EU) 2024/2847 and the Commission's non-binding draft guidance — not legal advice or a conformity assessment. Out-of-scope means out of scope of the CRA (other rules, e.g. NIS2, may still apply). Secure checkout via Stripe.

Questions

What you're buying

Does the CRA apply to SaaS?

The Commission's March 2026 draft guidance confirmed standalone SaaS is out of scope — ending a live debate — unless the cloud component is a "remote data processing solution" without which the product can't perform its function. The report shows the reasoning for your specific case, with the citation.

Does it really apply to old software?

Yes. Article 69(3) applies the reporting obligation to products already on the market — including software shipped years ago that's still in use. This turns a 2027 compliance project into a September 2026 reporting readiness one.

What exactly must I do from 11 September?

Report actively exploited vulnerabilities and severe incidents on a clock: early warning within 24 hours of awareness, full notification within 72 hours, and a final report within 14 days of a fix — via the new Single Reporting Platform to your CSIRT and ENISA. The report includes a ready-to-adopt runbook for exactly this.

Is my open-source project caught?

Non-commercial open source is out of scope. But commercialise it, or integrate it into a commercial product, and it's in — with a new "steward" category for foundations. The checker asks the commercial-activity question that decides it.

Is this legal advice?

No. It's a screening of your answers against the regulation and the (non-binding, draft) Commission guidance, cited so you can verify. The SaaS/RDPS boundary and class edges are genuinely contested — confirm with counsel or a notified body before relying on it for market-access decisions.