TL;DR
What: The first operational phase of the Cyber Resilience Act takes effect on September 11, 2026. Manufacturers of products with digital components must report actively exploited vulnerabilities and serious security incidents.
Deadlines (three-stage process): Early warning within 24 hours, full report within 72 hours, final report within 14 days (one month for incidents). Reports are submitted centrally via the ENISA Single Reporting Platform to the BSI and ENISA. DigiFors GmbH
Who is affected: Plugin and theme providers, custom web development using proprietary code, SaaS and tool providers. No lower threshold for SMEs. Non-commercial open-source software is exempt; as soon as money changes hands (premium versions, support contracts), the CRA applies. ADVISORI
Preparation (4 points): Product inventory, vulnerability monitoring with an escalation chain, securing the update channel, SBOM documentation. Effort: 15 to 25 person-days for initial setup.
Penalties: Up to 15 million euros or 2.5 percent of global annual revenue.
On June 25, 2026, the BSI hosted the second meeting of the CRA market surveillance authorities in Berlin. The outcome is clear: The first phase of the Cyber Resilience Act takes effect on September 11, 2026. Anyone who manufactures or distributes products with digital elements will be required to report, starting on that date, any actively exploited vulnerabilities and any serious security incidents.
At first glance, this sounds like an issue for large corporations. But it isn’t. Anyone who operates a website with a plugin architecture, offers their own software, or sells custom-developed software falls within the scope of the law. In this article, we explain what the obligation specifically entails, who is affected, and how SMEs can prepare by September.
Source: BSI press release dated June 26, 2026.
WHAT THE CRA REGULATES
The Cyber Resilience Act applies throughout the EU. It covers all products with digital elements. This doesn’t just mean hardware devices. Software, web applications, IoT components, apps, and even cloud services are included as long as they are marketed in the EU.
An overview of the phases:
- September 11, 2026: Mandatory reporting of actively exploited vulnerabilities and serious security incidents
- December 2027: Full applicability; all products with digital elements must provide adequate cybersecurity
The first phase is the operational phase. The second phase is the structural phase. Preparations must be made for both.
Source: Golem.de on cyber resilience and compliance (as of June 24, 2026).
WHO MUST REPORT
The reporting obligation applies to manufacturers. The BSI defines the term broadly. Anyone who places a product with digital elements on the EU market under their own name is considered a manufacturer. Three typical SME scenarios are affected:
1. Plugin developers and theme providers. Anyone who sells a WordPress plugin, a TYPO3 extension, or a theme is a manufacturer—even if sales take place through the official marketplace.
2. Custom web development using proprietary code. Anyone who develops and maintains custom modules for clients falls under the definition of a manufacturer. The client project is the product.
3. SaaS and tool providers. Anyone who offers an online tool, a booking platform, or an API is a provider of the online service.
Pure service providers, such as hosting providers or consulting firms, are not directly subject to the reporting requirement. However, they have obligations to cooperate with their clients.
WHAT MUST BE REPORTED
The obligation applies in two scenarios.
Scenario 1: Actively exploited vulnerability. As soon as a vulnerability in a delivered product is actually exploited by attackers, the reporting requirement applies. Theoretical vulnerabilities are not subject to reporting. Active exploits are.
Scenario 2: Serious product-related security incident. A data breach, a ransomware attack, or tampering with the update chain. If the incident affects the product itself and is serious, the obligation applies.
Reports are submitted centrally via the European Single Reporting Platform, which is currently under development. This platform is not yet live. The BSI is currently working on machine-readable exchange formats. We expect the platform to be ready by early September 2026.
WHAT SMALL AND MEDIUM-SIZED ENTERPRISES NEED TO PREPARE BY SEPTEMBER
We recommend a clear four-point plan to our clients.
Point 1: Product inventory. List all digital products and components that your company distributes under its own name: plugins, themes, custom modules, SaaS services, and APIs. A two-column list is sufficient: product name plus the person responsible on the team.
Point 2: Establish vulnerability monitoring. You need a process that quickly assesses incoming security reports. Specifically: Who reviews reports from customers, security researchers, or external services? Who decides whether an exploit is active? Who submits the report to the Single Reporting Platform?
Point 3: Secure the update channel. The Cyber Resilience Act requires that security updates reliably reach the customer. If you distribute plugins via the official wordpress.org marketplace, you already have this channel in place. If you operate your own update servers, verify their integrity now. Digital signatures, HTTPS-only access, and audit logs are the minimum standards.
Point 4: Create documentation. You need concise documentation for each product: What components are included? Which third-party libraries are used? Who is responsible? This Software Bill of Materials will be mandatory starting in December 2027 anyway. Those who start in 2026 will have a head start.
Source: BSI press release on the AdCo-CRA meeting.
SIX WELL-INTENDED MISTAKES
In our practice, we’re currently seeing six typical misconceptions.
Mistake 1: “We’re too small.” The regulation does not set a lower threshold for SMEs regarding the reporting requirement. Even a plugin with 500 installations falls within the scope of the regulation as soon as money changes hands.
Mistake 2: “Open source is exempt.” Only purely open-source projects with no commercial connection are exempt from many obligations. As soon as a plugin is sold with a premium license, the CRA applies.
Mistake 3: “The hosting provider handles it.” Hosting providers are not the manufacturers of the software they host. Whoever produces a plugin bears the responsibility.
Mistake 4: “We’re waiting for the BSI.” The BSI publishes guidelines. The obligation still takes effect on September 11, 2026. Anyone who waits until then to start will have a problem.
Mistake 5: “We’ll only report it if the customer asks.” The reporting obligation is proactive. As soon as an active exploit becomes known, the deadline begins—regardless of customer inquiries.
Mistake 6: “That’s a U.S. tool; we’re out of it.” Anyone who distributes a U.S. plugin in the EU or uses it in their own projects and earns money from it has a duty to cooperate. The location of distribution is what counts.
OUR PRACTICAL RECOMMENDATION
We are currently setting up exactly these structures with two clients. Both are WordPress plugin providers with installations in the low four-digit range. The effort required for the complete initial setup is approximately 15 to 25 person-days.
Breakdown:
- Product inventory plus responsibilities: 1–2 days
- Vulnerability monitoring process with escalation plan: 3–5 days
- Update channel audit and signature setup: 5–8 days
- Software Bill of Materials per product: 4–6 days
- Contingency plan plus reporting templates: 2–4 days
If you handle the preparation internally, this timeframe is sufficient. If you use external support, plan for a one-time cost in the three- to four-digit range. Ongoing costs thereafter: minimal.
Important: The September phase is the simpler one. The December 2027 phase requires a technical cybersecurity architecture. Those who do the September preparatory work thoroughly will have a much shorter path to 2027.
OVERLAP WITH OTHER OBLIGATIONS
The CRA isn’t the only regulation. Three other EU requirements apply to the same companies.
NIS-2. For critical and highly critical infrastructure operators with 50 or more employees. Companies operating in sectors such as energy, water, digital, and healthcare have additional obligations. The BSI updated the registration platform in June 2026.
EU AI Act. Article 50 takes effect on August 2, 2026. AI-generated content must be labeled.
GDPR. The existing reporting requirements for data breaches remain in effect.
SMEs are better off not treating the four mandatory areas separately. When developing the CRA plan, organizations should review the other three areas in parallel. This eliminates duplication of effort.
Source: BSI on Critical Infrastructure and NIS-2.
OUR ASSESSMENT
At first glance, the September phase seems like a bureaucratic hurdle. In reality, it enforces useful best practices: product inventory, vulnerability assessment, and security updates. These are things that any responsible software company needs anyway.
The difficulty does not lie in the preparation. It lies in recognizing that you are affected at all. We’re currently hearing many CEOs say, “But we don’t sell cybersecurity products.” Correct. But they sell products with digital elements. That’s enough.
Anyone who starts now has eight weeks to prepare before September. That’s enough.
CHECKLIST FOR PREPARATION
- Clarify: Do we sell plugins, themes, custom modules, SaaS services, or APIs?
- Create an inventory list: product, version, person in charge, third-party libraries
- Designate a vulnerability monitoring contact: one person, one email address, one response time
- Check the update channel: signature, HTTPS, audit log, rollback capability
- Prepare a reporting template: technical description, scope of impact, corrective actions
- Schedule a meeting with management: CRA status check as of August 31, 2026
We help SMEs prepare for CRA without all the compliance drama. We analyze your products, build your monitoring structure, and work with you to draft the reporting templates. If you want to know whether and how you are affected, contact us at: waterproof.agency/kontakt/.
