The Cyber Resilience Act doesn't switch on all at once. Its obligations phase in over roughly three years, which is either a comfortable runway or a trap — depending on whether you use the time.
The three windows
- Entry into force. The clock starts. Nothing is enforced yet, but the requirements are now known and fixed — this is your preparation window.
- Reporting obligations (~21 months in). The duty to report actively exploited vulnerabilities and severe incidents to authorities begins earlier than the rest.
- Full application (~36 months in). The complete set of obligations applies. Products placed on the market must conform.
(Exact dates depend on the official publication — always confirm against the current regulation.)
What to do now
The preparation window is the cheap time. Stand up your SBOM generation, wire in vulnerability monitoring, and start the evidence habit while there's no deadline pressure. Teams that treat the runway as free time will be doing three years of work in the last three months.
Proofwright is built to get you ready across the whole timeline, not just at the deadline.