What actually changes on 11 September 2026

The EU Cyber Resilience Act sets a hard reporting duty that begins on 11 September 2026. Once a manufacturer has a reasonable degree of certainty that a vulnerability in one of its products is being actively exploited, or that a severe incident has hit the security of that product, the clock starts. An early warning must reach the EU cybersecurity agency ENISA and the relevant national CSIRT within 24 hours, routed through a single reporting platform that notifies both at once.

The 24-hour warning is not the end of it. A fuller notification is due within 72 hours, and a final report within 14 days once a corrective or mitigating measure is available. The trigger is not full forensic proof. An ongoing investigation does not stop the clock, so the practical question for an owner is simple: could your team detect the signal, decide it qualifies, and file inside one working day?

Why this reaches products you already sold

The point that catches many operators off guard is scope. The obligation is not limited to products launched after the deadline. As long as a product with digital elements remains on the EU market on or after 11 September 2026, its vulnerabilities and severe incidents fall under the reporting duty, including legacy units and older lines still being sold. A connected sensor, a machine controller, or a software component shipped years ago can pull you into a 24-hour filing.

This is where the exposure sits for a typical Mittelstand manufacturer. The engineering was signed off long ago, the product is mature, and no one owns a 24-hour reporting playbook for it. The current Commission guidance from March 2026 is the most authoritative reading available, but it is still in draft and not formally adopted, so some detail may shift. The core timelines and the reach into existing products are already clear enough to plan against.

What an owner can sensibly check now

Start with an honest map of what you actually sell that has digital elements, including embedded software and connected features in older lines. Then ask who inside the company would first hear that one of those products is being exploited, and how that reaches a decision-maker who can authorise a filing. If the honest answer is that the message would sit in an inbox over a weekend, you have found the gap. A named owner, a defined path, and a rehearsed 24-hour drill matter more here than a thick policy document.

None of this is legal advice, and the final shape of the guidance is not yet fixed. But the direction is set, and the deadline is close. Treating the reporting duty as an operational readiness question now, rather than a compliance memo later, is what separates the firms that file calmly from the ones that scramble. The work is mostly process and ownership, not new technology.