Source: OJ L 2024/2847, 20.11.2024

Current language: EN

Article 71 Entry into force and application

Summary What does Article 71 of the CRA regulation say?

This is the entry into force and application article, which is a standard closing provision in EU regulations.

It establishes when the Cyber Resilience Act becomes legally binding and when its obligations must actually be complied with.

Notably, while the regulation enters into force shortly after publication, full application is deferred to give economic operators and Member States time to prepare.

Two sets of provisions are carved out for earlier application, specifically the reporting obligations in Article 14 and the conformity assessment body framework in Chapter IV.

Important points:

  • The regulation applies in full from 11 December 2027, giving businesses time to prepare for compliance.
  • Article 14 (vulnerability and incident reporting obligations for manufacturers) applies earlier, from 11 September 2026.
  • Chapter IV (Articles 35 to 51), covering notified bodies and conformity assessment procedures, applies from 11 June 2026.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

    1. This Regulation shall apply from 11 December 2027.

    2. However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod