Definition
A September 2026 hard deadline for software and hardware suppliers to meet EU cybersecurity standards, including 24-hour early warning notification and 72-hour vulnerability disclosure timelines. Organizations selling connected or software products into the EU must comply or face penalties and market access restrictions.
Why it matters
Unlike the AI Act (which has multi-year implementation), the CRA is hard-deadline regulatory compliance. Non-compliance means you cannot legally sell into EU markets. For AI infrastructure vendors and SaaS platforms, CRA compliance is now operationally critical.