
The EU Cyber Resilience Act's First Deadline Is in Five Months — Are Swiss Manufacturers Ready?

Most organisations know the CRA's full compliance date is December 2027. Far fewer have internalised that the vulnerability and incident reporting obligations begin on 11 September 2026 — covering products already on the market. Swiss manufacturers selling into the EU have until September to build processes they do not yet have.

The EU Cyber Resilience Act entered into force on 10 December 2024. Its full compliance deadline — the date by which all manufacturers of products with digital elements must meet all CRA requirements — is 11 December 2027. That date is what appears in most compliance roadmaps, board presentations, and vendor communications. It is also not the most urgent deadline Swiss organisations face under the CRA.

Article 14 of the CRA establishes reporting obligations for actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements. These obligations apply from 11 September 2026: fifteen months before the full compliance deadline, and five months from today. Any Swiss company that manufactures products with digital elements placed on the EU market must be capable of detecting, assessing, and reporting a qualifying vulnerability to ENISA and the competent national CSIRT within 24 hours of becoming aware of it. If that capability does not exist today, five months is not a comfortable runway.

What the September Deadline Actually Requires

From 11 September 2026, manufacturers subject to the CRA must operate a three-stage reporting process for qualifying security events. The first notification, an early warning, must reach both ENISA and the competent national CSIRT within 24 hours of the manufacturer becoming aware of an actively exploited vulnerability in its product (or of a severe incident). A fuller vulnerability or incident notification must follow within 72 hours of awareness. For an actively exploited vulnerability, a final report is due no later than 14 days after a corrective or mitigating measure becomes available; for a severe incident, the final report is due within one month of the incident notification.

The reporting channel will be ENISA's CRA Single Reporting Platform (SRP), which the agency is required to have operational by 11 September 2026. Manufacturers submit once to the SRP, and the notification is simultaneously made available to the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment in the Union. Swiss manufacturers, as non-EU entities, must identify which Member State's CSIRT is competent for them based on their EU presence: typically the CSIRT of the country where their EU legal entity or authorised representative is established.

◆ Key Takeaway

The September 2026 deadline is not theoretical. It applies to products already on the EU market before the full CRA compliance date of December 2027. A Swiss manufacturer that shipped IoT devices, industrial controllers, software platforms, or any other product with digital elements to EU customers before December 2027 must still comply with the reporting obligations from September 2026 onward — even for legacy products they consider stable or end-of-life.

Who Is In Scope

The CRA applies to any product with digital elements made available on the EU market in the course of a commercial activity. The regulation defines a product with digital elements broadly: any software or hardware product, including components placed on the market separately and any remote data processing solution it depends on, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This encompasses an exceptionally wide range of products. Routers, switches, firewalls, IoT devices, industrial automation controllers, enterprise software, operating systems, mobile applications, cloud-connected devices, and embedded firmware all fall within scope if they are sold into the EU market. The main carve-outs are products already covered by sectoral EU legislation with equivalent cybersecurity requirements, notably medical devices under the MDR and IVDR, type-approved motor vehicles, and civil aviation and marine equipment; a manufacturer in those sectors should confirm which regime applies rather than assume the CRA does not.

For Swiss companies, the geographic scope is determined not by where the company is headquartered but by where the product is sold. A Zurich-based industrial automation company selling programmable logic controllers to German manufacturers is fully in scope. A Geneva software firm whose platform is licensed by French hospitals is fully in scope. A Ticino hardware manufacturer whose network devices are distributed across EU retail channels is fully in scope. The CH-to-EU bilateral trade relationship does not provide an exemption — CRA obligations attach to market placement, not manufacturer nationality.

Open-source software developed without commercial intent is largely exempted, but the exemption is narrower than many open-source maintainers assume. If the software is monetised through commercial support, commercial licensing, or integration into a paid product, the commercial activity threshold may be met. Swiss technology companies that maintain open-source projects with commercial derivatives should assess their scope position carefully.

The Capability Gap Most Organisations Have Not Closed

Meeting the September 2026 reporting obligation requires three distinct organisational capabilities that most manufacturers — including sophisticated technology companies — do not currently have fully operational.

The first is product inventory and Software Bill of Materials (SBOM) coverage. You cannot report an actively exploited vulnerability in your product within 24 hours if you do not know whether your product contains the affected component. The 24-hour clock starts when you become aware that a vulnerability in your product is being actively exploited, and that awareness does not have to arrive through a private notification: a public advisory, a known-exploited-vulnerabilities catalogue entry, or a customer's incident report can all start the clock. A manufacturer who discovers three weeks after an exploited-in-the-wild advisory that its product contained the vulnerable library has potentially already exceeded the reporting window. Continuous SBOM maintenance with automated matching against vulnerability and exploitation feeds is the only operational approach that makes 24-hour compliance achievable at scale.

The second capability is a defined incident classification process that distinguishes between qualifying CRA reportable events and routine vulnerability management activities. Not every CVE affecting a product component triggers CRA reporting — the obligation is specifically tied to actively exploited vulnerabilities and severe incidents. Organisations need a documented decision framework that security teams can apply consistently, under time pressure, to determine whether a given situation crosses the reporting threshold.

The third capability is an established communication path to the ENISA SRP and to the competent national CSIRT. This sounds administrative but has real operational complexity. Swiss manufacturers need to have identified their authorised EU representative or main establishment in the Union, established contact with the competent CSIRT, tested the reporting channel before an actual incident forces them to use it for the first time, and integrated the reporting workflow into their existing incident response procedures.
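The first two capabilities, SBOM matching and a consistent reportable-or-not decision, are mechanical enough to be scripted. The following is an added example, not code from the article or from any regulator's tooling: it takes a constructed CycloneDX-style SBOM fragment and a constructed OSV-style vulnerability feed (the package names, version ranges and advisory identifiers are made up and describe no real vulnerability), flags the components whose shipped version falls inside an affected range, splits the findings into CRA-reportable (actively exploited) versus routine vulnerability management, and computes the Article 14 early-warning and notification clocks from the moment of awareness. The `actively_exploited` flag stands in for whatever exploitation signal the feed provides, and the version comparison is a deliberately simple numeric compare.

```python
"""Match an SBOM against a vulnerability feed and derive CRA Article 14 clocks.

Added example. The SBOM, the feed and all identifiers below are constructed
for illustration and do not describe real software or real vulnerabilities.
"""
from datetime import datetime, timedelta

# Constructed SBOM fragment in the shape of CycloneDX JSON, trimmed to the
# fields this example needs.
SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "edge-gateway-firmware", "version": "4.2.0"}},
    "components": [
        {"purl": "pkg:generic/libfoo@1.4.2", "name": "libfoo", "version": "1.4.2"},
        {"purl": "pkg:generic/libbar@2.0.9", "name": "libbar", "version": "2.0.9"},
        {"purl": "pkg:generic/libbaz@0.9.1", "name": "libbaz", "version": "0.9.1"},
    ],
}

# Constructed feed in an OSV-like shape. Ranges are [introduced, fixed).
# "actively_exploited" is an assumed field standing in for a KEV-style flag.
FEED = [
    {"id": "VULN-EXAMPLE-1", "package": "libfoo",
     "affected": [("1.0.0", "1.4.3")], "actively_exploited": True},
    {"id": "VULN-EXAMPLE-2", "package": "libbar",
     "affected": [("2.0.0", "2.0.5")], "actively_exploited": True},
    {"id": "VULN-EXAMPLE-3", "package": "libbaz",
     "affected": [("0.0.0", "1.0.0")], "actively_exploited": False},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; real SBOMs need a scheme-aware comparator."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, ranges) -> bool:
    """True if version lies in any half-open [introduced, fixed) range."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in ranges)


def match_sbom(sbom: dict, feed: list) -> list:
    """One finding per (component, advisory) pair where the shipped version is affected."""
    findings = []
    for comp in sbom["components"]:
        for adv in feed:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                findings.append({
                    "component": comp["purl"],
                    "advisory": adv["id"],
                    "actively_exploited": adv["actively_exploited"],
                })
    return findings


def classify(finding: dict) -> str:
    """Article 14 is triggered by active exploitation (severe incidents are not
    modelled here); everything else stays in routine vulnerability handling."""
    return "CRA_REPORTABLE" if finding["actively_exploited"] else "ROUTINE_VULN_MGMT"


def reporting_deadlines(aware_at_iso: str) -> dict:
    """Article 14 clocks for an actively exploited vulnerability, measured from
    the moment of awareness. The final report runs from the availability of a
    corrective or mitigating measure, which is not known at awareness time."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {
        "early_warning": (aware_at + timedelta(hours=24)).isoformat(),
        "vulnerability_notification": (aware_at + timedelta(hours=72)).isoformat(),
        "final_report": "14 days after a corrective or mitigating measure is available",
    }


def triage(sbom: dict, feed: list, aware_at_iso: str) -> list:
    """Match, classify, and attach deadlines to anything that is CRA-reportable."""
    results = []
    for finding in match_sbom(sbom, feed):
        entry = dict(finding, decision=classify(finding))
        if entry["decision"] == "CRA_REPORTABLE":
            entry["deadlines"] = reporting_deadlines(aware_at_iso)
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in triage(SBOM, FEED, "2026-09-14T09:00:00+00:00"):
        print(entry)
```

On the constructed input, libfoo 1.4.2 falls inside its affected range and is flagged as exploited, so it becomes a reportable finding with an early-warning deadline 24 hours after awareness; libbar 2.0.9 sits above the fixed version and produces no finding; libbaz is affected but not exploited and stays in routine vulnerability management. In production the same shape of logic would run on every feed update rather than on demand, because the passage above makes the point that the clock is already running by the time a human looks.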

The Swiss Domestic Dimension

Switzerland is not passively watching the CRA from outside the EU's regulatory perimeter. The Federal Council has tasked BACS, BAKOM, and SECO with preparing a draft law on the cyber resilience of digital products aligned with the CRA and the NIS2 Directive, with a target publication date of autumn 2026. Switzerland's trajectory is clearly toward domestic regulation that mirrors CRA requirements — meaning Swiss manufacturers who build CRA compliance capability now are not simply managing EU export obligations; they are also preparing for what will become a domestic requirement.

The existing Swiss Information Security Act already establishes a parallel reporting obligation for operators of critical infrastructure: notification of a significant cyberattack to the NCSC (now the Federal Office for Cybersecurity, BACS) within 24 hours, in force since 1 April 2025. Manufacturers in critical infrastructure sectors are therefore already operating under a 24-hour reporting clock on the operational side. Extending that discipline to the product vulnerability reporting domain required by the CRA is architecturally similar, even though the specific triggers and channels differ.

A Five-Month Compliance Roadmap

For Swiss manufacturers who need to close the capability gap before September 2026, the following sequencing reflects the dependencies between required actions.

April–May: Scope confirmation and product inventory. Confirm which products are in scope for the CRA based on EU market presence. For each in-scope product, establish or update the SBOM. Identify all third-party components and their current version status against known vulnerability databases. This exercise will frequently surface surprises — components that teams believed were up to date but are not, or dependencies inherited through the supply chain that were never explicitly tracked.

May–June: EU representative and CSIRT registration. If your organisation does not have an EU legal entity, identify and appoint an authorised representative in an EU member state. Determine which national CSIRT has competence for your reporting obligations. Review the ENISA SRP documentation and begin familiarisation with the platform ahead of its operational launch.

June–July: Reporting process design and documentation. Draft and approve internal procedures for identifying CRA-reportable events, escalating to the responsible decision-maker, preparing the notification, and submitting through the SRP. Integrate these procedures into your existing incident response playbooks. Define roles and responsibilities clearly — including who has authority to make the "reportable event" determination under time pressure.

August: Tabletop exercise and process validation. Run at least one tabletop exercise simulating a CRA-reportable event from initial detection through to final report submission. Identify gaps in the process, test the communication path to the relevant CSIRT, and document lessons learned. Incorporate corrections before the September deadline.

◆ Key Takeaway

The September 2026 CRA reporting deadline is the most concrete and immediately actionable compliance obligation currently facing Swiss manufacturers with EU market presence. The December 2027 full compliance date has dominated planning discussions, but the September deadline requires operational capability — not just policy documents. Five months is sufficient time to build that capability. It is not sufficient time to delay starting.

The Broader Signal

The CRA's September 2026 reporting deadline is the EU's first operationally binding cybersecurity obligation focused specifically on the product security lifecycle rather than the organisational security posture. It signals a clear regulatory direction: manufacturers are responsible for the security of their products throughout the product's operational life, not just at the point of sale. The 24-hour vulnerability disclosure requirement applies even to products shipped years before the CRA's entry into force — as long as they remain on the market and the vulnerability is actively exploited.

For Swiss manufacturers, this is the moment to treat product security not as an engineering discipline separate from compliance, but as a regulated activity with defined obligations, documented processes, and audit-ready evidence. The organisations that build this capability in the next five months will be well-positioned not only for September 2026 but for the full CRA compliance framework in December 2027 and for the equivalent Swiss domestic regulation that follows.