Article 71 Entrée en vigueur et application

Summary What does Article 71 of the CRA regulation say?

This is the entry into force and application article, which is a standard closing provision in EU regulations.

It establishes when the Cyber Resilience Act becomes legally binding and when its obligations must actually be complied with.

Notably, while the regulation enters into force shortly after publication, full application is deferred to give economic operators and Member States time to prepare.

Two sets of provisions are carved out for earlier application, specifically the reporting obligations in Article 14 and the conformity assessment body framework in Chapter IV.

Important points:

The regulation applies in full from 11 December 2027, giving businesses time to prepare for compliance.
Article 14 (vulnerability and incident reporting obligations for manufacturers) applies earlier, from 11 September 2026.
Chapter IV (Articles 35 to 51), covering notified bodies and conformity assessment procedures, applies from 11 June 2026.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

1. Le présent règlement entre en vigueur le vingtième jour suivant celui de sa publication au Journal officiel de l’Union européenne.
1. Le présent règlement est applicable à partir du 11 décembre 2027.
2. Toutefois, l’article 14 est applicable à partir du 11 septembre 2026 et le chapitre IV (articles 35 à 51) à partir du 11 juin 2026.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.

Relevant recitals