Artikel 71 Ikraftträdande och tillämpning

Summary What does Article 71 of the CRA regulation say?

This is the entry into force and application article, which is a standard closing provision in EU regulations.

It establishes when the Cyber Resilience Act becomes legally binding and when its obligations must actually be complied with.

Notably, while the regulation enters into force shortly after publication, full application is deferred to give economic operators and Member States time to prepare.

Two sets of provisions are carved out for earlier application, specifically the reporting obligations in Article 14 and the conformity assessment body framework in Chapter IV.

Important points:

The regulation applies in full from 11 December 2027, giving businesses time to prepare for compliance.
Article 14 (vulnerability and incident reporting obligations for manufacturers) applies earlier, from 11 September 2026.
Chapter IV (Articles 35 to 51), covering notified bodies and conformity assessment procedures, applies from 11 June 2026.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

1. Denna förordning träder i kraft den tjugonde dagen efter det att den har offentliggjorts i Europeiska unionens officiella tidning.
1. Denna förordning ska tillämpas från och med den 11 december 2027.
2. Artikel 14 ska dock tillämpas från och med den 11 september 2026 och kapitel IV (artiklarna 35–51) ska tillämpas från och med den 11 juni 2026.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.

Relevant recitals