While the Cloud and AI Development Act grabbed the headlines, a second European clock is ticking — and it is already armed. From 11 September 2026, the reporting obligations under Article 14 of the Cyber Resilience Act (CRA) apply. Unlike CADA, which is still a proposal, the CRA is already adopted law. This deadline is hard.
What the reporting obligation entails
As soon as an organisation becomes aware of an actively exploited vulnerability or a serious security incident, a staged timeline applies: an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days after a corrective measure becomes available. The notifications run through the Single Reporting Platform operated by the EU Agency for Cybersecurity (ENISA).
Together with NIS2: a 24-hour mandate
The CRA does not stand alone. For essential and important entities (healthcare, energy, government, critical infrastructure), an early-warning obligation within 24 hours already applies under NIS2. Together they form what is known in practice as a 24-hour cyber mandate: regulated organisations must know, at very short notice, exactly what they are running and which components are exploitable, and must report it.
You can only report what you can see
The core of the challenge is visibility. Most organisations know their software list, but not the dependencies buried deep within that software: the vulnerable library inside an application, as with Log4Shell, that standard inventories miss. Without an up-to-date Software Bill of Materials (SBOM) and visibility into which vulnerabilities are actually being exploited, a report within 24 hours is a hope rather than a process.
“Sovereignty is not only about where your data sits, but also about whether you can account for your supply chain — demonstrably, and on time.”
The sovereign angle
For Sovereign AI-Grid, this fits seamlessly into the wider story: European, independent and demonstrably accountable infrastructure. Where CADA puts a yardstick to the compute side of sovereignty, the CRA gives the cyber side a hard, tested deadline. For regulated sectors that is not a "nice to have" but the threshold for entry — and the work starts now, not in September.
The CRA is laid down in Regulation (EU) 2024/2847; the reporting obligations apply to products with digital elements made available on the European market. The full text and explanation are available on Shaping Europe's digital future.