Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
Compliance & Product Security

The Cyber Resilience Act: What 11 September 2026 Means for Makers of Digital Products

09.06.2026 · 3 min read

The first binding CRA obligations apply from 11 September 2026. What reporting actively exploited vulnerabilities, SBOMs and security by design mean in practice for manufacturers, importers and distributors.

In about three months a regulation turns into operational reality. From 11 September 2026 the first binding obligations of the Cyber Resilience Act (Regulation (EU) 2024/2847) take effect, and they happen to be the ones that demand the most process: reporting actively exploited vulnerabilities and severe security incidents. The remaining product and conformity obligations follow with full application on 11 December 2027.

Anyone who manufactures, imports or distributes products with digital elements in the EU should therefore treat September not as a distant date, but as the day a working reporting path has to exist.

What begins on 11 September 2026

The CRA requires manufacturers to report an actively exploited vulnerability or a severe security incident through a staged procedure. An early warning goes to the responsible CSIRT and to ENISA within 24 hours, a fuller notification follows within 72 hours, and a final report comes later. This runs through a single European reporting platform.

The distinction from NIS2 matters: there, an affected entity reports incidents in its own operations. Under the CRA, the manufacturer reports a vulnerability in its product, regardless of which customer is affected by its exploitation. Both regimes can apply at once, and they call for different reporting paths.

What is added by December 2027

The reporting duty is only the first building block. With full application, the CRA demands demonstrable security across the entire product lifecycle:

  • Security by design: security is part of development, not a later add-on. This includes secure default settings and an attack surface kept as small as possible.
  • Software Bill of Materials (SBOM): manufacturers must know and document the components and dependencies they ship. Without this inventory, a new vulnerability leaves the simple question unanswered: is my product affected?
  • Vulnerability management and updates: security updates must be provided for at least five years, or for the expected lifetime of the product if that is shorter.
  • CE marking: from December 2027, products with digital elements may no longer be placed on the EU market without CRA conformity.

There is no exemption for small and medium-sized enterprises. Anyone making or importing covered products falls under the regulation regardless of size.

What this means in practice

The reporting duty from September is organisationally harder than the short deadline suggests. Twenty-four hours to an early warning is no time to start clarifying who is responsible. It requires a named owner in advance, a documented process, and the technical ability to detect an incident promptly at all.

This is where two topics that are often handled separately come together: detecting (monitoring and security posture) and evidencing (a traceable record of who reported what and when). Anyone who has already built both for NIS2 or ISO 27001 can build on it. In our Datargo Monitor module this pattern of continuous monitoring and auditable evidence is built in, but the regulatory requirement stands independently of any tool: without reliable detection, every reporting deadline runs empty.

What is worth doing now

Three steps pay off before September. First, clarify which of your own products count as “products with digital elements” and thus fall within scope. Second, set up the reporting process for actively exploited vulnerabilities, with clear ownership and the 24-hour, 72-hour and final-report deadlines. Third, begin building an SBOM, because it is the precondition for being able to say at all, in an emergency, whether you are affected.

The 11th of September 2026 marks not the end of preparation, but the start of the obligation. The work behind it, detection and documentation, cannot be caught up in 24 hours.

Back to the blog

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy