Meeting EU Cyber Resilience Act Reporting Obligations with Lucent Sky AVM

December 11, 2025

The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. While most of its requirements and provisions will not apply until December 2027, the reporting obligations for actively exploited vulnerabilities and severe incidents will apply from September 11, 2026. That gives manufacturers exactly nine months to prepare for and comply with those obligations.

Vulnerability reporting — the CRA’s overlooked obligation

Under the CRA, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products with digital elements, including products that were already on the EU market before the CRA took effect. The reporting requirements include:

Among these, the 72-hour vulnerability notification is likely to be the most time-sensitive. Within that window the manufacturer must describe the general nature of the exploit and of the vulnerability, any corrective or mitigating measures it has taken, and corrective or mitigating measures that users can take. For a manufacturer without a security testing program already in place, assembling that information in 72 hours can be a daunting task.

Evaluating and remediating exploited vulnerabilities

The reporting obligations require the manufacturer to provide information about the vulnerability and its exploitation, as well as any corrective measures taken. Article 14 (2) (b) of the Cyber Resilience Act states:

“A vulnerability notification … shall provide general information about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken.”

Therefore, when a manufacturer becomes aware of an actively exploited vulnerability, time is critical. Lucent Sky AVM helps teams quickly understand the root cause through detailed analysis of the software's source code, binary files, and third-party components. This insight lets developers pinpoint the exact location where the vulnerability originates.

Beyond identifying the vulnerability, Lucent Sky AVM offers automated remediation tailored to the application's context, greatly reducing the time and effort needed to implement a fix that corrects or mitigates the flaw. When a manufacturer learns that its product has an exploited vulnerability, Lucent Sky AVM helps it quickly characterize the vulnerability and prepare a security update that remedies it, both of which the CRA's reporting obligations require the manufacturer to describe.

Monitoring and updating vulnerable third-party components

Under the EU CRA, manufacturers must also report vulnerabilities in third-party components integrated into their products, unless those vulnerabilities cannot be exploited in the product’s context. Lucent Sky AVM addresses this challenge through comprehensive dependency analysis, identifying and continuously monitoring known vulnerabilities in third-party components.

One of the biggest challenges for developers is determining whether a vulnerable component is actually exploitable in their product. Lucent Sky AVM's binary analysis traces whether the application invokes the vulnerable portions of a component, so teams can make an informed decision about the next step rather than treating every flagged dependency as an emergency. Combined with real-time intelligence that identifies secure, compatible updates for vulnerable third-party components, Lucent Sky AVM lets manufacturers maintain compliance and reduce risk without disrupting development.

Preventing vulnerabilities from getting “actively exploited”

Disclosing an actively exploited vulnerability is responsible and required under the CRA, but it can also harm a manufacturer's reputation. The most effective way to avoid such disclosures is to identify and remediate vulnerabilities before they are discovered or exploited by others.

Lucent Sky AVM combines static analysis with automated remediation, enabling continuous detection and fixing of security flaws during development. By addressing issues such as injection flaws, cross-site scripting, and insecure configurations early in the lifecycle, it reduces the likelihood that those vulnerabilities reach production and become exploitable. It can be used at any stage of the SDLC to provide accurate analysis and automatic remediation that helps developers deliver secure software efficiently.

Act now – only nine months until the reporting obligations apply

Compliance with the EU Cyber Resilience Act is not optional for manufacturers who want to market their products with digital elements in the European Union. Starting September 11, 2026, exactly nine months from now, organizations must be ready to meet the reporting obligations for actively exploited vulnerabilities and severe incidents. Failure to comply can mean penalties and loss of access to the EU market.

Lucent Sky offers a comprehensive solution to help organizations efficiently meet the cybersecurity requirements of CRA and accelerate their software security process. Schedule a call to learn how Lucent Sky AVM can help your organization get ready for CRA’s reporting obligations.