The EU's Cyber Resilience Act was built on a reasonable premise: connected devices — routers, smart locks, industrial sensors, baby monitors — ship with insecure defaults and unpatched firmware because there was never a legal cost to shipping them that way. Regulation (EU) 2024/2847 tries to attach that cost. On September 11, 2026, one of its sharpest teeth activates: manufacturers who become aware that a vulnerability in their product is being actively exploited, or that a severe security incident has hit it, must notify ENISA and their national CSIRT within 24 hours, file a full report within 72 hours, and close it out within 14 days, under Article 14.
A survey ENISA published on June 24, 2026 suggests a large share of the companies this obligation targets are not close to able to comply. The SME CRA Survey Report polled 194 organizations across 31 countries — small hardware and software makers, disproportionately the kind of company that builds the IoT devices the CRA was written for — and found that while 66% had heard of the Act before being asked, practical readiness lagged far behind awareness. Just 35% of respondents (67 of 194) maintain a software bill of materials, the component-level inventory that lets a manufacturer even know whether a newly disclosed library vulnerability affects its product. Without one, the 24-hour clock starts from a position of not knowing what's inside the box.
Incident response is the weakest link, by ENISA's own scoring
ENISA scored respondents across five domains — governance and documentation, risk management and security-by-design, vulnerability and patch management, incident response and product life-cycle management, and staff competence — and found "incident response and product life cycle management is the weakest area overall, particularly for microcompanies." Medium-sized firms scored roughly a point higher than microcompanies across every domain, and awareness itself tracked size closely: 94% among medium companies, 74% among small ones, just 62% among microenterprises — which made up 27% of respondents.
That gradient matters because the CRA's reporting duty does not scale down for small manufacturers the way the underlying maturity gap does. The obligation to notify within 24 hours applies to a two-person embedded-systems shop the same way it applies to a division of Bosch. The regulation does carve out one piece of proportionality: micro and small enterprises cannot be fined specifically for missing the 24-hour early-warning window, though they still owe the 72-hour and 14-day filings. Everyone else faces fines up to €15 million or 2.5% of global turnover for reporting failures, per the Crowell & Moring analysis of the deadline.
Steelmanning the deadline
The case for holding the line on September 11 is not frivolous. IoT botnets built from unpatched routers and cameras have caused real damage — Mirai-class attacks are a decade-old warning, not a hypothetical — and a voluntary disclosure norm has manifestly failed to fix that. A hard, harmonized reporting clock forces manufacturers to build the muscle they'd otherwise keep deferring, and a single EU-wide platform beats today's patchwork of 27 different national CSIRT reporting formats. Delay has a cost too: every month the deadline slips is a month more unpatched, undisclosed IoT vulnerabilities sit in the field unreported to anyone who could coordinate a fix.
But the regulator isn't ready either
What undercuts the case for enforcing September 11 exactly as scheduled is that ENISA's own infrastructure for receiving these reports is behind. The Single Reporting Platform — the centralized tool meant to let manufacturers notify ENISA and the relevant national CSIRT simultaneously — was still not operational as of late June 2026, with ENISA committing only to have it live by the deadline itself. A regulation that expects a two-person microenterprise to have detection-triage-escalation processes in place by a fixed date, while the regulator's own submission channel is still being built in the final quarter before that date, is not a model of proportionate rollout. It is a schedule set by legislative text rather than operational readiness on either side.
What proportionate enforcement looks like from here
The fix is not to weaken the reporting duty — early warning of actively exploited vulnerabilities is exactly the kind of externality regulation should correct, and the CRA's core logic holds. The fix is enforcement discipline: national CSIRTs and ENISA should treat the first two quarters after September 11 as a supervised bring-up period for genuine SMEs, prioritizing technical assistance and the documentation templates 70%+ of survey respondents asked for over fines, reserving penalties for manufacturers who ignore the duty entirely rather than those who file late or imperfectly while building capability. The Commission's parallel Digital Omnibus push to cut SME administrative burden by 35% by 2029 is the right instinct; it should extend explicitly to CRA reporting mechanics, not just paperwork elsewhere in the rulebook. A regulation is only as credible as the readiness of the system enforcing it, and right now, by ENISA's own measurement, neither side of that system is where September 11 assumes it will be.