The Deadline That Does Not Care Where You Are Incorporated
On September 11, 2026, a new compliance obligation takes effect across the European Union that extends, without qualification, to every manufacturer of connected products sold in the EU market — regardless of whether their factory floor is in Frankfurt, Shenzhen, or Bengaluru. Article 14 of the EU Cyber Resilience Act (CRA) requires manufacturers to report actively exploited vulnerabilities in their connected products to the European Union Agency for Cybersecurity (ENISA) through a newly established Single Reporting Platform (SRP) within 24 hours of becoming aware of them. A 72-hour full notification follows, and a final report must be submitted within 14 days of issuing a corrective measure. For severe security incidents, the final report deadline extends to one month.
A June 2026 client alert from law firm Crowell confirmed what the CRA's text already makes plain: non-EU manufacturers — including India-based IoT producers selling into the EU — are equally and fully subject to these obligations under Article 14. The regulation does not recognize corporate nationality. It recognizes where the product is placed on the market. Penalties for non-compliance with reporting obligations run to €15 million or 2.5% of global annual turnover, whichever is higher.
Why the Reporting Requirement Is Defensible
Before weighing the compliance burden this places on Indian manufacturers, the strongest case for the regulation deserves honest acknowledgment. Actively exploited vulnerabilities in connected consumer products — routers, cameras, smart meters, industrial sensors — have historically spread at speed once discovered, often cascading across networks before manufacturers acknowledge a flaw exists. Requiring manufacturers to notify ENISA within 24 hours of confirmed active exploitation — rather than waiting until a patch is ready — gives national Computer Security Incident Response Teams (CSIRTs) the visibility to coordinate mitigation and warn downstream users before the window of harm widens. On those grounds, mandatory early notification is a proportionate response to a documented systemic risk in IoT ecosystems.
The legitimate policy question is not whether the reporting obligation is justified, but whether the compliance architecture is calibrated fairly for manufacturers at different scales and geographies.
The Scale of India's Exposure
India's electronics exports to the European Union currently stand at approximately $12 billion annually, according to figures cited by the India Cellular and Electronics Association (ICEA) chairman Pankaj Mohindroo — with projections reaching $50 billion by 2031 as the India-EU free trade agreement removes tariffs on most categories. Connected devices form a growing share of this export basket: IP cameras, routers, wearables, industrial IoT components, and smart meters are increasingly manufactured in India under the government's Production Linked Incentive scheme.
These are not hypothetical exposures. An Indian manufacturer of home routers or surveillance cameras that sells any volume into the EU is now subject to a hard legal obligation commencing in weeks. If a firmware vulnerability in that product is being actively exploited in the wild anywhere in the EU, the manufacturer must file an early warning with ENISA within 24 hours of learning of it, regardless of the manufacturer's location or the sophistication of its legal team.
The Compliance Infrastructure Gap
India does have a domestic cyber incident reporting framework. CERT-In's April 2022 Directions under Section 70B of the IT Act, 2000, require covered entities to report specified cyber incidents — including attacks on IoT devices and associated systems — within six hours of detection. That window is considerably shorter than the EU's 24 hours. And TEC 31318:2021, the Telecommunication Engineering Centre's Code of Practice for Securing Consumer IoT, establishes baseline security requirements including no default passwords, secure update mechanisms, and mandatory vulnerability disclosure policies.
But neither instrument creates an ENISA-equivalent reporting obligation for Indian manufacturers with EU market access. CERT-In's six-hour rule is a domestic incident reporting obligation, not a product-level vulnerability disclosure framework tied to EU market access. TEC 31318 establishes design requirements, not a reporting channel to a foreign regulator. The gap between what India's regulatory architecture currently demands and what the EU CRA now requires is structural, not cosmetic.
An Indian manufacturer receiving intelligence that its router firmware is being actively exploited in Germany must, within 24 hours, transmit an early warning through ENISA's SRP — a platform designed primarily around EU-established entities that designate their national CSIRT coordinator for routing purposes. For a mid-sized exporter based in Pune or Chennai with no EU subsidiary and no dedicated compliance team, the mechanics of filing through the SRP and escalating to ENISA within a single business day are genuinely non-trivial. Larger players with European sales offices will absorb this more readily; mid-market exporters scaling up under PLI will not.
The Brussels Effect and What India Should Do
The broader pattern here is the classic Brussels Effect in action. Indian IoT manufacturers who want EU market access will build CRA-compliant vulnerability disclosure processes into their product pipelines. Over time, 24-hour internal escalation workflows, formal security contact points, and dedicated vulnerability tracking systems will become their global defaults — not just EU-bound requirements. That outcome is genuinely good for product security at scale, and it aligns with India's own stated aspirations in TEC 31318.
But it imposes structuring costs that fall disproportionately on smaller exporters without existing compliance infrastructure — precisely the category that PLI has been most successful at expanding. The most proportionate near-term response would be for MeitY or CERT-In to issue guidance specifically for Indian manufacturers with EU market access, clarifying how domestic CERT-In incident reports intersect with EU CRA Article 14 obligations, and exploring whether a coordinated notification mechanism can reduce duplicative reporting burdens. The EU-India Trade and Technology Council, which has cybersecurity explicitly on its agenda, is the natural venue to pursue a bilateral coordination framework — one under which Indian manufacturers can route notifications through CERT-In, which then forwards them to ENISA with timestamps preserved.
September 11, 2026 is not a soft deadline. Indian IoT exporters have 74 days. The compliance clock does not wait for bilateral agreements to catch up.