The CRA enters into force on 11 December 2024; from 11 December 2027, all new products must comply with CRA requirements, including risk assessment, vulnerability remediation, and regular security updates; vulnerability and incident reporting is mandatory from 11 September 2026.