Euralarm calls for “stop-the-clock” mechanism on Cyber Resilience Act timeline

The paper highlights that while industry fully supports the objectives of Regulation (EU) 2024/2847, the current timeline presents serious structural challenges. In particular, incident and vulnerability reporting obligations are scheduled  to apply from September 2026, despite the absence of essential operational guidance and infrastructure.

Euralarm stresses that key elements required for compliance are not yet in place, including:

• Reporting platforms and interfaces
• Procedural guidance and templates
• Defined formats and coordination mechanisms
• Operational clarity from ENISA and national authorities

Without these, manufacturers and other economic operators face binding legal obligations without the practical tools to comply, creating legal uncertainty and risks of inconsistent implementation across Member States.

Euralarm also points to limited readiness among national Computer Security Incident Response Teams (CSIRTs), many of which are still adapting to requirements under NIS2, further complicating timely implementation. To address these implementation challenges, Euralarm proposes the following measures:

• Postponing reporting obligations until at least three months after the necessary systems and guidance are fully operational
• Delaying the application of essential cybersecurity requirements until at least one year after the horizontal harmonised standards become available
• Aligning timelines with broader EU initiatives, including simplification discussions under the Digital Omnibus package

In addition, Euralarm calls for adjustments to the Commission Delegated Regulation of 16 February 2026 to avoid regulatory gaps and ensure continuity between existing and future frameworks. The paper underscores that these proposals are  intended to support effective and enforceable  cybersecurity implementations   by ensuring  legal certainty, operational feasibility and coherent implementation across the EU.