cd /news/ai-policy/the-eu-cyber-resilience-act-has-an-e… · home topics ai-policy article
[ARTICLE · art-64306] src=dev.to ↗ pub= topic=ai-policy verified=true sentiment=· neutral

The EU Cyber Resilience Act Has an EOL Problem — and the Deadline Isn't the One You Think

The EU Cyber Resilience Act's vulnerability reporting obligations begin September 11, 2026, not the widely cited December 2027 deadline. End-of-life components in shipped products create compliance gaps, as manufacturers cannot provide security updates for unsupported dependencies. The project endoflife.ai provides tools to track lifecycle dates and risk-rank remediation priorities.

read3 min views1 publishedJul 18, 2026

Originally published at endoflife.ai.

Most conversations about the EU Cyber Resilience Act (Regulation (EU) 2024/2847) anchor on one date: the main obligations apply from December 11, 2027. That date is real — and comfortably far away, which is exactly the problem.

Buried inside the CRA is a much nearer deadline: the vulnerability and incident reporting obligations begin September 11, 2026. That's weeks away, not next year's problem. And the debt those obligations expose is one most teams have never inventoried: every end-of-life component sitting inside a product they ship.

The CRA applies to "products with digital elements" placed on the EU market — software and connected products, regardless of where the manufacturer is based. Under the regulation as adopted, manufacturers must:

Here's the collision: you cannot provide security updates for a product whose components no longer receive security updates. An EOL library inside a shipped product is a support-period promise you cannot keep. Before the CRA, that was tech debt. Under the CRA, it's a compliance gap with a fine attached.

(Not legal advice — obligations vary by product category; verify against the regulation text and current guidance.)

These aren't hypotheticals — they're the most common findings in real dependency scans, with dates verified against vendor lifecycle data:

Component EOL date Status today
Debian 10 base images Sep 10, 2022 ~4 years unpatched
AngularJS (any version) Dec 31, 2021 ~4.5 years unpatched
OpenSSL 3.0 Sep 7, 2026
dies 4 days before the CRA reporting deadline
.NET 8 Nov 10, 2026 dies during the CRA's first reporting quarter

That OpenSSL line is worth a second look: the TLS library embedded in half the world's software loses upstream support four days before the CRA's reporting obligations begin.

The real danger isn't the deadline — it's the arithmetic in front of it. Component inventory takes months. Remediation takes quarters. Migrating off every EOL dependency competes directly with your product roadmap. A team that starts discovery in 2027 has already missed the runway; the reporting obligations will be a year old before their inventory is done.

Four working parts, all automatable:

curl https://api.endoflife.ai/v1/status/dotnet/8

Lifecycle dates tracked against a live source, not a spreadsheet — vendors move dates; a January export is a liability by June. endoflife.ai/eol-watch tracks what's coming, and every product page publishes an .ics calendar feed.

Risk-ranked remediation — an inventory with two hundred findings needs an ordering. Risk scores rank components by recency, exposure, and exploitation signals, so the migration queue starts with the components most likely to produce exactly the incidents the CRA makes reportable.

A plan for components you can't migrate in time — commercial extended-support vendors keep security patches flowing for EOL components, which maps directly onto the "updates during the support period" obligation. It's a bridge, not a destination — but for a 2026 deadline, bridges matter.

The CRA converts lifecycle hygiene from an engineering virtue into a market-access requirement for the EU. The teams treating it as a 2027 problem are the ones who will discover, in 2027, that it was a 2026 problem.

Full breakdown with verified dates: endoflife.ai/article-eu-cra-eol-compliance

── more in #ai-policy 4 stories · sorted by recency
── more on @eu cyber resilience act 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/the-eu-cyber-resilie…] indexed:0 read:3min 2026-07-18 ·