{"slug": "the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one", "title": "The EU Cyber Resilience Act Has an EOL Problem — and the Deadline Isn't the One You Think", "summary": "The EU Cyber Resilience Act's vulnerability reporting obligations begin September 11, 2026, not the widely cited December 2027 deadline. End-of-life components in shipped products create compliance gaps, as manufacturers cannot provide security updates for unsupported dependencies. The project endoflife.ai provides tools to track lifecycle dates and risk-rank remediation priorities.", "body_md": "*Originally published at endoflife.ai.*\n\nMost conversations about the EU Cyber Resilience Act (Regulation (EU) 2024/2847) anchor on one date: the main obligations apply from **December 11, 2027**. That date is real — and comfortably far away, which is exactly the problem.\n\nBuried inside the CRA is a much nearer deadline: **the vulnerability and incident reporting obligations begin September 11, 2026.** That's weeks away, not next year's problem. And the debt those obligations expose is one most teams have never inventoried: every end-of-life component sitting inside a product they ship.\n\nThe CRA applies to \"products with digital elements\" placed on the EU market — software and connected products, regardless of where the manufacturer is based. Under the regulation as adopted, manufacturers must:\n\nHere's the collision: **you cannot provide security updates for a product whose components no longer receive security updates.** An EOL library inside a shipped product is a support-period promise you cannot keep. Before the CRA, that was tech debt. Under the CRA, it's a compliance gap with a fine attached.\n\n(Not legal advice — obligations vary by product category; verify against the regulation text and current guidance.)\n\nThese aren't hypotheticals — they're the most common findings in real dependency scans, with dates verified against vendor lifecycle data:\n\n| Component | EOL date | Status today |\n|---|---|---|\n| Debian 10 base images | Sep 10, 2022 | ~4 years unpatched |\n| AngularJS (any version) | Dec 31, 2021 | ~4.5 years unpatched |\n| OpenSSL 3.0 | Sep 7, 2026 |\ndies 4 days before the CRA reporting deadline |\n| .NET 8 | Nov 10, 2026 | dies during the CRA's first reporting quarter |\n\nThat OpenSSL line is worth a second look: the TLS library embedded in half the world's software loses upstream support **four days before** the CRA's reporting obligations begin.\n\nThe real danger isn't the deadline — it's the arithmetic in front of it. Component inventory takes months. Remediation takes quarters. Migrating off every EOL dependency competes directly with your product roadmap. A team that starts discovery in 2027 has already missed the runway; the reporting obligations will be a year old before their inventory is done.\n\nFour working parts, all automatable:\n\n```\ncurl https://api.endoflife.ai/v1/status/dotnet/8\n# \"is_eol\": false — until November 10, 2026.\n```\n\n**Lifecycle dates tracked against a live source, not a spreadsheet** — vendors move dates; a January export is a liability by June. [endoflife.ai/eol-watch](https://endoflife.ai/eol-watch) tracks what's coming, and every product page publishes an .ics calendar feed.\n\n**Risk-ranked remediation** — an inventory with two hundred findings needs an ordering. [Risk scores](https://endoflife.ai/risk-score) rank components by recency, exposure, and exploitation signals, so the migration queue starts with the components most likely to produce exactly the incidents the CRA makes reportable.\n\n**A plan for components you can't migrate in time** — commercial extended-support vendors keep security patches flowing for EOL components, which maps directly onto the \"updates during the support period\" obligation. It's a bridge, not a destination — but for a 2026 deadline, bridges matter.\n\nThe CRA converts lifecycle hygiene from an engineering virtue into a **market-access requirement** for the EU. The teams treating it as a 2027 problem are the ones who will discover, in 2027, that it was a 2026 problem.\n\nFull breakdown with verified dates: [endoflife.ai/article-eu-cra-eol-compliance](https://endoflife.ai/article-eu-cra-eol-compliance)", "url": "https://wpnews.pro/news/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one", "canonical_source": "https://dev.to/endoflifeai/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isnt-the-one-you-think-294b", "published_at": "2026-07-18 02:15:28+00:00", "updated_at": "2026-07-18 02:57:27.518444+00:00", "lang": "en", "topics": ["ai-policy", "developer-tools"], "entities": ["EU Cyber Resilience Act", "endoflife.ai", "OpenSSL", "Debian", "AngularJS", ".NET"], "alternates": {"html": "https://wpnews.pro/news/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one", "markdown": "https://wpnews.pro/news/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one.md", "text": "https://wpnews.pro/news/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one.txt", "jsonld": "https://wpnews.pro/news/the-eu-cyber-resilience-act-has-an-eol-problem-and-the-deadline-isn-t-the-one.jsonld"}}