WondTech faithful, pay attention: the real deadline for the EU Cyber Resilience Act (CRA) is much closer than you might think! Yes, the main obligations of the Act apply from December 11, 2027, and that sounds comfortably far away. But in reality, there's a much nearer deadline buried inside the CRA that will catch many off guard: the vulnerability and incident reporting obligations begin on September 11, 2026. Yep, that's not next year's problem; that's just weeks away. This regulation applies to 'products with digital elements' placed on the EU market, whether they're software or connected products, regardless of where the manufacturer is based. So, what exactly do these new rules demand from manufacturers? They must know their components, requiring SBOM-style documentation. They also need to handle vulnerabilities and provide security updates throughout a declared support period for their products. Crucially, they must report actively exploited vulnerabilities and severe incidents, and this starts from September 11, 2026. If companies fail to comply, they could face penalties up to the higher of €15 million or 2.5% of their global annual turnover for the most serious infringements. Here's the real collision point: you simply cannot provide security updates for a product whose components no longer receive security updates. Think of an end-of-life (EOL) software library sitting inside a product you ship. That's a support-period promise you cannot keep. Before the CRA, this was considered tech debt or a challenge. But under the CRA, it transforms into a glaring compliance gap with a significant fine attached. These aren't distant hypotheticals; they are common findings in real dependency scans today. For example, Debian 10 base images reached EOL on September 10, 2022, meaning they've been unpatched for about 4 years. AngularJS (any version) hit EOL on December 31, 2021, making it about 4.5 years unpatched. OpenSSL 3.0 will reach EOL on September 7, 2026 — just four days before the CRA's reporting deadline! Even .NET 8 will reach EOL on November 10, 2026, right in the middle of the CRA's first reporting quarter for vulnerabilities. If you're a company shipping software or connected products into the EU, it's time to start inventorying your components and addressing any EOL components now. Don't wait for 2027; the real call to action is much, much closer.