Most organisations’ vulnerability management processes are not built for the CRA’s mandatory 24‑hour reporting of actively exploited vulnerabilities, let alone the required 72‑hour follow‑up submissions. This session highlights the gaps that will matter most when these obligations take effect—from real‑time detection and exploitation confirmation to dependency visibility, evidence capture, and integration across AppSec, SecOps, and product teams. Using practical examples, we explore where current processes fail and what must be modernised: automation, intelligence feeds, cross‑team workflows, and documentation readiness. Attendees will leave with concrete steps to rebuild their AppSec operations for speed, accuracy, and CRA compliance before regulatory pressure makes the choice for them.