← Back to CRA Insights
Vulnerability handling

Inside the ENISA Single Reporting Platform: How CRA Vulnerability Reports Actually Flow

Generated image

The ENISA Single Reporting Platform (SRP) is the one system through which every CRA vulnerability report must flow from 11 September 2026. One submission. One platform. Routed automatically to the right authorities.

The catch: as of late June 2026, the platform is not yet live. ENISA has committed to having it operational by the reporting start date, but the registration instructions, access mechanics, and onboarding materials are still being published. That leaves manufacturers with a narrow window - and a clear imperative to build their internal process now, before the tool arrives.

This article is general guidance, not legal advice. For binding interpretations, consult the official regulation text or qualified legal counsel.


What the SRP actually is - and what it isn't

The SRP is established under Article 16 of Regulation (EU) 2024/2847 (the Cyber Resilience Act). Its purpose is consolidation. Before it existed, a manufacturer selling into multiple EU Member States would theoretically need to notify each national CSIRT separately. The SRP eliminates that.

Manufacturers submit notifications electronically through the platform, which automatically routes them to the designated CSIRT coordinator (based on the manufacturer's main establishment) and ENISA simultaneously. The coordinator CSIRT then disseminates the notification to CSIRTs in other Member States where the product is available - that secondary routing is the CSIRT's job, not yours.

A few things the SRP is not:

  • Not an API (yet). ENISA has confirmed no SRP API will be provided at this stage. Submissions are manual, through an online form. That means a qualified person must be ready to log in and populate fields under time pressure.
  • Not a substitute for internal triage. The platform receives your report; it does not help you decide whether a signal qualifies as active exploitation. That judgment happens before you open a browser.
  • Not optional. Emailing your national CSIRT directly is not a valid substitute. The SRP is the only mandatory channel.

Open-source software stewards also report through the SRP, to the extent they are involved with products with digital elements under Article 24(3).


How a report flows through the platform

Understanding the flow helps you design the internal process that feeds it. There are three submission stages, all through the same platform endpoint.

1
24-hour early warning

Filed within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident. At this stage you do not need a root cause analysis or a patch. You confirm awareness, flag whether malicious or unlawful acts are suspected, and provide an initial severity assessment. The clock starts at awareness, not forensic confirmation — if you have reasonable belief of active exploitation, report.

2
72-hour notification

A fuller account submitted within 72 hours. This should include an initial assessment of severity and impact, affected product versions, and any corrective or mitigating measures already taken. The platform routes this to the same coordinator CSIRT and ENISA simultaneously.

3
Final report

Due within 14 days of a corrective or mitigating measure being available for actively exploited vulnerabilities, or within one month of the 72-hour notification for severe incidents. This is a description of the vulnerability or incident, its severity and impact, and the remediation applied. The final report is tied to a fix being available — you cannot file it on a fixed calendar date if the fix isn't ready.

Once submitted, the coordinator CSIRT disseminates the notification without delay to other relevant CSIRTs in Member States where the product is available, and to market surveillance authorities as needed. For sensitive reports, dissemination can be delayed - but that brake belongs to the authority, not to you. You cannot unilaterally hold back a report on sensitivity grounds.

Isometric diagram showing a manufacturer's laptop submitting a single report to a central EU platform hub, which then routes arrows simultaneously to a national CSIRT building and an ENISA building, with secondary arrows from the CSIRT fanning out to multiple Member State CSIRT icons across a simplified EU map

Platform status: what's confirmed, what's still pending

Here is an honest summary of where things stand as of late June 2026.

ENISA SRP: confirmed vs. pending
ItemStatusNotes
Go-live date✅ Confirmed11 September 2026, coinciding with mandatory reporting start
Testing period✅ ConfirmedA testing period is expected before go-live
Registration instructions & access manual⚠️ PendingENISA indicated these would be published during June 2026; verify on the ENISA SRP page
Reporting fields (data structure)✅ PublishedENISA published the required data fields in its updated FAQ (Q16)
API access❌ Not providedNo SRP API at this stage; submissions are manual
Voluntary reporting⚠️ Post-launchVoluntary reporting functionality enabled after 11 September 2026
Helpdesk (SME focus)✅ PlannedENISA will operate a helpdesk, with particular attention to SMEs

The European Commission's CRA reporting page confirms that ENISA launched a public tender and procured services from a contractor to assist with the development of the SRP, and that a testing period is expected before the go-live date. Watch both the Commission page and the ENISA SRP page for registration details as they are published.

star Important

The obligation is fixed; the tool is still arriving. The 24-hour, 72-hour, and 14-day deadlines apply in full from 11 September 2026 regardless of when ENISA publishes the final onboarding materials. Build your internal process now — do not wait for the platform to go live before starting.


Who must file - and who your coordinator CSIRT is

The reporting duty sits with the manufacturer of the product with digital elements placed on the EU market. If you are an importer or distributor, the obligation falls on the manufacturer - but you should know who that is and whether they have a process in place.

Your coordinator CSIRT is determined by where your organisation has its main establishment in the EU. If you are based outside the EU, it is determined by where your EU-authorised representative is established. Manufacturers select the coordinating CSIRT at the point of filing; that CSIRT then disseminates the notification to other Member States where the product is available.

One practical note: micro and small enterprises are exempt from fines specifically for missing the 24-hour early warning timing, but they are not exempt from reporting - and the 72-hour and final-report obligations carry no such relief for any company size.


What to build before the platform goes live

The work that matters most right now does not depend on the SRP being accessible. Here is what to put in place.

1. Designate who watches and who files

Identify the person responsible for monitoring exploitation signals - CVE feeds, threat intelligence, your coordinated vulnerability disclosure (CVD) inbox, and customer reports. Separately, identify who has authority to make the call that a signal qualifies as "actively exploited" and who submits the report. Name a backup for each role. Write it down.

2. Map your products to the filing entity

If you have multiple product lines or legal entities, establish which legal entity is the manufacturer for each product. The SRP registration will require your legal name, main establishment address, and the products you are registering. Resolve any ambiguity before a real incident forces the question.

3. Pre-draft your early-warning template

The 24-hour early warning does not require a root cause analysis. It requires: confirmation of awareness, whether malicious acts are suspected, and an initial severity assessment. Draft a template now. Get it approved. The 24-hour clock does not pause while you write from scratch.

4. Wire your CVD intake into this process

Your coordinated vulnerability disclosure process is the upstream feed for CRA reporting. A researcher report that confirms active exploitation in the wild starts the Article 14 clock. Make sure your CVD intake has a clear escalation path to the person who files SRP reports.

5. Know when the final report is due

The final report is not due on a fixed calendar date after the incident. It is due within 14 days of a corrective or mitigating measure being available for actively exploited vulnerabilities, and within one month of the 72-hour notification for severe incidents. That means your fix timeline directly affects your reporting timeline. Track both together.

6. Register and do a dry run as soon as the platform opens

When ENISA publishes the access manual and registration instructions, register immediately. Do not wait for a real incident to be your first attempt at navigating the platform. Run a tabletop exercise timed from signal to filed early warning.


A readiness check: where does your process stand?

Use this widget to assess the gaps in your current CRA reporting readiness before the SRP goes live.


Where to go next

lightbulb Tip

The SRP onboarding materials, registration instructions, and any implementing acts that affect report formats will land in the coming weeks. Subscribe to The CRA Brief at /subscribe to get a plain-English summary the moment anything changes — so you can register and run your dry run before 11 September arrives.