Shaping Europe’s digital future

Cyber Resilience Act - Reporting obligations

As of 11 September 2026, manufacturers are required to report actively exploited vulnerabilities and severe incidents impacting the security of products with digital elements.

What are the main rules?

The CRA requires manufacturers to notify actively exploited vulnerabilities and severe incidents having an impact on the security of their product with digital elements. They need to submit an early warning within 24 hours of becoming aware, and a full notification within 72 hours. A final report needs to be submitted no later than 14 days after a corrective measure is available for actively exploited vulnerabilities and within a month for severe incidents.

Manufacturers report only once through the CRA Single Reporting Platform (SRP). The notification is addressed to the Computer Security Incident Response Team (CSIRT) where they have their main establishment and, unless particularly exceptional circumstances apply, the information is made available simultaneously to ENISA. The CSIRT initially receiving the notification will share it without delay with all the other CSIRTs on whose territory the product with digital elements has been made available.

In exceptional circumstances and based on justified cybersecurity-related grounds, the CSIRT may decide to delay dissemination to other CSIRTs: on 11 December 2025, the Commission adopted a delegated act further specifying the terms and conditions for applying such cybersecurity-related grounds.

When will the CRA Single Reporting Platform be finalised?

Pursuant to Article 16 of the CRA, ENISA is tasked with the establishment of the CRA Single Reporting Platform (SRP).

ENISA launched a public tender and has procured services from a contractor to assist with the development of the SRP.

The Single Reporting Platform will be operational by 11 September 2026 (date of entry into application of the CRA reporting requirements), with a testing period before then.

ENISA has published and maintains an FAQ on the CRA SRP, available at this link.

Relevant cooperation bodies

Reference documents and links

Frequently Asked Questions on the CRA implementation

Frequently Asked Questions on the CRA SRP

Delegated act on CSIRTs withholding notifications to be disseminated through the Single Reporting Platform (adopted, publication pending objection period)
