ENISA Single Reporting Platform (SRP), explained

How the ENISA SRP works, who registers, what gets reported, and how the 24h / 72h / 14-day timeline plays out in practice.

From 11 September 2026, the EU CRA’s reporting obligations kick in. Manufacturers placing products with digital elements on the EU market must report actively exploited vulnerabilities and severe incidents to the relevant national CSIRT and to ENISA. The reporting infrastructure is the Single Reporting Platform (SRP).

What the SRP actually is

The SRP is a central EU intake system operated by ENISA. Manufacturers submit a notification once; the platform routes it to the appropriate national CSIRT based on where the manufacturer (or its EU authorised representative) is established.

Goals:

  • One platform instead of 27 national portals
  • Common schema for vulnerability and incident reports
  • Automated cross-border information sharing where appropriate

Who registers

Every manufacturer of in-scope products. Importers and distributors do not need their own registration if the original manufacturer is registered. Non-EU manufacturers register through their authorised representative.

Registration is free. You provide:

  • Company / authorised representative legal entity
  • Manufacturer contact and security contact
  • Product portfolio summary (categories, not full SBOM)
  • Member State of establishment (drives CSIRT routing)

What triggers a report

Two events:

  1. An actively exploited vulnerability in a product with digital elements you placed on the EU market
  2. A severe incident that has an impact on the security of one of your products

“Actively exploited” is the key phrase: it means there is reasonable evidence that a malicious actor has used the vulnerability. A theoretical CVE is not an actively exploited vulnerability. A CVE that the same researcher who found it has also demonstrated being exploited in the wild generally is.

The 24h / 72h / 14d timeline

The clock starts when a sufficiently informed person inside the company becomes aware.

  • Within 24 hours: Submit an early warning. Short notification: “we are aware, this product is affected, this is the suspected nature”.
  • Within 72 hours: Submit a vulnerability notification. More detail: nature, impact, mitigations applied or recommended.
  • Within 14 days: Submit a final report. Root-cause analysis, full corrective measures, lessons learned.

Microenterprises and SMEs benefit from extended early-warning timelines where reasonable. The 72-hour and 14-day deadlines are not similarly extended.

How to prepare

Three steps in order of priority:

  1. Register the manufacturer profile in advance. Do not wait for an incident. The SRP will publish onboarding material in 2026. Get your profile set up before September.
  2. Decide who has authority to file. The 24-hour clock is too tight for ambiguous escalation paths. Pick named people, write the runbook, publish it internally.
  3. Run a tabletop exercise. The first time you submit through the SRP UI should not be in production. Walk through a hypothetical vulnerability end-to-end.

What if you under-report?

Failure to report is a manufacturer-obligation breach. The cap is €10 million or 2% of global annual turnover, whichever is higher. Honest interpretation gets considered — wilful concealment does not.

What about over-reporting?

The CRA does not penalise reasonable over-reporting. If you genuinely don’t know whether a vulnerability is being actively exploited, it’s safer to file the early warning. The SRP can downgrade or close a notification later.

Tooling

The platform itself is provided by ENISA. We build the CRA Incident Reporter on top — pre-formatted templates, internal approval workflows, and clocks tied to the moment you flag awareness. Optional, but it’s the difference between a calm Tuesday filing and a panicked Saturday filing.
