The Single Reporting Platform (SRP) provided for in the Cyber Resilience Act (CRA) shall become the technical tool for reporting actively exploited vulnerabilities and incidents impacting products with digital elements operating in the EU Digital Single Market.
The SRP will be used by CSIRTs and manufacturers for mandatory reporting and could be used by any natural/legal persons for voluntary reporting.
The CRA requires manufacturers of products with digital elements to report actively exploited vulnerabilities and severe incidents having an impact on the security of the product from 11 September 2026 onwards, using the Single Reporting Platform. Throughout 2025 and 2026, ENISA is undertaking a number of necessary steps to support the successful implementation of the platform.
The CRA brings transparency to the vulnerability disclosure processes and strengthens how EU CSIRTs can mitigate risks stemming from vulnerabilities.
Further information: Regulation - 2024/2847 - EN - EUR-Lex
Frequently Asked Questions
This is a collection of frequently asked questions on the Cyber Resilience Act Single Reporting Platform (CRA SRP). This document is intended for publication on the ENISA website and to be updated during the implementation of the CRA SRP.
Please see also the information about CRA reporting at https://digital-strategy.ec.europa.eu/en/policies/cra-reporting, in particular the FAQ file there: https://ec.europa.eu/newsroom/dae/redirection/document/122331
- What is the Cyber Resilience Act’s Single Reporting Platform (CRA SRP)?
The CRA SRP is an electronic system designed to simplify the reporting obligations for manufacturers under the Cyber Resilience Act. It allows manufacturers to report actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements only once, rather than having to notify multiple national authorities individually.
- Who is responsible for establishing and managing the platform?
ENISA is tasked with establishing, managing, and maintaining the day-to-day operations of the CRA SRP. ENISA must also ensure the platform's security and implement appropriate technical and organisational measures to protect the information submitted.
- When will the Single Reporting Platform be operational?
The platform is scheduled to be operational by 11 September 2026. This coincides with the date when the mandatory reporting obligations for manufacturers officially enter into application (Article 14 of the Cyber Resilience Act). A testing period is expected to take place before this date.
- What must be reported via the platform?
Manufacturers must use the platform to notify two specific types of events:
- Actively Exploited Vulnerabilities: Vulnerabilities in products with digital elements that are known to be currently exploited by a malicious actor.
- Severe Incidents: Incidents that have a severe impact on the security of the product with digital elements (e.g., compromising availability, authenticity, integrity, or confidentiality); the criteria for severity are defined in Article 14(5).
- What else can be reported in the platform?
The platform will also offer functionality to allow voluntary reporting. Any natural or legal person may notify on a voluntary basis:
- Vulnerabilities contained in a product with digital elements;
- Cyber threats that could affect the risk profile of a product with digital elements;
- Incidents having an impact on the security of a product;
- Near misses that could have resulted in an incident.
- What are the deadlines for reporting?
Manufacturers must adhere to a multi-stage reporting timeline via the platform:
- Early Warning: Without undue delay and in any case within 24 hours of becoming aware of the vulnerability or incident.
- Vulnerability/Incident Notification: Without undue delay and in any case within 72 hours of becoming aware, providing general information and an initial assessment.
- Final Report:
  - For vulnerabilities: No later than 14 days after a corrective measure (e.g., patch) is available.
  - For severe incidents: Within 1 month after the initial notification.
- How does the Single Reporting Platform operate?
Manufacturers submit notifications electronically through the platform, which automatically routes them to the designated CSIRT coordinator (based on the manufacturer's main establishment) and ENISA simultaneously. The CSIRT then disseminates the information without delay to other relevant CSIRTs in Member States where the product is available, and to market surveillance authorities as needed. For sensitive reports, dissemination may be delayed on security grounds, with ENISA informed and able to recommend broader sharing if risks are systemic. The platform incorporates security measures to protect confidentiality.
- How do I know which CSIRT is my designated CSIRT?
Your designated CSIRT is determined by your location of establishment:
- If you are established in the EU: Your designated CSIRT is the national CSIRT designated as the coordinator in the Member State where you have your main establishment (please see CRA Article 14(7) for more details).
- If you are NOT established in the EU: Your designated CSIRT is the one designated as coordinator in the Member State where your authorised representative is established (please see CRA Article 14(7) for more details).
- What are the responsibilities of key entities involved with the CRA SRP?
- Manufacturers: Submit timely notifications and comply with the other obligations established by the CRA.
- ENISA: Manages the platform, processes reports, prepares biennial trend reports (first due within 24 months of the reporting obligations starting), operates a helpdesk (especially for SMEs), and discloses fixed vulnerabilities to the European Vulnerability Database.
- CSIRTs Designated as Coordinators: Receive and assess reports, decide on dissemination delays, inform market surveillance authorities and the public if necessary, and provide helpdesk support alongside ENISA.
- European Commission: Adopts delegated and implementing acts (e.g., for delay criteria and report formats), evaluates the platform's effectiveness, and supports coordination of enforcement activities.
- Market Surveillance Authorities: Receive disseminated information and enforce compliance, such as through investigations or corrective actions.
- Who receives the reports submitted to the platform?
As a general rule, when a manufacturer submits a report to the CRA SRP, it is simultaneously notified to:
- The CSIRT (Computer Security Incident Response Team) designated as the coordinator in the Member State where the manufacturer is established.
- ENISA (unless particularly exceptional circumstances apply).
The CSIRT designated as coordinator that initially receives the notification is then responsible for disseminating it without delay to other relevant CSIRTs across the EU via the platform.
- Can the dissemination of a report be delayed or withheld?
Yes. In exceptional circumstances, the receiving CSIRT may decide to delay or withhold the dissemination of a notification to other Member States. This is strictly limited to cases where delaying or withholding dissemination is justified on security-related grounds (e.g., if spreading the information would pose an even greater security risk).
The European Commission adopted a delegated act on 11 December 2025 to further specify the terms and conditions for applying these grounds. [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=PI_COM:C(2025)8407]
In particularly exceptional circumstances, ENISA will not receive the full content of the 72-hour notification. This is only the case where, in the 72-hour notification, the manufacturer actively marks that at least one of the conditions listed in points (a) to (c) of Article 16(2) applies. In such a case, ENISA receives only partial information until the receiving CSIRT discloses the full notification.
- How does the platform ensure security?
ENISA is legally required to take appropriate measures to manage risks to the platform's security and must notify the CSIRTs Network and the Commission of any security incidents affecting the platform itself.
- How is the CSIRTs network involved?
As provided in CRA Article 16, ENISA is engaging the CSIRTs Network in the development and future testing of the CRA SRP.