CRA Vulnerability Reporting: ENISA SRP Onboarding (Art. 14)

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) routes every manufacturer's Article 14 reports through one channel: the ENISA Single Reporting Platform (SRP), established under Article 16. The platform is not yet live. ENISA is developing it under Article 16(5); it goes operational when Article 14 starts to apply on 11 September 2026 (Article 71(2)). This page covers what manufacturers should prepare now, the expected registration flow, and how to wire an internal escalation that fits the 24-hour clock. For cadences see vulnerability reporting.

Summary

  • The SRP is the only Article 14 channel. Article 14(1) and 14(3) require manufacturers to notify ENISA and the coordinator CSIRT "via the single reporting platform established pursuant to Article 16". National CSIRT email is not a substitute.
  • Register before the first reportable event. The 24h Article 14(1) clock does not pause for onboarding. A typical onboarding window of around a week assumes credentials, contacts and product portfolio data are already in order.
  • Manufacturers are the obligated parties. Importers and distributors do not file Article 14 reports; they inform the manufacturer (Article 19(5) second subparagraph; Article 20(4) second subparagraph). Authorised representatives can file on behalf of a non-EU manufacturer if the AR mandate covers it.
  • Two contacts, two channels. The Article 13(17) single point of contact is the user-facing channel. The SRP registration contact is the authority-facing channel. Both are required, and they should not be the same address.
  • CSIRT routing follows the main establishment. Article 14(7) sends notifications to the CSIRT designated as coordinator in the Member State of main establishment, with a fallback chain for non-EU manufacturers.
  • 11 Sep 2026: reporting starts (Article 71(2)).
  • 24h: SRP early warning (Article 14(1)).
  • 7 days: typical onboarding window; register before any reportable event.
  • €15M / 2.5%: top-tier fine (Article 64(2)).

Onboarding is a deadline, not an item on a backlog: registration must precede the first event that hits the 24h clock.

What the CRA says about the SRP

Article 16(1) is the constitutive provision:

For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) and in order to simplify the reporting obligations of manufacturers, a single reporting platform shall be established by ENISA. The day-to-day operations of that single reporting platform shall be managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points.

Three operational facts follow. First, ENISA operates the platform, but Member States plug in their own electronic notification end-points. Second, Article 14(7) says the notification "shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA": one submission, two recipients. Third, Article 16(2) gives the receiving CSIRT the duty to disseminate the notification to other CSIRTs whose territory the manufacturer has flagged as affected. Cross-border routing happens inside the platform.

The SRP also receives Article 15 voluntary reports and is the channel for the 72-hour notification and the final report under Article 14(2) and 14(4). Both streams share the same SRP and the same registration.

Who must register

Article 14 applies to manufacturers of products with digital elements. The reporting duties in Article 14(1) and 14(3) are addressed to the manufacturer and only to the manufacturer.

Importers and distributors have lighter duties. Under Article 19(5) second subparagraph, an importer who becomes aware of a vulnerability "shall inform the manufacturer without undue delay about that vulnerability"; distributors carry the equivalent duty under Article 20(4) second subparagraph. Neither registers on the SRP, neither files Article 14 reports, neither inherits the 24h clock. See importer and distributor.

A non-EU manufacturer can route Article 14 obligations through an authorised representative under Article 18, provided the mandate covers reporting. Article 18(2) excludes Article 13(1) to (11), Article 13(12) first subparagraph and Article 13(14) from the AR mandate, but does not exclude Article 14, so a written mandate that explicitly covers Article 14 reporting is enforceable. The AR holds SRP credentials and submits notifications on the manufacturer's behalf.

Pre-registration prerequisites

The organisation must have six inputs ready before registration; missing any one of them at registration time blocks onboarding.

  • Legal entity in the Member State of main establishment (Article 14(7)): an unambiguous legal-entity record that lets the SRP assign the coordinator CSIRT (the State "where the decisions related to the cybersecurity of its products with digital elements are predominantly taken").
  • Article 13(17) single point of contact (Article 13(17) third subparagraph): a user-facing channel that "shall not limit such means to automated tools". Auto-reply-only mailboxes do not qualify. Published in the Annex II information to users.
  • Separate authority-facing security contact (Article 14 + Article 16(5), expected): a second contact for ENISA and the coordinator CSIRT, distinct from the 13(17) user-facing channel. The same mailbox should not handle both.
  • Identity credentials (Article 16(5), specification pending): EU manufacturers should expect eIDAS-recognised electronic identification. Non-EU manufacturers verify identity through the AR chain. Exact technical credentials are part of the Article 16(5) specifications.
  • Product portfolio inventory (Article 14(2)(a)): a current list of products and the Member States where each has been made available. Without it, the early warning cannot indicate the affected territories correctly.
  • Documented internal escalation (Article 14(1)): a written procedure that gets the organisation from detection to SRP submission inside 24 hours, with out-of-hours coverage. "Without undue delay and in any event within 24 hours" leaves no room for ad hoc escalation.

Timeline: from today to first reportable event

[Figure: SRP timeline, ENISA build and manufacturer preparation either side of the 11 September 2026 cutover. A two-by-two diagram: rows split ENISA's responsibility from the manufacturer's; columns split the timeline at 11 September 2026. Pre-cutover, ENISA builds the platform under the Article 16(5) specifications and the Article 14(10) implementing acts, while the manufacturer prepares its legal entity, separate 13(17) and SRP contacts, product portfolio, 24h escalation SLA, and AR mandate where applicable. Post-cutover, the SRP receives every Article 14 notification with CSIRT routing under Articles 14(7) and 16(2), and the registered, 24h-ready manufacturer runs the Article 14(1) clock from awareness to early warning at the first event.]

11 September 2026 is fixed by Article 71(2). Pre-cutover is preparation; post-cutover is regulated reporting against a 24-hour clock. We will refresh this page once ENISA publishes the live registration flow.

The SRP is not yet operational

ENISA is building the platform under Article 16(5) in cooperation with the CSIRTs network. The exact registration screens, credential mechanism, and electronic notification end-points are subject to the Article 16(5) specifications and the Article 14(10) implementing acts. The framework below reflects the regulation's text and what is publicly known as of 2026-05-05; verify against current ENISA guidance before treating any specific UI step as final. The 11 September 2026 cutover for Article 14 applicability is fixed by Article 71(2).

Expected registration flow

The exact registration screens depend on the Article 16(5) specifications and the Article 14(10) implementing acts, both of which are still being finalised. We will refresh this section once ENISA publishes the live flow. Based on the regulation's text, expect the registration to verify the legal entity, capture the SRP authority contact (distinct from the Article 13(17) user contact), record the product portfolio with its Member-State coverage, and assign the coordinator CSIRT under Article 14(7). After registration, the same end-point handles every later submission: 24-hour early warning, 72-hour notification, intermediate reports on CSIRT request (Article 14(6)), and the final report.

Internal escalation: hitting the 24h clock

Article 14(1) starts the clock at awareness, not at confirmation. The hard part is getting from "we just learned" to "we just submitted" inside 24 hours, including out-of-hours.

  • Detection (inside 24h): internal engineering, customer reports, monitoring, threat intel, CVD intake. Triage paths for "actively exploited" and "severe incident" must be distinct.
  • Triage (inside 24h): use severity scoring signals (CVSS / EPSS / KEV) as inputs. Exploitation evidence is the Article 14(1) trigger; severity alone is not.
  • Legal review (in parallel): a serial wait for legal sign-off loses the 24h. Article 14(2)(a) lets the manufacturer flag sensitivity; Article 16(2) lets the platform withhold dissemination on cybersecurity grounds.
  • SRP early warning (inside 24h): Article 14(2)(a) or 14(4)(a).
  • 72h notification (after 24h): Article 14(2)(b) or 14(4)(b).
  • Final report (14 days for a vulnerability, 1 month for an incident): Article 14(2)(c) runs from the corrective measure being available; Article 14(4)(c) runs from the 72h notification. Different clocks.

A triage process that "usually takes 48 hours" is structurally non-compliant.
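As an added example (not from this page, ENISA or the regulation text), a small Python deadline calculator that encodes the clocks in the escalation table above, including the two different final-report start points, plus a check that the serial escalation steps fit the 24h budget. The one-month arithmetic and the reading of "from the 72h notification" as the submission time are assumptions, marked in the comments.

```python
import calendar
from datetime import datetime, timedelta
from typing import Optional

# Clocks as the page states them (Article 14 of Regulation (EU) 2024/2847).
EARLY_WARNING = timedelta(hours=24)   # Art. 14(1)/(3): from awareness
NOTIFICATION = timedelta(hours=72)    # Art. 14(2)(b)/(4)(b): from awareness
VULN_FINAL = timedelta(days=14)       # Art. 14(2)(c): from corrective measure available

def add_one_month(t: datetime) -> datetime:
    # Assumption: "1 month" (Art. 14(4)(c)) means the same calendar day next month,
    # clamped to that month's last day when the day does not exist.
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

def _parse(iso: Optional[str]) -> Optional[datetime]:
    if iso is None:
        return None
    t = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    if t.tzinfo is None:  # a naive timestamp silently shifts a wall-clock deadline
        raise ValueError(f"{iso}: timestamp must carry a timezone")
    return t

def article14_deadlines(kind: str, aware: str, corrective: Optional[str] = None,
                        notified: Optional[str] = None) -> dict:
    # kind: "vulnerability" (Art. 14(1)) or "incident" (Art. 14(3)); aware: moment of awareness.
    # corrective: vulnerability only, when the corrective measure became available.
    # notified: incident only, when the 72h notification was submitted (assumption: the page's
    # "from the 72h notification" is read as that submission time).
    if kind not in ("vulnerability", "incident"):
        raise ValueError("kind must be 'vulnerability' or 'incident'")
    aware_at = _parse(aware)
    if kind == "vulnerability":
        start = _parse(corrective)
        final = None if start is None else start + VULN_FINAL
    else:
        start = _parse(notified)
        final = None if start is None else add_one_month(start)
    return {
        "early_warning": (aware_at + EARLY_WARNING).isoformat(),
        "notification": (aware_at + NOTIFICATION).isoformat(),
        "final_report": None if final is None else final.isoformat(),  # None: clock not started
    }

def escalation_fits(step_hours: dict) -> bool:
    # Serial steps (detection, triage, submission) must fit in 24h; legal review runs in
    # parallel per the escalation table above and is excluded from the sum.
    serial = sum(h for name, h in step_hours.items() if name != "legal_review")
    return serial <= EARLY_WARNING.total_seconds() / 3600
```

A `final_report` of `None` means that clock has not started yet (no corrective measure, or no 72h notification submitted), which is itself worth surfacing in a tracker.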

CSIRT routing

Article 14(7) routes the notification to the CSIRT in the Member State of main establishment ("where the decisions related to the cybersecurity of its products with digital elements are predominantly taken"). For manufacturers without a main establishment in the Union, the third subparagraph applies a four-step fallback: AR's Member State, then importer, then distributor, then user concentration. After submission, Article 16(2) handles cross-border dissemination to CSIRTs in other affected Member States.

Common pitfalls

  • Registering only after the first reportable event. The 24h clock does not stop for onboarding. Register well before 11 September 2026.
  • A generic security@ with auto-reply. Conflicts with Article 13(17) third subparagraph for the user-facing channel and is unfit for the SRP authority channel.
  • No or stale products mapped to the registration. Article 14(2)(a) requires the early warning to indicate affected Member States; without a current inventory, the early warning is incomplete.
  • No internal SLA for the 24h clock. Detection-to-submission needs an explicit time budget.
  • Filing via national CSIRT email. Articles 14(1) and 14(3) name the SRP. Email to a national CSIRT is not equivalent.
  • Treating the AR as a forwarding address. A non-EU manufacturer's AR mandate under Article 18(1) must explicitly cover Article 14 reporting and the AR must hold SRP credentials.

Frequently Asked Questions

Is the SRP live today?

No. ENISA is developing the platform under Article 16(5) in cooperation with the CSIRTs network. Article 71(2) fixes the operational date at 11 September 2026, when Article 14 starts to apply. The platform's exact registration flow, credential mechanism, and electronic notification end-points are subject to the Article 16(5) specifications and the Article 14(10) implementing acts. Treat current public guidance as provisional and verify against ENISA before relying on any specific UI step.

When does the SRP go live for manufacturer reporting?

Article 71(2) says: "Article 14 shall apply from 11 September 2026". That is when manufacturers must be able to submit through the SRP. The platform's operational go-live is set by ENISA under Article 16(5) and the implementing acts under Article 14(10); verify against current ENISA guidance closer to the date.

Do importers and distributors register on the SRP?

No. Their duty is to inform the manufacturer about a vulnerability under Article 19(5) second subparagraph (importers) and Article 20(4) second subparagraph (distributors). Article 14 reporting through the SRP is the manufacturer's obligation.

Can a non-EU manufacturer register directly?

The route is normally through an authorised representative under Article 18(1), with a written mandate that covers Article 14 reporting. The AR holds the SRP credentials and files on the manufacturer's behalf. The AR cannot replace the manufacturer for obligations excluded by Article 18(2) (Article 13(1) to (11), Article 13(12) first subparagraph, Article 13(14)).

What if our SRP submission fails?

The SRP is the named channel under Article 14(1) and 14(3). If the platform is unavailable, contact the coordinator CSIRT through the published contact for its electronic notification end-point and document the failure. The 24h clock is not suspended by tooling problems; aim for best-effort notification within the window plus a complete record of why the SRP was unreachable.

Is the Article 13(17) single point of contact the same as the SRP registration contact?

No. Article 13(17) is a user-facing channel that "shall not limit such means to automated tools" and is published in the Annex II information to users. The SRP registration contact is an authority-facing channel for ENISA and the coordinator CSIRT. Both are required and they should not share a mailbox.

Next steps to be ready for 11 September 2026

  1. Track ENISA guidance on the SRP and the Article 16(5) specifications. Subscribe to ENISA updates and the Member State coordinator CSIRT bulletin so the day the registration flow opens, the team knows.
  2. Designate an SRP point of contact distinct from the Article 13(17) user-facing single point of contact.
  3. Document the internal escalation flow from detection to early warning, with an explicit SLA inside 24 hours and out-of-hours coverage.
  4. Run a tabletop exercise that simulates an actively exploited vulnerability and verifies an SRP submission can complete within the Article 14(1) window. Use the current ENISA-published reporting form template as a stand-in until the real form is final.
  5. If you rely on an authorised representative, confirm the Article 18(1) AR mandate covers Article 14 reporting and that the AR holds SRP credentials and a current product portfolio mapping.
  6. Confirm the Member State CSIRT routing under Article 14(7) matches your actual main establishment.
  7. For cadences and the legal definition of "actively exploited", continue with vulnerability reporting; for the handling regime see vulnerability handling; for manufacturer obligations in full, see the role page.