CRA Reporting Starts in September
The Cyber-Resilience Act (CRA) reporting clock starts on 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements through the ENISA Single Reporting Platform (SRP) (Commission reporting guidance, ENISA SRP page).
This is not the same as the full CRA application date in December 2027. Most product security and CE-marking obligations arrive later. But Article 14 reporting starts earlier, and it is operationally demanding: teams need a process that can turn a vulnerability signal into a regulatory decision inside a 24-hour window.
What has to be reported
The reporting obligation covers two tracks:
- Actively exploited vulnerabilities in a product with digital elements.
- Severe incidents that have an impact on the security of the product.
Manufacturers report through the CRA SRP, which is intended to notify the relevant national CSIRT and ENISA through a single channel.
The timing is tight
The Commission describes a staged reporting process:
| Step | Timing |
|---|---|
| Early warning | Within 24 hours of becoming aware |
| Full notification | Within 72 hours of becoming aware |
| Final report for an actively exploited vulnerability | No later than 14 days after a corrective measure is available |
| Final report for a severe incident | Within one month of the 72-hour notification |
The difficult part is not filling in a form. The difficult part is deciding quickly whether a product issue is reportable, who has authority to submit, and what facts are good enough for the first notification.
Why teams should prepare now
ENISA says the SRP is scheduled to be operational by 11 September 2026, with testing and preparation material before that date (ENISA SRP page). The Commission's reporting page, updated in June 2026, confirms that reporting will be routed through the SRP (Commission reporting guidance).
Do not wait for September to design the internal workflow. By then, the first 24-hour clock may already be running.
What to prepare
Before the deadline, manufacturers should have:
- A named reporting owner and backup.
- A vulnerability triage process that identifies possible active exploitation.
- A product inventory that links affected software, firmware, and hardware versions to markets where the product is available.
- A decision tree for when legal, product security, engineering, and leadership must be involved.
- Draft templates for the early warning, 72-hour notification, and final report.
- A recordkeeping process that preserves the evidence behind each reporting decision.
Handbook resources
- CRA Overview maps CRA obligations to engineering tasks.
- Vulnerability Disclosure explains how to receive and handle vulnerability reports.
- Patch Cadence helps turn vulnerability decisions into remediation timelines.
- Secure-by-Design Evidence Pack shows how to preserve evidence for later inspection.
The practical takeaway
September 2026 is not a paperwork milestone. It is the point where regulators start receiving live vulnerability and incident reports under the CRA. If your product security process cannot answer "is this reportable?" inside a day, it needs work before the SRP goes live.
