Piotr Polak

Cybersecurity and standardization expert

Cyber Resilience Act - reporting obligations

Published January 2, 2026

As of 11 of September 2026, the reporting obligations of manufacturers required by the Cyber Resilience Act will be enforced.

Reporting Process

Manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of products already on the EU market.

Definitions

Actively exploited vulnerability
A flaw that has been reliably proven to be exploited by a malicious actor without the system owner’s permission.
Severe incident
An event that negatively affects—or could affect—the product’s ability to protect the availability, authenticity, integrity, or confidentiality of its data or functions.

Reporting Deadlines

  1. Initial report: Within 24 hours of awareness (early warning)
  2. Full report: Within 72 hours
  3. Final report: Within 14 days of implementing a corrective measure

Submission Platform

  • Reports will be submitted via the CRA Single Reporting Platform, developed by ENISA
  • Expected launch: 11 September 2026

Distribution

  • Notifications will be forwarded to a coordinating CSIRT designated by ENISA
  • Shared with relevant CSIRTs in all EU member states where the products are available

Preparing for Reporting Obligations

Manufacturers should:

Establish Monitoring and Reporting Capabilities

  • Implement systems and processes to continuously monitor for product vulnerabilities and product related security incidents.
  • Ensure the team responsible for cybersecurity can quickly detect, document, and escalate relevant events.

Impact Assessment and Risk Mitigation

  • Be able to assess the impact of any detected vulnerability or incident on the product and its users.
  • Implement procedures to mitigate risks promptly, including patches, updates, or other corrective measures.

Prepare Reporting Procedures

  • Set up processes to submit reports through the CRA Single Reporting Platform once it is operational (expected by 11 September 2026).
  • Ensure reports can meet the required timelines:
    • Initial report: within 24 hours of awareness
    • Full report: within 72 hours
    • Final report: within 14 days of applying corrective measures

Train Teams and Assign Responsibilities

  • Assign a dedicated team or individual responsible for compliance with CRA reporting requirements.
  • Train staff on recognizing vulnerabilities, assessing severity, and following reporting protocols.

Document Everything

  • Maintain detailed records of detected vulnerabilities, incidents, assessments, and mitigation measures.
  • Documentation will help demonstrate compliance if audited by regulators.