What is the ENISA single reporting platform (SRP)?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The single reporting platform is the central system ENISA must establish under Article 16 of the Cyber Resilience Act for manufacturers to report actively exploited vulnerabilities and severe incidents from 11 September 2026. It routes each report to the relevant national CSIRT and ENISA, replacing scattered, authority-by-authority reporting with one entry point.

Key Facts

  • Legal basis: CRA Article 16; used to meet the Article 14 reporting duties.
  • Operated and maintained by ENISA; single entry point for mandatory and voluntary reports.
  • Manufacturers must use it from 11 September 2026.
  • Handles the 24h early warning, 72h notification and the final report.
  • Status confirmed 16 July 2026: not yet live; pre-operational testing phase.
  • Initial rollout will not include APIs — reporting will be via manual portal entry, not system-to-system. Build your internal process now so you can report the moment the platform opens.

The single reporting platform (SRP) is the technical system that the Cyber Resilience Act requires ENISA to establish and run so that manufacturers can meet their reporting obligations through one channel rather than reporting separately to every national authority (Art. 16). From 11 September 2026, manufacturers of products with digital elements must use the platform to report actively exploited vulnerabilities and severe incidents, following the Article 14 clock of a 24-hour early warning, a 72-hour notification and a 14-day final report. The platform forwards each submission to the relevant national CSIRT and to ENISA, and it can also receive voluntary reports. **Status as of 16 July 2026:** The platform is not yet live and remains in a pre-operational testing phase. ENISA's initial rollout will not include APIs for automated, system-to-system reporting. Manufacturers should expect to file reports through a manual web portal when the platform opens on 11 September 2026. The practical implication: organisations that plan to automate their reporting workflow will need to plan for a manual-entry period at launch, and should not defer building their internal detection and 24-hour escalation process on the assumption that tooling gaps will excuse late reports. The legal duty begins on 11 September 2026 regardless of platform readiness.

What's next

See how Acuna handles this