Independent guide to Regulation (EU) 2024/2847 · Status: in force
CRA Insights · 29 June 2026

With Reporting Due on 11 September 2026, ENISA's Single Reporting Platform Is Still Not Live


From 11 September 2026, the Cyber Resilience Act switches on one of its hardest deadlines: manufacturers must report actively exploited vulnerabilities and severe incidents, and they must do it through a single EU tool, the Single Reporting Platform run by ENISA. As of 29 June 2026, that platform is not yet live. With the clock now under three months from the start date, the gap between the obligation and the tool is the story manufacturers need to plan around.

What the platform is

The reporting duties sit in Article 14 of the CRA. The platform itself is the system established pursuant to Article 16: a single electronic entry point so a manufacturer files once, rather than notifying many national authorities separately. A submitted report is routed at the same time to the national CSIRT designated as coordinator for the manufacturer's main establishment and to ENISA. ENISA is tasked with building, managing and securing the platform, and with running a helpdesk, with particular attention to SMEs.

Status at publication, 29 June 2026

The Single Reporting Platform is not yet operational. ENISA has scheduled it to be live by 11 September 2026, the date the reporting duties begin, with a testing period expected beforehand. ENISA has said it will publish access and registration instructions, training, and dry-run support materials during June 2026. Until the platform is live there is no production system through which to file an Article 14 notification, so the priority now is the internal process that will feed it, not the submission tool.

The clock that does not wait for the tool

The reporting timeline is fixed and tight. Once a manufacturer becomes aware of an actively exploited vulnerability or a severe incident, it must send an early warning within 24 hours, a fuller notification within 72 hours, and a final report no later than 14 days after a corrective measure is available for a vulnerability, or within one month of the notification for a severe incident. These windows start from awareness, not from the platform going live. A manufacturer that detects a live, exploited flaw in the days around the start date will still be on a 24-hour clock.

Who can hit pause, and who cannot

It is worth being precise about where the flexibility sits. The manufacturer has no discretion to delay: the 24, 72 and 14-day obligations apply in full. What can be delayed is the onward dissemination of a report by the receiving authority. Under a delegated act the Commission adopted on 11 December 2025, the CSIRT that first receives a notification may, on narrow security-related grounds, hold back from passing it to other CSIRTs and ENISA. That brake belongs to the authority, not the company filing the report.

What to do before 11 September 2026

Waiting for the platform to appear is not a plan. The work that matters now does not depend on the tool being live. Manufacturers and developers should identify the designated CSIRT they would notify, based on their main establishment in the EU or, if outside the EU, their authorised representative. They should stand up an internal detection and triage process able to recognise an actively exploited vulnerability and a severe incident, and to assemble the early-warning, notification and final-report content on a 24, 72 and 14-day rhythm. And they should watch for ENISA's onboarding materials so that registration and a dry run are done before a real incident forces a first attempt. The obligation arrives on a fixed date; the readiness to meet it has to be built before the tool shows up.

Published 29 June 2026 · CRA Insights. Part of the CRA insights blog on cyberresilienceact.eu.