ENISA reporting: what to have ready before 11 September 2026
From that date, an actively exploited vulnerability starts a 24-hour reporting clock. What triggers it, what each submission contains, and the one-page process that keeps you out of trouble.
Updated 2026-07-02
What triggers the obligation
Two events, defined in Art. 14: (1) an actively exploited vulnerability in your product — someone is using the flaw in the wild, not just a CVE existing; (2) a severe incident having an impact on the security of your product — think compromised build pipeline, stolen signing keys, malicious update shipped.
'Becoming aware' starts the clock. A credible report from a researcher, a customer, your own monitoring — awareness is when a reasonable manufacturer would conclude exploitation is likely occurring, not when you finish a three-week internal investigation.
The three submissions
- Early warning — within 24 hours. Minimal: product, nature of the event, whether you suspect exploitation, which Member States are affected. Its purpose is speed, not completeness.
- Notification — within 72 hours. The substance: nature of the vulnerability/incident, severity, affected versions, mitigations taken and available to users, IoCs if any.
- Final report — within 14 days of a corrective measure being available (vulnerabilities) or 1 month after notification (incidents): full description, root cause, remediation, lessons.
Where you file
One place: the ENISA Single Reporting Platform (SRP), which routes to your national CSIRT and ENISA. You report once — the platform handles distribution. ENISA is running onboarding, training material and dry-runs ahead of the deadline; register as soon as your national CSIRT opens the flow, because the 24-hour clock does not pause for account creation.
The one-page process every team needs
- WHO detects: name the alert channels (OSV/scanner alerts, security@ mailbox, researcher reports) and who watches them — including weekends.
- WHO decides: one named person (plus backup) with authority to declare 'actively exploited' — do not decide by committee at 3 a.m.
- WHO files: named reporter with SRP credentials, plus backup. Pre-drafted early-warning template.
- THEN: 72h notification owner, comms to users, fix shipping, final report owner. Rehearse once per year; the first rehearsal always finds a broken assumption.
What happens if you miss it
Reporting failures carry fines up to €10M or 2% of global turnover — separate from the €15M/2.5% tier for essential-requirement violations. More practically: a missed deadline creates a paper trail of non-compliance attached to an actual security event, which is the worst possible position with a market surveillance authority.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.