CRAdarCheck

ENISA reporting: what to have ready before 11 September 2026

From that date, an actively exploited vulnerability starts a 24-hour reporting clock. What triggers it, what each submission contains, and the one-page process that keeps you out of trouble.

Updated 2026-07-02

What triggers the obligation

Two events, both in Art. 14: (1) an actively exploited vulnerability in your product, meaning there is reliable evidence that someone is using the flaw against deployed instances without the owner's permission, not merely that a CVE exists; (2) a severe incident having an impact on the security of your product, meaning an event that affects, or is capable of affecting, the product's ability to protect the availability, authenticity, integrity or confidentiality of data or functions, or that leads to malicious code being introduced into it. Think compromised build pipeline, stolen signing keys, malicious update shipped.

'Becoming aware' starts the clock. A credible report from a researcher, a customer, your own monitoring: awareness is when a reasonable manufacturer would conclude exploitation is likely occurring, not when you finish a three-week internal investigation. Record that moment as a timestamp with an explicit UTC offset, because every deadline below is measured from it and it is the first thing an authority will ask for.

The three submissions

  • Early warning — within 24 hours. Minimal: product, nature of the event, whether you suspect exploitation, which Member States are affected. Its purpose is speed, not completeness.
  • Notification — within 72 hours of becoming aware (the same clock as the early warning, not 72 hours after it). The substance: nature of the vulnerability/incident, severity, affected versions, mitigations taken and available to users, IoCs if any.
  • Final report — within 14 days of a corrective measure being available (vulnerabilities) or 1 month after notification (incidents): full description, root cause, remediation, lessons.
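As an added example (the editor's own, not code from CRAdarCheck, ENISA or the SRP), a small Python tracker that encodes the clocks above: early warning and notification both run from the moment of awareness, the vulnerability final report runs from when a corrective measure is available (so it has no due date until the fix ships), and the incident final report runs from the notification. Class, function and field names are this example's assumptions, and the sample timestamps are constructed.

```python
"""Deadline tracker for the three CRA Art. 14 submissions.

Added example, not code from CRAdarCheck, ENISA or the SRP. The clock values
(24 h and 72 h from awareness, 14 days from a corrective measure, 1 month from
the incident notification) are the ones stated on the page; every class,
function and field name is an assumption of this example.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class EventKind(Enum):
    EXPLOITED_VULNERABILITY = "actively exploited vulnerability"
    SEVERE_INCIDENT = "severe incident"


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    Naive timestamps are rejected: a 24 h clock measured in the wrong
    zone is a missed deadline, so the offset must be explicit in the record.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {stamp!r}")
    return dt.astimezone(timezone.utc)


def add_one_month(dt: datetime) -> datetime:
    """Calendar month, clamped to the last day of the target month (31 Jan -> 28/29 Feb)."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass
class ReportingClock:
    kind: EventKind
    aware_at: datetime                               # moment of 'becoming aware'
    fix_available_at: Optional[datetime] = None      # vulnerabilities: corrective measure shipped
    notification_sent_at: Optional[datetime] = None  # incidents: actual 72 h submission time

    @classmethod
    def from_iso(cls, kind, aware_at, fix_available_at=None, notification_sent_at=None):
        return cls(kind, parse_utc(aware_at),
                   parse_utc(fix_available_at) if fix_available_at else None,
                   parse_utc(notification_sent_at) if notification_sent_at else None)

    def early_warning_due(self) -> datetime:
        return self.aware_at + timedelta(hours=24)

    def notification_due(self) -> datetime:
        # Same clock as the early warning: 72 h from awareness, not from the early warning.
        return self.aware_at + timedelta(hours=72)

    def final_report_due(self) -> Optional[datetime]:
        """None means the final-report clock has not started yet."""
        if self.kind is EventKind.EXPLOITED_VULNERABILITY:
            if self.fix_available_at is None:
                return None                          # no corrective measure available yet
            return self.fix_available_at + timedelta(days=14)
        # Severe incident: one month after the notification. If it has not been
        # sent yet, plan against the latest permitted notification time.
        start = self.notification_sent_at or self.notification_due()
        return add_one_month(start)

    def status(self, now: str, submitted: frozenset = frozenset()) -> dict:
        """Per-submission state at 'now': submitted / open / OVERDUE / not started."""
        t = parse_utc(now)
        result = {}
        for name, due in (("early warning", self.early_warning_due()),
                          ("notification", self.notification_due()),
                          ("final report", self.final_report_due())):
            if name in submitted:
                result[name] = "submitted"
            elif due is None:
                result[name] = "not started"
            elif t > due:
                result[name] = "OVERDUE"
            else:
                result[name] = "open"
        return result


if __name__ == "__main__":
    # Constructed sample: awareness at 10:00 CEST on the date Art. 14 starts to apply.
    clock = ReportingClock.from_iso(EventKind.EXPLOITED_VULNERABILITY, "2026-09-11T10:00:00+02:00")
    print("early warning due:", clock.early_warning_due().isoformat())
    print("notification due: ", clock.notification_due().isoformat())
    print(clock.status("2026-09-12T09:00:00+00:00", frozenset({"early warning"})))
```

The one design choice worth copying into a real tracker is that the vulnerability final report deliberately has no due date until a fix exists; putting a placeholder date there is how teams end up filing a "final" report before the corrective measure, which the text of Art. 14 does not ask for.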

Where you file

One place: the ENISA Single Reporting Platform (SRP), which routes to your national CSIRT and ENISA. You report once — the platform handles distribution. ENISA is running onboarding, training material and dry-runs ahead of the deadline; register as soon as your national CSIRT opens the flow, because the 24-hour clock does not pause for account creation.

The one-page process every team needs

  • WHO detects: name the alert channels (OSV/scanner alerts, security@ mailbox, researcher reports) and who watches them — including weekends.
  • WHO decides: one named person (plus backup) with authority to declare 'actively exploited' — do not decide by committee at 3 a.m.
  • WHO files: named reporter with SRP credentials, plus backup. Pre-drafted early-warning template.
  • THEN: 72h notification owner, comms to users, fix shipping, final report owner. Rehearse once per year; the first rehearsal always finds a broken assumption.

What happens if you miss it

Reporting failures are in the top fine tier. Art. 64(1) puts non-compliance with the Art. 13 and Art. 14 obligations in the same bracket as violations of the Annex I essential requirements: up to €15M or 2.5% of total worldwide annual turnover, whichever is higher. The €10M/2% tier (Art. 64(2)) is for the regulation's other obligations, and supplying incorrect, incomplete or misleading information to a market surveillance authority in reply to a request carries its own tier of up to €5M or 1%. More practically: a missed deadline creates a paper trail of non-compliance attached to an actual security event, which is the worst possible position to be in with a market surveillance authority.

Where do you stand today?

Run the free 3-minute Risk Check: scope verdict, risk class, readiness score, prioritized fixes.

Educational guidance on Regulation (EU) 2024/2847 — not legal advice.