CRA June 11 notifying-authority deadline — first hard CRA milestone with ENISA SRP manual and Secure Update Mechanisms advisory published

11 June is the Cyber Resilience Act's first mandatory milestone: EU member states must designate the national authority responsible for assessing and notifying conformity assessment bodies (CABs) for Important and Critical product classes (OpenSSF policy blog, 2026-06-03; ENISA SRP page). Without designated notifying authorities, manufacturers of products such as operating systems, firewalls, smart cards, HSMs and smart meter gateways cannot obtain the third-party certificates needed by the December 2027 full-application date. In the same window ENISA published: (1) the access and registration manual for the CRA Single Reporting Platform (SRP) — the platform manufacturers must use from 11 September 2026 to report actively exploited vulnerabilities within 24 h (early warning) and 72 h (full notification); (2) a draft Technical Advisory on Secure Update Mechanisms for SME manufacturers (public consultation to 10 July). The 90-day window to SRP operational date is shorter than it appears: software vendors deploying into EU environments should validate their vulnerability-disclosure pipeline now, not in September.