CRA reporting obligation lands 11 September — ENISA Single Reporting Platform access manual due, dry-runs before go-live

The first Cyber Resilience Act obligation to bind, from 11 September 2026, requires manufacturers of products with digital elements to report actively exploited vulnerabilities (24-hour early warning + 72-hour notification + final report) and severe incidents through ENISA's Single Reporting Platform (EC Digital Strategy; ENISA SRP). ENISA committed to publishing access manuals and registration instructions during June 2026 with a dry-run period before go-live. Swiss companies exporting products with digital elements to the EU are directly in scope, with NCSC/GovCERT.ch as the designated national-CSIRT counterpart for the simultaneous-notification routing. With the deadline ~82 days out, in-scope manufacturers should begin SRP registration preparation and build the 24/72-hour reporting workflow into their PSIRT process now.