Most coverage of the Single Reporting Platform (SRP) focuses on the obligation. Manufacturers must report actively exploited vulnerabilities and severe incidents through the platform once the rules apply on 11 September 2026. Less discussed is the platform's second function, which is voluntary reporting open to a much wider set of contributors and a broader set of report types.
This post explains what the SRP accepts on a voluntary basis, who can submit it, and why that matters for the European vulnerability picture. For the mandatory side, see our guide to the SRP reporting form and its data fields and how reporting is routed to ENISA and national authorities.
Two functions in one platform
The SRP is established under Article 16 of the Cyber Resilience Act as a single entry point that simplifies manufacturers' reporting obligations. That is its primary job. Alongside the mandatory channel, the platform offers a voluntary reporting function that any natural or legal person may use.
The distinction is worth holding clearly. The mandatory channel is for manufacturers and, where they are involved with products with digital elements, open-source software stewards. The voluntary channel is for everyone. A security researcher, a downstream integrator, a customer, or another vendor can all submit a voluntary report. The platform widens the funnel of useful signal reaching ENISA and the national CSIRTs without forcing every contributor into the obligation framework that binds manufacturers.
What you can report voluntarily
The voluntary function accepts four categories, and they reach further than the mandatory channel does.
- Vulnerabilities contained in a product with digital elements. Not only those that are actively exploited, which is the mandatory trigger, but vulnerabilities in general.
- Cyber threats that could affect the risk profile of a product with digital elements.
- Incidents having an impact on the security of a product, beyond the severe-incident threshold that triggers mandatory reporting.
- Near misses that could have resulted in an incident.
The contrast with the mandatory scope is the point. Mandatory reporting is narrow and high-bar. It applies to vulnerabilities with reliable evidence of active exploitation, and to incidents that severely affect the security of a product. Voluntary reporting deliberately lowers the bar so that early, weaker, or non-product-owner signals still have a route into the system. A near miss is, by definition, something that did not become a reportable incident. The platform still wants to know.
When the voluntary function turns on
The mandatory and voluntary functions do not arrive together. The platform is scheduled to be operational by 11 September 2026, matching the date the manufacturer reporting obligations enter application. ENISA has indicated that the voluntary reporting functionality will be enabled in the SRP after that date.
So the sequencing is mandatory first, voluntary second. Manufacturers preparing for the obligation should plan around the September 2026 milestone for their own filing. Researchers and other parties who want to contribute voluntary reports should expect the function to come online afterward rather than at launch.
Why this matters for manufacturers
Even though voluntary reporting is open to anyone, manufacturers have a direct stake in it. A vulnerability in your product can reach ENISA and the relevant CSIRTs through a voluntary report filed by someone else, before you have filed anything yourself. That changes the posture. It is one more reason to run a mature coordinated disclosure process so that researchers come to you first, and so that you become aware of issues in time to meet your own 24-hour and 72-hour obligations if exploitation is confirmed.
The voluntary channel also reflects the CRA's broader aim, which is transparency across the disclosure process and a stronger ability for EU CSIRTs to mitigate risk from vulnerabilities. The more signal that flows in, including threats and near misses that would never meet a mandatory threshold, the earlier the ecosystem can see a pattern forming.
Preparing for both channels
For a manufacturer, the practical implication is to maintain a single, well-run intake regardless of which channel a report eventually travels through. A researcher who can reach you easily through a coordinated disclosure portal is a researcher who is less likely to route a finding into the voluntary channel before you have had a chance to respond. And a clean internal record of vulnerabilities, threats, and near misses positions you to file accurately and fast on the mandatory side when an issue crosses the active-exploitation line.
The SRP's voluntary function is not an obligation you carry. It is a feature of the environment you operate in, and treating it as such is part of being ready for the regime that begins on 11 September 2026.