Establishment of the Single Reporting Platform and ENISA's Vulnerability Coordination Role

Article 16 establishes that ENISA shall set up, maintain, and operate a single reporting platform through which manufacturers submit their Article 14 notifications. This platform provides a standardised, secure channel for the early warning (24-hour), notification (72-hour), and final report submissions required under Article 14.

The single reporting platform is designed to eliminate the fragmentation that would result if each member state operated its own bespoke notification system. Without a single platform, manufacturers selling across multiple EU member states would need to file separate notifications in each jurisdiction's system, with potentially different formats, authentication requirements, and submission procedures.

By providing a single submission point, the platform reduces administrative burden on manufacturers while ensuring that all notifications reach the appropriate national CSIRT and are simultaneously available to ENISA for EU-level coordination.

Although submissions go through a single platform, Article 16 ensures that notifications are routed to the appropriate national CSIRT based on the manufacturer's location or the affected product's market. The platform handles this routing automatically, so manufacturers need not identify the correct national authority for each submission.

Where a vulnerability affects products sold in multiple member states, the platform may route notifications to multiple national CSIRTs simultaneously or sequentially, ensuring all relevant national authorities receive the information. ENISA also receives a copy of all notifications, enabling the EU-level picture to be maintained.

The routing logic also accounts for situations where the manufacturer is established in a third country - in such cases, notifications may be routed through the national CSIRT in the member state where the product is primarily marketed or where the authorised representative is established.

Article 16 requires that the single reporting platform use standardised technical formats for notifications. Standardisation enables automated processing, reduces errors, and facilitates integration with vulnerability management systems at national CSIRTs and ENISA.

The expected format for notifications aligns with CSAF (Common Security Advisory Framework) conventions and STIX/TAXII threat intelligence standards where applicable. Manufacturers should design their internal vulnerability management workflows to produce outputs in formats compatible with the platform's submission requirements.

ENISA publishes technical specifications for the submission format, which manufacturers should integrate into their CVD tooling well before the CRA application date. CVD Portal supports automated submission-ready report generation in the required formats.

Article 16 requires that the single reporting platform handle notification data with appropriate confidentiality protections. Vulnerability information submitted before a patch is publicly available is commercially sensitive and, if leaked, could facilitate exploitation of the reported vulnerability. The platform must therefore implement strong access controls ensuring that notification data is accessible only to authorised national CSIRT personnel and ENISA staff.

Manufacturers submitting notifications can expect that:

• Notification content will not be shared with third parties without the manufacturer's consent, except as necessary for coordination with national authorities
• Published vulnerability information (for example, EVDB entries) will be delayed or redacted until a fix or workaround is available
• Personal data included in notifications (such as security researcher contact details) will be handled in accordance with GDPR

Manufacturers should review the platform's terms of use and privacy notice before first submission to understand the data handling framework.

For manufacturers with significant product portfolios and active vulnerability management programmes, the Article 16 platform needs to integrate smoothly with internal CVD tooling. Manual submission for every vulnerability in a large product portfolio is operationally unsustainable - manufacturers should plan for API-based or automated submission where the volume of notifications warrants it.

ENISA is expected to provide an API for programmatic submission to the platform, enabling manufacturers' vulnerability management platforms and CVD portals to submit notifications automatically when the relevant thresholds are met.

CVD Portal's integration with the Article 14 reporting infrastructure enables manufacturers to submit notifications directly from the platform, with automatic population of required fields from the vulnerability record and automatic timeline tracking against the 24-hour and 72-hour deadlines.

ENISA is responsible for establishing and operating the single reporting platform and the European Vulnerability Database (EVDB) that underpins it. The following sections describe ENISA's specific functions under Article 16.

Article 16 tasks ENISA with establishing and maintaining the European Vulnerability Database (EVDB). The EVDB serves as the EU-level registry for vulnerabilities affecting CRA-regulated products, complementing the global CVE programme coordinated by MITRE/NVD.

The EVDB allows manufacturers to register vulnerabilities in their products with standardised identifiers (European Vulnerability Identifiers or EVIs), enabling structured tracking and reporting of vulnerability lifecycles. For manufacturers subject to Article 14 reporting obligations, the EVDB is the downstream repository where their notifications ultimately contribute to an EU-wide vulnerability intelligence picture.

The EVDB is also intended to serve as a resource for market surveillance authorities, security researchers, and downstream users who need to assess their exposure to known vulnerabilities. By centralising vulnerability information, the EVDB aims to improve the EU's collective ability to monitor the security state of digital products and respond to emerging threats.

Article 16 gives ENISA a coordination role in the EU's vulnerability disclosure ecosystem. Where a vulnerability in a CRA-regulated product affects multiple manufacturers, multiple product categories, or has systemic implications for critical infrastructure, ENISA may coordinate the disclosure process to ensure:

• All affected manufacturers are notified simultaneously
• Disclosure timelines are coordinated to avoid one manufacturer's advisory revealing the vulnerability before others are ready
• National CSIRTs in affected member states receive timely and accurate information
• The EVDB entry for the vulnerability is comprehensive and accurate

This coordination role is particularly important for vulnerabilities affecting widely-deployed standards, protocols, or common components - situations where a single CVE may affect hundreds of manufacturers and millions of products simultaneously.

Article 16 recognises that the EVDB does not operate in isolation - it must interface with the global vulnerability management ecosystem, including the MITRE CVE programme, the NVD, and national vulnerability databases maintained by CERT organisations in member states.

ENISA is responsible for establishing data exchange arrangements with these international databases to avoid duplication and to ensure that vulnerability information registered in the EVDB is synchronised with global CVE records. For manufacturers, this means that vulnerabilities disclosed through the CRA Article 14 process will contribute to both EU-specific and global vulnerability intelligence.

Manufacturers should familiarise themselves with both the EVDB and the global CVE programme. The processes for registering CVEs (through CNA - CVE Numbering Authorities) are established, and ENISA is expected to become a CNA covering EU-specific vulnerabilities.

Beyond database operations, Article 16 establishes ENISA as a source of guidance and advice for manufacturers, national authorities, and other stakeholders on CRA implementation. ENISA's advisory functions include:

• Publishing implementation guidance on CRA obligations for manufacturers across different product categories
• Developing technical guidelines on CVD policy best practices, SBOM formats, and CSAF advisory standards
• Providing guidance to national CSIRTs on handling Article 14 notifications
• Advising the Commission on the development of implementing acts and common specifications
• Publishing annual reports on the state of CRA implementation and the vulnerability landscape for digital products

Manufacturers should actively monitor ENISA's publications as the CRA's application date approaches, as guidance documents will clarify many practical compliance questions that the regulation itself leaves open.

Article 16 connects with Article 14 to establish ENISA's central role in processing vulnerability and incident notifications from manufacturers. Under Article 14, manufacturers report severe vulnerabilities to their national CSIRT, which forwards notifications to ENISA. ENISA aggregates these notifications, maintains statistics, identifies trends, and coordinates cross-border responses.

The practical infrastructure for this - the single reporting platform referenced in Article 16 - is designed and operated under ENISA's coordination. Manufacturers who submit Article 14 notifications to their national CSIRT are indirectly contributing to the EU-wide vulnerability intelligence that ENISA maintains.

ENISA also plays a role in the early warning process: where a notification indicates a vulnerability that may affect critical infrastructure or a large number of users, ENISA can escalate the alert to national cybersecurity authorities across the EU.