ENISA — EU Agency for Cybersecurity
ENISA (the European Union Agency for Cybersecurity) is the EU's dedicated cybersecurity agency, headquartered in Athens with offices in Brussels. Under the CRA, ENISA operates the central EU vulnerability registry, receives Article 14 notifications of actively exploited vulnerabilities, and publishes guidance supporting manufacturer compliance.
What Is ENISA?
The European Union Agency for Cybersecurity (ENISA), established by the EU Cybersecurity Act (Regulation (EU) 2019/881), is the EU's primary cybersecurity agency. Its mandate includes providing expertise to EU institutions and member states, developing certification frameworks (European Cybersecurity Certification Schemes), producing threat landscape reports, publishing cybersecurity good practice guides, and coordinating the EU's response to large-scale cybersecurity incidents. ENISA's role expanded significantly with the CRA, which assigns it specific operational responsibilities relating to vulnerability notification and the EU vulnerability registry.
ENISA's CRA Notification Role
Article 14 of the CRA requires manufacturers to notify ENISA when they become aware of a vulnerability in their product that is being actively exploited. The notification timeline is:
- 24 hours — initial notification confirming the vulnerability and exploitation status.
- 72 hours — early warning with preliminary impact assessment and initial mitigations.
- 14 days — final report with full technical details, CVSS score, affected versions, remediation, and fix availability.
ENISA receives these notifications centrally and disseminates relevant information to national CSIRTs and affected operators of essential services. Manufacturers must identify the correct ENISA notification contact (typically ENISA's vulnerability reporting portal, with CSIRT-to-CSIRT coordination for complex cases).
ENISA Vulnerability Registry
Article 16 of the CRA tasks ENISA with operating a European vulnerability registry — a centralised EU database of vulnerabilities reported under the CRA. This registry complements (not replaces) the global CVE programme. Key characteristics:
- Manufacturers who report actively exploited vulnerabilities under Article 14 contribute to the registry.
- ENISA coordinates with national CSIRTs to ensure timely information flow to operators of critical infrastructure.
- The registry is expected to integrate with CSAF-based advisory distribution and the CVE ecosystem.
- ENISA publishes aggregated threat intelligence based on registry data in its annual ENISA Threat Landscape report.
Manufacturers should expect the registry to become an important mechanism for demonstrating regulatory compliance with Article 14 obligations.
ENISA Guidance for Manufacturers
ENISA publishes substantial guidance relevant to CRA compliance that manufacturers should treat as authoritative reference material:
- ENISA CVD Good Practice Guide — detailed guidance on implementing coordinated vulnerability disclosure policies, PSIRTs, and security advisories.
- ENISA Threat Landscape (annual) — the EU's authoritative threat intelligence report, relevant for threat modelling.
- Guidelines on Security of IoT — security design requirements aligned with CRA essential requirements.
- ENISA SBOM Good Practices — guidance on SBOM generation, maintenance, and use.
- European Cybersecurity Certification Schemes — relevant for Critical product certification.
ENISA guidance does not have the same legal force as the CRA itself, but market surveillance authorities treat it as the regulatory reference standard for assessing compliance quality.
Frequently asked
Do we notify ENISA directly or through a national CSIRT?
Article 14 requires notification to ENISA and to the relevant national CSIRT. In practice, the CRA establishes a single-entry-point model: manufacturers submit notifications through the ENISA vulnerability reporting portal, which then coordinates with national CSIRTs. Manufacturers should monitor ENISA's published guidance on the notification procedure as the portal and process are rolled out ahead of the June 2026 Article 14 application date.
What is the ENISA Threat Landscape report and do we need to use it?
The ENISA Threat Landscape (ETL) is ENISA's annual report cataloguing the most significant cybersecurity threats affecting the EU. It is not a mandatory compliance document, but it is a key reference for threat modelling and risk assessment under the CRA. Market surveillance authorities may ask manufacturers to demonstrate that their threat models reflect current threats; citing the ETL as a reference source demonstrates systematic analysis.
Does ENISA publish a list of actively exploited vulnerabilities similar to CISA KEV?
Not yet — as of early 2026, ENISA does not publish a public catalogue of actively exploited vulnerabilities equivalent to the CISA Known Exploited Vulnerabilities (KEV) catalogue. The EU vulnerability registry established by Article 16 is expected to perform this function once operational. Until then, manufacturers should use CISA KEV, vendor security bulletins, and commercial threat intelligence feeds to monitor for active exploitation of vulnerabilities in their products.