Commission Sets the Rules for Delaying Dissemination of CRA Reports

The European Commission has published a Delegated Regulation, adopted in December 2025, specifying the conditions under which the dissemination of notifications submitted under the Cyber Resilience Act may be delayed. The instrument fills in a part of the reporting machinery that the CRA itself left to be detailed later, and it directly affects how the most sensitive reports will move through ENISA's Single Reporting Platform (SRP).

What the mechanism does

Under the CRA, a manufacturer files a notification once through the SRP. The platform routes it simultaneously to the coordinating CSIRT, determined by the manufacturer's main establishment under Article 14(7), and to ENISA. The coordinating CSIRT then disseminates the information without delay to other relevant CSIRTs in member states where the product is available, and to market surveillance authorities as needed.

The default is speed. The Delegated Regulation carves out the exception. For sensitive reports, onward dissemination may be held back on security grounds. The logic is straightforward. Widely circulating technical detail about an actively exploited vulnerability before a fix is available can itself increase risk by widening the pool of actors who know how to exploit it. The delay mechanism lets the system balance situational awareness against the danger of amplifying an exploitable weakness.

How it connects to the reporting form

The mechanism is not abstract. It surfaces in the SRP reporting form as a field. When a manufacturer submits a vulnerability notification, the form includes a "considered sensitivity of information" field, where the manufacturer can flag that the report warrants restricted handling. That flag feeds the decision a coordinating CSIRT makes about whether to delay onward distribution under the conditions the Delegated Regulation sets out.

For manufacturers, this means the sensitivity judgement is part of the filing, not an afterthought. Deciding in advance who in the organisation makes that call, and on what basis, is a sensible item to settle before the reporting obligation begins to apply on 11 September 2026.

Where it sits in the legal stack

The SRP's legal basis is Article 16(1) of the CRA, which tasks ENISA with establishing and operating the platform. Articles 14 to 17 set out the wider reporting ecosystem, including the 24-hour early warning, the 72-hour notification, and the final report. The December 2025 Delegated Regulation is the implementing layer that specifies the delayed-dissemination conditions the primary regulation pointed to.

Manufacturers tracking CRA implementation should treat the Delegated Regulation as part of the operational detail to absorb alongside the Commission's "FAQs on the CRA Implementation" and its draft guidance Communication on applying the CRA, a final version of which the Commission has said it will adopt shortly.

The timeline ahead

The SRP is scheduled to be operational by 11 September 2026, the date manufacturer reporting obligations enter application, with a testing period expected beforehand. ENISA has indicated that registration manuals and instructions for the platform will be provided during June 2026. The delayed-dissemination rules are now part of the framework that will govern how reports flow once that platform goes live.