The Cyber Resilience Act establishes a single reporting platform, operated by ENISA, as the common entry point for Article 14 notifications. The manufacturer files once, and the system distributes the notification to the parties that need it. This avoids forcing manufacturers to submit separately to multiple national bodies during a live incident.
Each notification reaches two kinds of recipient at the same time. ENISA holds the EU-level view, operates the platform, and supports coordination across borders, with safeguards that allow particularly sensitive technical detail to be restricted where wide circulation would itself increase risk. In parallel, the notification reaches the CSIRT designated as coordinator in the relevant member state, which can act operationally within its territory.
Because exploited vulnerabilities rarely respect borders, the architecture supports onward notification to other affected member states, turning a single filing into Union-wide situational awareness. For the manufacturer, the work is readiness: verified platform access, a known national CSIRT contact, and the ability to produce a structured, accurate notification inside a tight window.
This is the third article in our six-part CRA reporting series.
Read the full guide on our blog.
Read More