Re: [open-regulatory-compliance] Fwd: CRA updates - SMEs, reporting platform and FOSS attestations
  • From: Steffen Zimmermann <steffen.zimmermann@xxxxxxx>
  • Date: Fri, 13 Feb 2026 17:17:43 +0000

Dear Dave,

Public info can be found here, although the „electronic submission“ is cryptic wording for a webform 😉

https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp

Manufacturers submit notifications electronically through the platform, which automatically routes them to the designated CSIRT coordinator (based on the manufacturer's main establishment) and ENISA simultaneously. The CSIRT then disseminates the information without delay to other relevant CSIRTs in Member States where the product is available, and to market surveillance authorities as needed. For sensitive reports, dissemination may be delayed on security grounds, with ENISA informed and able to recommend broader sharing if risks are systemic. The platform incorporates security measures to protect confidentiality. 


As a general rule, when a manufacturer submits a report to the CRA SRP, it is simultaneously notified to:

  • The CSIRT (Computer Security Incident Response Team) designated as the coordinator in the Member State where the manufacturer is established.
  • ENISA (unless particularly exceptional circumstances apply).

The CSIRT designated as coordinator that initially receives the notification is then responsible for disseminating it without delay to other relevant CSIRTs across the EU via the platform.



Best regards,

 

Steffen Zimmermann

Industrial Security @ VDMA

 

 

 

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Dave Russo via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Date: Friday, 13 February 2026 at 18:14
To: open-regulatory-compliance@xxxxxxxxxxx <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dave Russo <drusso@xxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Fwd: CRA updates - SMEs, reporting platform and FOSS attestations

Thank you for this additional information - has this been stated anywhere publicly?

Thanks,
Dave

On 2/13/26 12:04 PM, Steffen Zimmermann via open-regulatory-compliance wrote:
Dear all,

Most interesting point is about the Single Reporting Platform. After talking with ENISA, it is clear that in September we will only have a web dashboard secured with the EU Login where manufacturers (or others) can report vulnerabilities manually via a standardized form.

An API is under construction but will not be ready before 2027.
Anyhow, the good news is that there will only be one reporting system, not many. So, no national portals for reporting vulnerabilities. This will be handled by the SRP.

Best regards,

 

Steffen Zimmermann

Industrial Security @ VDMA

 

 

 

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Juan Rico via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Date: Friday, 13 February 2026 at 17:51
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Juan Rico <juan.rico@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [open-regulatory-compliance] Fwd: CRA updates - SMEs, reporting platform and FOSS attestations

Dear ORC Community,

Find below the email sent to the CRA Network by the European Commission. It includes very useful information for SMEs and the single reporting platform, as well as the link to the survey shared a few days ago by our colleagues of FSFE.

Have a great weekend,
Juan

---------- Forwarded message ---------
From: CNECT-CRA@xxxxxxxxxxxx <CNECT-CRA@xxxxxxxxxxxx>
Date: Fri, 13 Feb 2026 at 17:45
Subject: CRA updates - SMEs, reporting platform and FOSS attestations
To: CNECT-CRA@xxxxxxxxxxxx <CNECT-CRA@xxxxxxxxxxxx>


Dear CRA Network,

 

Please find below some updates that may be of interest in relation to the implementation of the Cyber Resilience Act (CRA).

 

ENISA SME Cyber Resilience Act Survey

A few days ago, ENISA launched a survey for SMEs with the aim to understand the overall level of CRA awareness amongst SMEs, how ready and mature they feel for it, and what kind of support they would find most useful. The results will provide input to ENISA and the Commission on measures to best support SMEs in their CRA implementation efforts. Please participate in the survey where relevant and / or share it with your contacts!

https://ec.europa.eu/eusurvey/runner/CRASMESurvey

 

ENISA CRA SRP

Under the CRA, ENISA is responsible for establishing and operating the CRA Single Reporting Platform. Today, ENISA launched a new webpage with frequently asked questions on reporting obligations and the development of the Single Reporting Platform.

Single Reporting Platform (SRP) | ENISA

 

Survey on voluntary attestations for free and open-source software

The German Federal Office for Information Security (BSI) and the Free Software Foundation Europe (FSFE) have put together a survey to gather input on how voluntary security attestation programmes for open-source software could work under Article 25 of the Cyber Resilience Act. The survey is open until 28 February.

CRA Article 25 — Attestation for Open-Source Software

 

We take the occasion to wish you a pleasant weekend.

 

Best wishes,
CRA Team

