European Commission updates CRA reporting obligations page with operational incident/vulnerability reporting timelines and references delegated act on CSIRT dissemination delays

The European Commission updated its official CRA “Reporting obligations” page (last update shown: 16 February 2026). The update provides operational details that compliance teams can use to implement vulnerability-handling and reporting processes linked to CRA Annex I Part II (vulnerability handling), including: (1) reporting applicability date for actively exploited vulnerabilities and severe incidents (stated as applying as of 11 September 2026); (2) expected notification sequencing/timelines (early warning within 24 hours; full notification within 72 hours); and (3) final report timing (≤14 days after corrective measure is available for actively exploited vulnerabilities; within a month for severe incidents). The page also points to an EU delegated act adopted on 11 December 2025 related to circumstances under which CSIRTs may delay dissemination, which is relevant for organizations designing reporting workflows via the Single Reporting Platform ecosystem. This is not an Annex I text amendment, but an authoritative Commission implementation/guidance update affecting how Annex I-linked processes are operationalized.