Free regulatory intelligence — powered by Certivo
Guidance Update

European Commission updated CRA “Reporting obligations” page with SRP reporting mechanics and timelines (early warning/notifications/final report)

Regulation: EU Cyber Resilience Act (CRA) - Annex I Baseline Requirements
Issuing body: European Commission
Jurisdiction: EU
Announced: Feb 16, 2026

Description

The European Commission updated its CRA “Reporting obligations” policy page (last update shown as 16 February 2026). While not amending Annex I text, the page provides official, practical clarification of CRA reporting mechanics tied to vulnerability handling (closely linked to Annex I baseline/essential requirements around vulnerability handling and lifecycle security). It summarizes expected reporting timelines (e.g., early warning within 24 hours, notification within 72 hours, and final report deadlines) and references the Single Reporting Platform (SRP) framework and related delegated act context for CSIRTs withholding notifications. Compliance teams can use this as an authoritative reference for setting up incident/vulnerability reporting processes aligned with CRA expectations.
