
ENISA's Role in CRA Enforcement

ENISA plays a central role in the CRA framework — receiving Article 14 vulnerability reports, maintaining the EUVD, publishing guidance, and coordinating with national authorities. This post explains what ENISA does and how manufacturers interact with it.

CRAReady Team

ENISA's Central Role

The European Union Agency for Cybersecurity (ENISA) sits at the centre of the CRA's operational framework. Unlike market surveillance authorities (which are national), ENISA operates at the EU level, providing a single point of aggregation for vulnerability intelligence across member states.

The European Vulnerability Database (EUVD)

ENISA operates the European Vulnerability Database (EUVD) at euvdb.europa.eu. This is the platform through which manufacturers submit Article 14 incident reports. The EUVD aggregates vulnerability information from multiple sources — national CSIRTs, manufacturers, and CVE repositories — to provide a unified European vulnerability intelligence resource.

Manufacturers should register on the EUVD platform well before September 2026, when Article 14 obligations begin. Do not leave registration until an incident occurs.

Receiving and Processing Article 14 Reports

When a manufacturer submits an Article 14 early warning, ENISA:

  1. Acknowledges receipt and assigns a tracking identifier
  2. Shares the report with the relevant national CSIRT(s)
  3. Aggregates the report into the EUVD
  4. May coordinate disclosure and mitigations with national authorities
  5. Escalates to market surveillance authorities if the manufacturer appears non-compliant with response timelines

ENISA's Guidance Role

Beyond receiving reports, ENISA publishes significant technical guidance to support CRA implementation:

  • Technical specifications for SBOM formats and minimum fields
  • Guidance on CVD policy templates and best practices
  • Threat landscape reports that inform CRA risk assessments
  • Guidance for notified bodies on assessing Class I and II products

ENISA guidance does not have the force of law, but regulators and notified bodies treat it as authoritative. Manufacturers who deviate from ENISA guidance carry the burden of explaining why their alternative approach is equivalent.

Coordination with National CSIRTs

ENISA coordinates the network of national CSIRTs across the EU. When a reported vulnerability affects infrastructure in multiple member states, ENISA coordinates the multi-country response. Manufacturers may find themselves contacted simultaneously by ENISA and their national CSIRT when significant incidents are reported.

ENISA's Role in Harmonised Standard Development

ENISA provides significant input into the development of harmonised European standards for the CRA. Manufacturers applying standards to satisfy CRA requirements should monitor ENISA's published guidance on which standards provide presumption of conformity for which Annex I requirements.
