Meroi Security is proud to share that our founder and CEO, Julian Meroi, hosted a CRA-focused webinar with Lucent Sky – Zerone on a topic that many product teams are now urgently preparing for: CRA reporting obligations.
The session, “200 days to CRA Reporting Obligations: What to report, when and where”, clarified what is actually reportable under the CRA, when the reporting clock starts, and how to build a “24-hour-ready” capability well before the reporting obligations go live.
Watch the full webinar:
CRA Reporting Obligations Webinar on Youtube HERE
CRA Reporting Obligations Webinar on Zerone website: HERE
Below you find a summary of the topics discussed.

From Reporting Burden to Competitive Advantage
During the session, Julian explained how CRA reporting readiness is not “admin work” — it is an operational capability that directly impacts EU market access and customer trust:
Reduce EU Buyer Friction
Procurement and security teams increasingly ask “how fast can you detect, triage, and communicate?” A credible reporting process shortens security questionnaires and approval cycles.
Protect Market Access
CRA reporting obligations start earlier than the full CRA timeline. Being ready before September 2026 prevents last-minute chaos and avoids missed deadlines.
Limit Incident Cost and Brand Damage
A tested workflow enables faster containment, clearer customer guidance, and less disruption when an exploited vulnerability or severe incident occurs.
Turn Transparency into Trust
Clear advisories, affected-version identification, and evidence-backed notifications signal maturity to EU customers and regulators.
Julian also shared five key insights for success:
- Mandatory reporting is limited — it is not “all vulnerabilities.” Focus on what is truly in scope (actively exploited vulnerabilities and severe incidents).
- Define an internal “awareness trigger” so the reporting clock starts consistently and defensibly.
- Prepare templates for the 24h / 72h / final reporting phases before you need them.
- Build a workflow to identify affected versions quickly and publish mitigations and user actions.
- Run a tabletop dry-run so your 24-hour capability works under pressure.
CRA Reporting Obligations: What to Report, When, and Where
This webinar focused on the practical rules that product teams must operationalise under CRA reporting obligations:
What is covered
Mandatory reporting is limited to:
- Actively exploited vulnerabilities in your product (with credible evidence of exploitation)
- Severe incidents impacting product security (e.g., compromise of your update/release channel enabling malicious code execution)
Who the reporting obligations apply to
The primary duty holder is the manufacturer. You may also be in scope as “manufacturer” if you sell under your own brand (rebranding) or make a substantial modification and re-release. Special cases include limited scope for open-source software stewards, and micro/small enterprises are exempt from administrative fines specifically for missing the 24h early-warning deadline.
When the clock starts
The countdown starts when you become aware. The webinar recommended defining “awareness” internally as a credible, triaged signal — and keeping evidence, especially for “actively exploited” determinations.
What to submit and when (the 3-phase model)
- ≤24h: Early warning
- ≤72h: Notification (vulnerability notification or incident notification, depending on the trigger)
- Final report: timing depends on trigger (e.g., within 14 days after fix/mitigation is available for actively exploited vulnerabilities; within 1 month after the 72h notification for severe incidents)
Where you must report
Reports are submitted via the ENISA Single Reporting Platform (SRP). The notification is sent to the CSIRT coordinator and ENISA, and CSIRTs disseminate to other Member States (with limited exceptions, e.g., coordinated disclosure scenarios).
Webinar Recap: 200 Days to CRA Reporting Obligations
In partnership with Zerone and Lucent Sky, this session provided a pragmatic checklist for what must be in place before September 2026, with a focus on speed, evidence, and repeatability.
What you need in place by Sep 2026 (“24h-ready” capability)
- PSIRT triage + a clear awareness trigger
- Reporting templates (24h / 72h / final)
- Affected-version identification + mitigation workflow
- User notification channel + advisory format
- Dry-run tabletop exercise
How automation and security tooling can help
- Evaluate and remediate exploited vulnerabilities faster, with remediation guidance tailored to application context
- Monitor and update vulnerable third-party components, including dependency analysis to determine exploitability in your product
- Produce reporting-ready evidence (affected versions, mitigations, and required user actions)
How Meroi Security Can Help
Meroi Security offers comprehensive CRA readiness support for manufacturers and technology companies:
EU Representative Office
Act as your official EU point of contact for CRA, NIS2, GDPR and other regulations.
CRA Readiness Program
From scoping and gap analysis to reporting playbooks, internal triggers, evidence templates, and technical file alignment.
Reporting Obligations Implementation
Set up PSIRT workflows, run tabletop exercises, implement affected-version identification and advisory formats, and ensure your 24h/72h/final reporting process is operational.
Technical Implementation
Deploy CI/CD scanning, vulnerability management, post-market monitoring, and incident response systems to support fast detection and evidence production.
Training and Capacity Building
Equip your engineers, product managers, procurement, and compliance teams with the skills to maintain ongoing compliance.
With our support, you can simplify compliance, accelerate time to market, and convert regulatory obligations into a growth engine.
Book Your Free Consultation
Take the first step toward CRA reporting readiness today.
Book your free 30 minutes consultation and start building your EU market advantage with Meroi Security.





