NEW: CRA vulnerability reporting begins 11 September 2026. Is your product ready? Check now →

News · By Chris · 18 Jun 2026 · 3 min read

CRA update, June 2026: Notified Bodies, ENISA rules, SRP onboarding

The EU Cyber Resilience Act moved on three fronts in June 2026: Notified Body designation opened, ENISA published competence requirements, and SRP onboarding went live ahead of the 11 September reporting deadline.

The EU Cyber Resilience Act’s operational machinery moved in three concrete ways between mid-May and mid-June 2026. If you are a manufacturer preparing for conformity assessment or the September reporting deadline, here is what changed and what to do about it this week.

1. Notified Body designation began on 11 June 2026

Chapter IV of the CRA entered into application a week ago. Member States have now had to designate their notifying authorities and publish the procedures for assessing, designating and notifying Conformity Assessment Bodies. The designation pipeline is officially open.

The reality check: as of mid-June, no CRA Notified Bodies have actually been designated yet, and no harmonised standards have been published in the Official Journal. The deadline by which Member States are expected to ensure a sufficient number of Notified Bodies is 11 December 2026, six months from now. Manufacturers planning the Class I (no-harmonised-standard route), Class II or Critical path should treat Notified Body capacity as the binding constraint of the rest of 2026.

2. ENISA’s competence requirements for CRA Notified Bodies are out

ENISA has published the technical competence requirements that Notified Bodies must meet before they can be assessed, designated, notified and monitored by Member States. This is the operational document that conformity-assessment bodies are now working against to prepare their applications, and the reference clients should request from any Notified Body they engage.

3. ENISA SRP onboarding is live this month

ENISA has begun rolling out access and registration instructions, training materials and dry-run support for the Single Reporting Platform (SRP) throughout June 2026. The platform itself goes live on 11 September 2026, under 90 days from today. Manufacturers without an identified main-establishment CSIRT, an SRP authority contact and a tested reporting runbook are running out of preparation time.

What to do this week

  • Re-confirm your Notified Body engagement targets and submit pre-engagement letters before Q3 ends.
  • Pull ENISA’s competence requirements document and use it to qualify candidate Notified Bodies.
  • Walk through ENISA’s June 2026 SRP onboarding materials and start the registration process now, rather than in September.

For the wider compliance picture, see our CRA compliance guide and the SBOM tutorial. For how the CRA sits alongside the EU’s other cybersecurity laws, read EU CRA vs DORA vs NIS2.

Sources

Free Compliance Assessment

Is Your Product CRA Ready?

Get a free personalised CRA compliance briefing for your specific product type, delivered to your inbox. No spam, no sales calls.

  • Understand your exact product category (default, Class I, or Class II)
  • Get a checklist of your specific obligations and deadlines
  • Receive guidance on SBOM, vulnerability management, and reporting
  • Early access to our CRA Compliance Manager tool (launching 2026)
  • Weekly CRA news digest: ENISA updates, regulatory guidance

Get Your Free CRA Brief

Takes 60 seconds · Completely free

🔒 No spam. Unsubscribe anytime. See our privacy policy.