ENISA — European Union Agency for Cybersecurity
ENISA (European Union Agency for Cybersecurity) is the EU’s central body for cybersecurity expertise and coordination. Under the Cyber Resilience Act, ENISA becomes the mandatory reporting point for vulnerabilities in connected products — manufacturers must notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability.
Key Facts
| Detail | Information |
|---|---|
| Full name | European Union Agency for Cybersecurity |
| Former name | European Network and Information Security Agency (until 2019) |
| Established | 2004 |
| Permanent mandate | EU Cybersecurity Act (Regulation 2019/881) |
| Headquarters | Athens, Greece (operational centre in Heraklion, Crete) |
| Budget (2024) | ~€25 million |
| Staff | ~100 experts |
| Key role under CRA | Central vulnerability reporting platform (CSIRT coordination) |
ENISA’s Role in the CRA Ecosystem
1. Vulnerability Reporting Hub
Under the CRA, ENISA operates the single reporting platform for the EU:
| Trigger | Reporting Deadline | Information Required |
|---|---|---|
| Actively exploited vulnerability discovered | 24 hours — early warning to ENISA | Product affected, vulnerability nature, severity, exploitation status |
| Follow-up notification | 72 hours | Detailed technical assessment, corrective measures planned |
| Final report | 14 days | Root cause, full remediation, affected product versions, patch status |
Critical for manufacturers: if your product is deployed across the EU and a CVE is published for one of your SBOM components, you must notify ENISA within 24 hours once there is evidence of active exploitation. The clock starts when you become aware of the exploitation, not when the CVE is published, so any detection latency eats directly into the deadline. This requires automated vulnerability monitoring; manual tracking is insufficient at scale.
2. EU Cybersecurity Certification
ENISA develops EU-wide certification schemes under the Cybersecurity Act:
| Scheme | Status | Scope |
|---|---|---|
| EUCC (EU Common Criteria) | Adopted | ICT products evaluated under Common Criteria |
| EUCS (EU Cloud Services) | In development | Cloud service providers |
| EU5G (5G Security) | In development | 5G network equipment and components |
| CRA certification | Expected | Critical product categories under CRA |
3. Coordination & Advisory
| Function | Description |
|---|---|
| CSIRTs Network | Coordinates national Computer Security Incident Response Teams |
| EU-CyCLONe | Cyber crisis management for large-scale incidents |
| Threat landscape | Annual “ENISA Threat Landscape” report — the EU’s primary threat intelligence publication |
| Guidance | Publishes implementation guidelines for NIS2, CRA, and cybersecurity standards |
| Training | ENISA Academy — cybersecurity training for professionals and policymakers |
ENISA and the NIS2 Directive
While CRA covers product vulnerability reporting to ENISA, NIS2 covers organizational incident reporting:
| Aspect | CRA → ENISA | NIS2 → CSIRT |
|---|---|---|
| Who reports | Product manufacturers | Essential/important entities |
| What is reported | Product vulnerabilities | Cybersecurity incidents affecting the organization |
| Deadline | 24 hours (early warning) | 24 hours (initial notification) |
| What happens next | ENISA coordinates EU-wide response | National CSIRT coordinates local response |
Overlap: a product vulnerability that causes an organizational incident triggers both reporting obligations.
Impact on Hardware Manufacturers
For companies building connected hardware products for the EU market:
- Set up ENISA reporting process — Establish internal procedures for 24/72h/14d vulnerability reporting.
- Automate vulnerability monitoring — Use SBOM monitoring to match your components against the CVE database continuously.
- Designate a PSIRT — A Product Security Incident Response Team is the manufacturer’s interface with ENISA.
- Test the process — Conduct tabletop exercises simulating a vulnerability disclosure to validate response time.
This is exactly what our SBOM Monitoring Service automates — continuous CVE matching against your product’s SBOM with pre-formatted ENISA reports ready for submission.
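The monitoring loop the list above describes, as an added example that is not the page's or the service's own code: it matches a constructed SBOM against a constructed vulnerability feed (placeholder CVE ids and hypothetical component names) and derives the 24h/72h/14d ENISA deadlines from the awareness timestamp.

```python
from datetime import datetime, timedelta, timezone
# Constructed CycloneDX-style component list for a hypothetical device (not a real product).
SBOM = [
    {"name": "libexample-tls", "version": "1.2.3"},
    {"name": "rtos-kernel", "version": "4.0.1"},
    {"name": "ota-agent", "version": "0.9.0"},
]

# Constructed feed; ids are placeholders, not real CVE records. A component is
# affected when the name matches and its version is below fixed_in.
VULN_FEED = [
    {"id": "CVE-0000-00001", "name": "libexample-tls", "fixed_in": "1.2.4", "exploited": True},
    {"id": "CVE-0000-00002", "name": "rtos-kernel", "fixed_in": "4.0.0", "exploited": True},
    {"id": "CVE-0000-00003", "name": "ota-agent", "fixed_in": "1.0.0", "exploited": False},
]

# The three CRA stages from this page, counted from the moment of awareness.
DEADLINES = {"early_warning": timedelta(hours=24), "follow_up": timedelta(hours=72),
             "final_report": timedelta(days=14)}

def version_tuple(v):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def match_sbom(sbom, feed):
    """Return feed entries that affect an SBOM component, tagged with the component."""
    hits = []
    for comp in sbom:
        for vuln in feed:
            if (vuln["name"] == comp["name"]
                    and version_tuple(comp["version"]) < version_tuple(vuln["fixed_in"])):
                hits.append({**vuln, "component": f"{comp['name']}@{comp['version']}"})
    return hits

def reporting_schedule(aware_at, hits):
    """CRA clocks start only for actively exploited hits; the rest are tracked for
    patching but produce no ENISA notification in this model."""
    return {h["id"]: {stage: aware_at + delta for stage, delta in DEADLINES.items()}
            for h in hits if h["exploited"]}

def overdue(schedule, now):
    """(cve, stage) pairs whose deadline has already passed at `now`."""
    return [(cve, stage) for cve, stages in schedule.items()
            for stage, due in stages.items() if now > due]

if __name__ == "__main__":
    aware = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    sched = reporting_schedule(aware, match_sbom(SBOM, VULN_FEED))
    print(sched, overdue(sched, aware + timedelta(hours=30)))
```

Real feeds express affected versions as ranges per CVE, so the single `fixed_in` bound here stands in for that range logic.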
Related Terms
- CRA — The regulation mandating 24-hour vulnerability reporting to ENISA.
- NIS2 — The directive mandating organizational incident reporting, coordinated through ENISA’s CSIRT network.
- CVE — The vulnerability identifiers that trigger ENISA reporting obligations.
- SBOM — The component inventory used to match products against known vulnerabilities for ENISA reporting.