The Sept. 11 SRP Deadline Auto Makers Cannot Ignore

Automotive OEMs face September 11, 2026 deadline to integrate with ENISA's Single Reporting Platform or risk losing EU market access.

18 Jun 2026

European automakers are running out of time. ENISA's Single Reporting Platform requirement takes effect September 11, 2026, giving OEMs and their suppliers fewer than 13 weeks to reach full compliance. Missing it triggers loss of EU market access and exposes executives to personal legal liability. For an industry used to decade-long product cycles, that kind of deadline concentrates minds quickly.

Central to the mandate is a synchronized 24-hour incident reporting obligation spanning three interlocking frameworks: the Cyber Resilience Act, NIS2, and CSA2. Each demands simultaneous disclosure coordination, requiring technical and organizational infrastructure most manufacturers have not yet built. Automotive cybersecurity consultancy PlaxidityX puts it plainly: the countdown is measured in weeks, not years, and preparation must start now to avoid penalties and supply chain disruption that could prove difficult to reverse.

Supply chain exposure sharpens the risk. Tier-1 and Tier-2 suppliers feeding into EU-market vehicles must also align with SRP protocols, meaning one non-compliant partner can compromise an entire vehicle program's market eligibility. Regulators built that interdependency deliberately, spreading cybersecurity accountability across the production chain rather than placing it on a single brand.

Crucially, the obligation reaches well beyond Europe's borders. Any OEM selling into European markets must demonstrate SRP integration regardless of where engineering or manufacturing operations sit, pulling global supply chains into scope. Personal liability provisions for executives close off the option of treating non-compliance as a manageable corporate risk. That calculation no longer holds.

Organizations that move now stand to gain a structural advantage that slower competitors will struggle to close. Waiting carries a specific cost: regulatory action triggered by non-compliance could freeze market access precisely when revenue pressure is highest. This is no longer a roadmap item to revisit next quarter.