Article 14 Incident Reporting: What Manufacturers Must Do
Article 14 of the CRA introduces strict timelines for reporting actively exploited vulnerabilities to ENISA: 24 hours for an early warning, 72 hours for a detailed report, and a final report on resolution. Miss these and you face enforcement action.
What Article 14 Requires
Article 14 of the EU Cyber Resilience Act creates legally binding incident reporting obligations for manufacturers. Unlike most other CRA requirements (which apply from December 2027), Article 14 obligations begin on 11 September 2026 — giving manufacturers significantly less time to prepare.
The trigger is specific: Article 14 applies when a manufacturer becomes aware that a vulnerability in their product is being actively exploited in the wild. This is not a general security incident reporting requirement — it specifically targets exploited product vulnerabilities.
The Three-Stage Reporting Timeline
Stage 1: Early Warning (within 24 hours)
Within 24 hours of becoming aware of an actively exploited vulnerability, manufacturers must submit an early warning to ENISA via the European Vulnerability Database (EUVD) at euvdb.europa.eu. The early warning must include:
- The product concerned (name, version)
- A preliminary description of the exploited vulnerability
- Any immediate mitigations already deployed
This is a heads-up notification; detailed analysis is not required at this stage. The 24-hour window is tight, which is why pre-registering on EUVD and preparing response templates in advance are critical.
Stage 2: Detailed Report (within 72 hours)
Within 72 hours of initial awareness, manufacturers must submit a detailed report updating the early warning. This must include:
- CVE identifier (if one has not yet been assigned, obtain one)
- CVSS score and attack vector
- Affected component(s) identified from the SBOM
- Current exploitation status and geographic scope
- Root cause analysis (preliminary)
- Timeline for delivering a fix
Stage 3: Final Report (upon resolution)
Once a security update is available and the vulnerability is remediated, manufacturers must submit a final report. This confirms the root cause, corrective action, update version, distribution method, and any lessons learned.
Parallel Obligations: National CSIRT
In addition to ENISA, manufacturers must also notify the national CSIRT of the member state where they are established. Each EU member state designates a national CSIRT — contact details are available via ENISA's directory.
Who Is Considered "Aware"?
The 24-hour clock starts when the manufacturer "becomes aware" of active exploitation. This includes:
- Internal telemetry showing exploitation attempts
- Researcher or customer reports of in-the-wild exploitation
- Listing on CISA's Known Exploited Vulnerabilities (KEV) catalogue
- National CSIRT or ENISA advisories
- Credible threat intelligence from security vendors or ISACs
Manufacturers cannot claim unawareness if the exploitation was widely reported in public threat intelligence sources that they should reasonably be monitoring.
Building the Internal Process
The 24-hour window leaves no room for ad-hoc incident response. To comply reliably, manufacturers need:
- Monitoring: Automated vulnerability feeds (NVD, OSV, EUVD) cross-referenced against the SBOM
- On-call capability: A defined escalation path with identified decision-makers available outside business hours
- Pre-registration: EUVD accounts registered before an incident occurs
- Templates: Draft report templates for each stage
- Practice: Tabletop exercises run before September 2026
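The monitoring step above, and the "becomes aware" rule from the previous section, can be wired together in a small script. The following is an added example written for this article, not code from the article or from any CRA tooling: it cross-references a CycloneDX-style SBOM against an exploited-vulnerability feed (shaped loosely like a KEV or EUVD record), treats the earlier of the feed's listing date and the manufacturer's own observation as the moment of awareness, and derives the 24-hour and 72-hour deadlines from it. The product name, component list, CVE identifiers and timestamps are all constructed placeholders; a real deployment would load its own SBOM and pull live NVD, OSV or EUVD feeds.

```python
"""Cross-reference an SBOM against an exploited-vulnerability feed and
compute Article 14 reporting deadlines from the moment of awareness.

Added example for this article. SBOM, feed entries, CVE ids, product name
and timestamps are constructed placeholders, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM fragment for a hypothetical product.
SBOM = {
    "metadata": {"component": {"name": "example-gateway", "version": "2.3.1"}},
    "components": [
        {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"name": "openssl", "version": "3.0.9", "purl": "pkg:generic/openssl@3.0.9"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    ],
}

# Constructed feed entries, loosely shaped like KEV/EUVD records.
# The CVE ids below are placeholders, not real identifiers.
EXPLOITED_FEED = [
    {"cve": "CVE-0000-00001", "package": "libfoo",
     "introduced": "1.4.0", "fixed": "1.4.3",
     "date_added": "2026-09-12T09:30:00Z"},
    {"cve": "CVE-0000-00002", "package": "openssl",
     "introduced": "3.1.0", "fixed": "3.1.5",
     "date_added": "2026-09-10T00:00:00Z"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed), the convention OSV uses."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Article14Clock:
    """Reporting deadlines for one exploited component, anchored on awareness."""
    cve: str
    component: str
    version: str
    aware_at: datetime

    @property
    def early_warning_due(self) -> datetime:
        return self.aware_at + timedelta(hours=24)

    @property
    def detailed_report_due(self) -> datetime:
        return self.aware_at + timedelta(hours=72)


def find_exploited_components(sbom: dict, feed: list[dict]) -> list[tuple[dict, dict]]:
    """Return (component, feed_entry) pairs whose SBOM version is in the affected range."""
    hits = []
    for comp in sbom["components"]:
        for entry in feed:
            if comp["name"] == entry["package"] and is_affected(
                comp["version"], entry["introduced"], entry["fixed"]
            ):
                hits.append((comp, entry))
    return hits


def start_clocks(sbom: dict, feed: list[dict], observed_at: datetime) -> list[Article14Clock]:
    """Assumption: awareness is the earlier of the public feed listing and our own
    observation, since a widely published listing is something the manufacturer
    should reasonably have been monitoring."""
    clocks = []
    for comp, entry in find_exploited_components(sbom, feed):
        aware_at = min(parse_ts(entry["date_added"]), observed_at)
        clocks.append(Article14Clock(entry["cve"], comp["name"], comp["version"], aware_at))
    return clocks


def report_status(clock: Article14Clock, now: datetime) -> dict[str, tuple[datetime, bool]]:
    """Map each stage to (deadline, overdue) as of `now`."""
    return {
        "early_warning": (clock.early_warning_due, now > clock.early_warning_due),
        "detailed_report": (clock.detailed_report_due, now > clock.detailed_report_due),
    }


if __name__ == "__main__":
    now = parse_ts("2026-09-13T12:00:00Z")
    for clock in start_clocks(SBOM, EXPLOITED_FEED, now):
        print(f"{clock.cve} in {clock.component} {clock.version}, aware at {clock.aware_at}")
        for stage, (due, overdue) in report_status(clock, now).items():
            print(f"  {stage}: due {due}{'  ** OVERDUE **' if overdue else ''}")
```

Run stand-alone, the script flags libfoo 1.4.2 (inside the constructed range) and ignores openssl 3.0.9 (below the range). Because the feed listed the issue on 12 September and the manufacturer only noticed on 13 September at 12:00, the 24-hour early warning is already overdue when the match is found, which is exactly the situation automated SBOM cross-referencing is meant to prevent.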
Consequences of Missing Deadlines
Failure to submit the early warning within 24 hours can attract enforcement action from national market surveillance authorities. This may include formal investigations, fines, and — in serious cases — product recalls. Article 14 non-compliance is treated as a significant violation under the CRA's enforcement framework.