
CRA Article 14: How to Handle Vulnerability Disclosure and Incident Reporting

Article 14 requires manufacturers to notify ENISA within 24 hours when a product vulnerability is actively exploited. Here is exactly what that process looks like.

CRAReady Team

What Article 14 Requires

Article 14 of the EU Cyber Resilience Act creates legally binding incident reporting obligations for manufacturers beginning on 11 September 2026 -- well before the full December 2027 compliance deadline.

The trigger is specific: Article 14 applies when a manufacturer becomes aware that a vulnerability in their product is being actively exploited in the wild. This is not a general incident reporting requirement -- it targets exploited product vulnerabilities.

The Three-Stage Reporting Timeline

Stage 1 -- Early Warning (within 24 hours): Submit an early warning to ENISA via the European Vulnerability Database (EUVD) at euvdb.europa.eu. Include the product name and affected version(s), a preliminary description of the exploited vulnerability, and any immediate mitigations deployed.

Stage 2 -- Detailed Report (within 72 hours): Submit a detailed report including the CVE identifier, CVSS score and attack vector, affected components from the SBOM, current exploitation status, preliminary root cause analysis, and timeline for delivering a fix.

Stage 3 -- Final Report (upon resolution): Confirm the root cause, corrective action taken, update version and distribution method, and lessons learned.

Parallel National CSIRT Notification

In addition to ENISA, manufacturers must notify the national CSIRT of the member state where they are established. Contact details for all EU national CSIRTs are listed in ENISA's directory.

Who Is Considered Aware?

The 24-hour clock starts when the manufacturer becomes aware of active exploitation, including internal telemetry, researcher or customer reports, listing on CISA's Known Exploited Vulnerabilities catalogue, national CSIRT or ENISA advisories, and credible threat intelligence from security vendors.

Building Your Process

Manufacturers need automated vulnerability monitoring cross-referenced against the SBOM, a defined escalation path reachable outside business hours, pre-registered EUVD accounts, draft report templates for all three stages, and at least one tabletop exercise run before September 2026.
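As an added illustration (not code from the original post or from CRAReady) of the two points above, cross-referencing an exploited-vulnerability feed against the SBOM and treating the moment of awareness as the start of the 24-hour and 72-hour clocks, the script below matches a constructed SBOM against a constructed feed and derives the Stage 1 and Stage 2 deadlines. The SBOM shape, the feed layout (loosely modelled on a KEV-style JSON list, with an `affectedVersions` field that is an assumption) and all CVE identifiers are placeholders.

```python
"""Match an SBOM against an exploited-vulnerability feed and derive the
CRA Article 14 early-warning (24h) and detailed-report (72h) deadlines."""
from datetime import datetime, timedelta, timezone

# Constructed sample SBOM (CycloneDX-style component list, trimmed to the fields used).
SBOM = {
    "product": "ExampleGateway 2.3.1",  # placeholder product name
    "components": [
        {"name": "libparse", "version": "1.4.0"},
        {"name": "netcore", "version": "3.2.1"},
        {"name": "logfmt", "version": "0.9.2"},
    ],
}

# Constructed feed, loosely modelled on a KEV-style JSON list. The
# "affectedVersions" field and every CVE id here are placeholders.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "product": "libparse", "affectedVersions": ["1.4.0", "1.4.1"]},
        {"cveID": "CVE-0000-0002", "product": "othercomponent", "affectedVersions": ["2.0.0"]},
    ]
}

EARLY_WARNING = timedelta(hours=24)    # Stage 1 deadline after awareness
DETAILED_REPORT = timedelta(hours=72)  # Stage 2 deadline after awareness
AWARE_AT = datetime(2026, 9, 14, 9, 30, tzinfo=timezone.utc)  # constructed awareness time

def match_exploited(sbom, feed):
    """Return SBOM components whose exact (name, version) appears in the feed."""
    index = {}
    for entry in feed["vulnerabilities"]:
        for ver in entry["affectedVersions"]:
            index.setdefault((entry["product"], ver), []).append(entry["cveID"])
    hits = []
    for comp in sbom["components"]:
        for cve in index.get((comp["name"], comp["version"]), []):
            hits.append({"component": comp["name"], "version": comp["version"], "cve": cve})
    return hits

def article14_deadlines(aware_at):
    """Clocks start at awareness, not at triage; reject naive timestamps so the
    deadline cannot silently drift with local time."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness timestamp must be timezone-aware")
    return {"early_warning": aware_at + EARLY_WARNING,
            "detailed_report": aware_at + DETAILED_REPORT}

if __name__ == "__main__":
    for hit in match_exploited(SBOM, KEV_FEED):
        print(hit, article14_deadlines(AWARE_AT))
```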
