01 What must be reported
Article 14 of the Cyber Resilience Act creates two distinct reporting duties for manufacturers of products with digital elements. They are narrower than they first appear: routine bugs and ordinary patches are not in scope (Art. 14).
- Actively exploited vulnerabilities: a vulnerability in your product that is being used in an attack. A vulnerability you discover and patch before it is exploited is handled through your normal vulnerability-handling process, not this reporting channel.
- Severe incidents: an incident that has a severe impact on the security of the product, for example one that compromises confidentiality, integrity or availability for users.
If a security weakness in your product is actively being exploited, or a security incident has severely affected it, the Article 14 clock starts. Everything else stays within your day-to-day vulnerability handling.
02 The three deadlines
Each report unfolds in three stages, measured from the moment you become aware of the exploited vulnerability or severe incident. The windows are tight, which is why readiness matters more than process on the day (Art. 14(2)–(4)).
- Within 24h: early warning. A first notification that an actively exploited vulnerability or severe incident has occurred, including whether it is suspected to be caused by unlawful or malicious acts.
- Within 72h: vulnerability / incident notification. A fuller account, including an initial assessment, severity and impact, and where available the corrective or mitigating measures taken.
- Within 14 days: final report. Once a corrective measure is available: a description of the vulnerability or incident, its severity and impact, and the remediation applied. For incidents, the deadline runs from when the incident is handled.
03 Who you report to
Reports go to ENISA and to the CSIRT designated as coordinator for the Member State concerned. You do not contact each authority separately: the CRA establishes a single reporting platform, built and operated by ENISA, as the common entry point for all notifications (Art. 14 and 16).
The platform routes each notification to the relevant national CSIRT and, where needed, to other authorities. In narrow cases, for example where disclosure would create a disproportionate cybersecurity risk, the Regulation allows a notification to be limited, but the default is full and prompt reporting through the platform.
The single reporting platform is not yet generally available. ENISA is still building it (development was put out to tender and contracted), and is publishing registration, onboarding and dry-run material in the run-up. It is intended to be operational by the 11 September 2026 start date, with a testing period before then, so there is no live platform to register with today.
04 When it starts
The reporting obligations are the earliest major part of the CRA to take effect. While most provisions apply from 11 December 2027, Article 14 applies from 11 September 2026, 21 months after the Act entered into force. The single reporting platform is intended to be operational by that date (Art. 71).
Unlike CE marking, which you complete once before placing a product on the market, reporting is a live, ongoing duty that begins in September 2026 and can be triggered at any moment thereafter. Being ready is not a one-off project.
The exact format and procedure for notifications may be specified further by Commission implementing acts, and the harmonised standards that underpin vulnerability handling are expected around 30 August 2026. Both are due to land only shortly before the obligation starts. The practical takeaway: build your internal detection-and-reporting process now; do not wait for the final platform mechanics or a published reporting template, because the duty applies from 11 September 2026 regardless.
05 How to be ready
Meeting a 24-hour window is an operational problem, not a paperwork one. The manufacturers who will hit it are the ones who already know what is in their products and watch it continuously.
- Keep an accurate SBOM: you cannot report on a component you did not know you shipped. Maintain a software bill of materials and keep it current as releases change.
- Monitor it continuously: match your components against known-vulnerability sources so an actively exploited flaw surfaces in hours, not weeks.
- Define the process in advance: decide now who decides a report is due, who drafts it and who submits it, so the clock is not spent on internal escalation.
- Track the underlying requirements: the compliance matrix ties reporting to the wider Annex I vulnerability-handling duties it sits within.
The SBOM & vulnerability analyzer covers the first two: it tracks your bill of materials against the NVD and the EU vulnerability database (EUVD), so an actively exploited component is flagged inside the 24-hour window.
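The first two readiness steps above (knowing what you ship, and matching it against an exploited-vulnerability source) and the three-stage clock from section 02 can be exercised end to end in a few dozen lines. The following is an added example written for this page; it is not code from the page, from ENISA, or from the analyzer product mentioned above. The SBOM, the vulnerability feed and the `CVE-0000-*` identifiers are constructed placeholders, and the feed's `actively_exploited` flag is an assumed field: real sources such as the NVD or EUVD have their own schemas, and a production matcher would compare package URLs and version ranges rather than exact version strings.

```python
# Added example (not from the page or any product it mentions): match a software
# bill of materials against a known-exploited-vulnerability feed and compute the
# three Article 14 deadlines from the moment of awareness. The SBOM and the feed
# below are constructed samples; the vulnerability IDs are placeholders.
import json
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM for a fictional product; not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
        {"name": "widgetlib", "version": "4.0.1", "purl": "pkg:generic/widgetlib@4.0.1"},
        {"name": "netparse", "version": "0.9.0", "purl": "pkg:generic/netparse@0.9.0"},
    ],
})

# Constructed feed of known vulnerabilities with an assumed "actively_exploited" flag.
# Real feeds (NVD, EUVD) have their own schemas; the IDs here are placeholders.
SAMPLE_VULN_FEED = [
    {"id": "CVE-0000-00001", "product": "libexample", "affected_versions": ["1.2.3", "1.2.4"],
     "actively_exploited": True},
    {"id": "CVE-0000-00002", "product": "netparse", "affected_versions": ["0.8.0"],
     "actively_exploited": True},    # shipped version 0.9.0 is not affected
    {"id": "CVE-0000-00003", "product": "widgetlib", "affected_versions": ["4.0.1"],
     "actively_exploited": False},   # affected but not exploited: normal handling, no Art. 14 report
]


def parse_sbom(sbom_json):
    """Return the (name, version) pairs the SBOM says were shipped."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_exploited(components, feed):
    """Components matching a vulnerability the feed flags as actively exploited.

    Matching is exact on name and version string; production tooling would
    compare purls and version ranges instead.
    """
    hits = []
    for name, version in components:
        for vuln in feed:
            if (vuln["product"] == name
                    and version in vuln["affected_versions"]
                    and vuln["actively_exploited"]):
                hits.append({"component": f"{name}@{version}", "vuln_id": vuln["id"]})
    return hits


def article14_deadlines(aware_at_iso, corrective_available_at_iso=None):
    """The three windows described on the page, as ISO 8601 timestamps.

    Early warning (24h) and notification (72h) run from awareness. The 14-day
    final report runs from when a corrective measure is available, so it stays
    None until that moment is known.
    """
    aware_at = datetime.fromisoformat(aware_at_iso)
    deadlines = {
        "early_warning": (aware_at + timedelta(hours=24)).isoformat(),
        "notification": (aware_at + timedelta(hours=72)).isoformat(),
        "final_report": None,
    }
    if corrective_available_at_iso is not None:
        fixed_at = datetime.fromisoformat(corrective_available_at_iso)
        deadlines["final_report"] = (fixed_at + timedelta(days=14)).isoformat()
    return deadlines


def reporting_plan(sbom_json, feed, aware_at_iso, corrective_available_at_iso=None):
    """Combine both steps: whether a report is due, for what, and by when."""
    hits = find_exploited(parse_sbom(sbom_json), feed)
    return {
        "report_required": bool(hits),
        "matches": hits,
        "deadlines": (article14_deadlines(aware_at_iso, corrective_available_at_iso)
                      if hits else None),
    }


if __name__ == "__main__":
    # Awareness time is a constructed value just after the obligation starts.
    print(json.dumps(reporting_plan(SAMPLE_SBOM, SAMPLE_VULN_FEED,
                                    "2026-09-12T10:00:00+00:00"), indent=2))
```

Note the design choice in `find_exploited`: a component that is affected but not flagged as actively exploited (the `widgetlib` entry) is deliberately left out of the Article 14 result, mirroring the page's point that such vulnerabilities stay in ordinary vulnerability handling. The `final_report` field is left unset until a corrective measure exists, because that clock does not start at awareness.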
06 Common questions
What must I report under the CRA, and how quickly?
Actively exploited vulnerabilities and severe incidents affecting the security of your product. You must send an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a corrective measure being available (Art. 14).
When do the reporting obligations start?
11 September 2026, 21 months after the Act entered into force, and well ahead of full application on 11 December 2027.
Who do I report to?
ENISA and the national CSIRT designated as coordinator, through the single reporting platform that ENISA establishes under Article 16. It is a single entry point rather than separate filings.
Do I have to report every bug or vulnerability?
No. Only actively exploited vulnerabilities and severe incidents are reportable. Vulnerabilities you find and fix before exploitation are managed through your ordinary vulnerability-handling process.
Is ENISA's single reporting platform available yet?
Not yet. As of mid-2026 it is still being built under Article 16; ENISA is publishing registration and dry-run material in the run-up and the platform is intended to be operational by 11 September 2026, with a testing period before then.
Is there a standard format or template for reporting yet?
Not a final one. The Commission may specify the format and procedure for notifications through implementing acts, and the harmonised standards underpinning vulnerability handling are expected around 30 August 2026. Prepare your internal process now rather than waiting for the published mechanics; the obligation applies from 11 September 2026 regardless.
