Compliance GuideEffective 11 Sept 2026

CRA Article 14 Compliance: 24h / 72h / Final Report

Article 14 of Regulation (EU) 2024/2847 introduces a three-stage reporting cascade for actively exploited vulnerabilities and significant incidents. From 11 September 2026, every EU manufacturer of a product with digital elements has to be ready to file the 24-hour early warning. This page covers the trigger criteria, the three deadlines, and how to operate the workflow.

The three-stage reporting cascade

All three stages submit to ENISA and the relevant national CSIRT via the Single Reporting Platform. The clock starts when the manufacturer becomes aware of the triggering event.

  1. 24 hours

    Early warning

    Notify ENISA and the relevant national CSIRT via the Single Reporting Platform that an actively exploited vulnerability or a significant incident has been identified. The early warning is brief: indication of the issue, suspected unlawful or malicious nature, and any cross-border impact.

  2. 72 hours

    Detailed report

    Submit a detailed report covering the technical nature of the vulnerability or incident, severity, impact, indicators of compromise where available, and any corrective or mitigating measures taken or planned.

  3. +14 days (exploited vulnerabilities) / +1 month (significant incidents)

    Final report

    Submit a final report describing the vulnerability or incident, its severity, root cause, corrective measures applied, and (for significant incidents) any cross-border impact. The clock starts from the original notification.

Two trigger conditions

Article 14 applies to two distinct categories. The reporting process is the same; the qualifying event differs.

Actively exploited vulnerability

A vulnerability in a product with digital elements that the manufacturer has reasonable evidence is being exploited in the wild. Evidence can come from incident response, threat intelligence, third-party reports, or internal telemetry.

Significant incident

A security incident that has a significant impact on the security of the product or on its users. The CRA references criteria including the number of users affected, the duration of the incident, and the geographical spread.

What goes in each report

24h early warning

Identification of the manufacturer and the affected product, indication of the issue (vulnerability or incident), the suspected unlawful or malicious nature where relevant, and any known cross-border impact. The early warning is deliberately short.

72h detailed report

Technical description of the vulnerability or incident, severity, impact assessment, indicators of compromise where available, the corrective or mitigating measures taken or planned, and an updated cross-border impact assessment.

Final report

Detailed description of the vulnerability or incident, including root cause, severity, applied corrective measures, the timeline of events, and (for significant incidents) any cross-border impact. Submitted within 14 days of the original notification for actively exploited vulnerabilities, or within one month for significant incidents.

Frequently asked

When does CRA Article 14 apply?
Article 14 reporting obligations apply from 11 September 2026. The CRA itself entered into force on 10 December 2024. Manufacturers should have their reporting workflow operational well before September 2026 to avoid scrambling when the first trigger event occurs.
Who has to report under Article 14?
Manufacturers placing products with digital elements on the EU market. This includes hardware with software, standalone software, and remote-data-processing components that are necessary for the product to function. Importers and distributors have downstream obligations but the primary Article 14 reporting duty sits with the manufacturer.
What is the Single Reporting Platform?
A reporting platform operated by ENISA that consolidates incident and vulnerability reports submitted under the CRA. It is the official channel for Article 14 reports. National CSIRTs also receive copies through this platform.
What happens if I miss the 24-hour deadline?
Article 64 of the CRA sets administrative fines up to €15 million or 2.5% of global annual turnover for the most serious infringements. Missed reporting deadlines are explicitly within scope. National market surveillance authorities can also issue stop-orders.
Do I have to report low-severity vulnerabilities?
Only if they meet the trigger criteria: actively exploited (vulnerabilities) or significant (incidents). A low-severity vulnerability with no evidence of exploitation does not trigger Article 14. It still falls within the routine CVD process under Article 13.
How does CVD Portal help with Article 14?
CVD Portal tracks all three deadlines (24h, 72h, final report) with hard timers from the moment a triage event is flagged as Article 14-relevant. The Enterprise tier automates submission to the ENISA Single Reporting Platform; Free and Pro tiers provide a guided manual workflow that pre-fills the report template based on triage data.

Make Article 14 boring before September 2026

CVD Portal tracks the 24h, 72h, and final-report deadlines automatically from the moment a triage event is flagged as Article 14-relevant. Free and Pro provide guided manual workflows. Enterprise automates submission to the ENISA Single Reporting Platform.

Start your free portalArticle 14 timeline tool