Article 11

Reporting Obligations for Manufacturers — Notifying Authorities

Article 11 complements Article 14 by specifying reporting obligations to market surveillance authorities (MSAs) in addition to ENISA. It also addresses how reports are shared between national authorities and what information manufacturers must provide to users affected by security incidents.

Effective: September 2026

Applies to: All manufacturers of products with digital elements sold in the EU market

Article 11 vs Article 14: What Is the Difference?

Articles 11 and 14 both deal with reporting, but to different recipients:

  • Article 14: Report actively exploited vulnerabilities and severe incidents to ENISA (via your national CSIRT) within 24h/72h/14d timelines.
  • Article 11: Additional obligations to notify market surveillance authorities (MSAs) and users of your products about incidents and their impact.

In practice, most critical incidents will trigger both Article 14 (ENISA reporting) and Article 11 (user notification and MSA cooperation) obligations simultaneously.

CRA reference: Article 11, Article 14

User Notification Requirements

Article 11 requires manufacturers to notify users of their products when a security incident or actively exploited vulnerability may affect them. This notification must:

  • Be provided without undue delay after the manufacturer becomes aware of the incident
  • Include information about the nature of the impact
  • Explain what users can do to protect themselves (mitigations, workarounds)
  • Describe when a security update will be available

For consumer products, this typically means a public security advisory on your website. For enterprise products, this may require direct notification to customers via email, support portal, or account managers.

CRA reference: Article 11(3)

Cooperation with Market Surveillance Authorities

Article 11 establishes manufacturers' obligations to cooperate with national market surveillance authorities (MSAs). MSAs have broad investigative powers under the CRA, including the right to:

  • Request technical documentation and conformity assessment records
  • Conduct product testing
  • Require manufacturers to take corrective action
  • Order product recalls or market withdrawals

Manufacturers must maintain records in a format that can be quickly provided to MSAs, and must designate a contact point for regulatory communications.

CRA reference: Article 11(1)–(2)

Frequently asked

Who are the market surveillance authorities for CRA in my country?

EU member states must designate national market surveillance authorities (MSAs) for the CRA. These are typically existing national standards or cybersecurity bodies, such as BSI (Germany), ANSSI (France), NCSC (Netherlands), or BEIS/DSIT (UK, though now outside EU scope). Check your national authority's website for CRA-specific guidance.

Do I need to notify users of every vulnerability fixed in a security update?

Article 11 requires notification when a vulnerability or incident 'may have an impact on' users. Minor security fixes that don't affect user data or product availability can typically be released without individual user notification, though a public changelog entry is good practice. Significant vulnerabilities affecting user security require proactive notification.
