Article 14

Active Exploitation and Incident Reporting — 24h, 72h, and 14-Day Obligations

Article 14 introduces the most time-sensitive obligations in the Cyber Resilience Act. When a manufacturer becomes aware that a vulnerability in their product is being actively exploited, or when a severe security incident occurs, they must notify ENISA within strict deadlines — 24 hours for an early warning, 72 hours for a full notification, and 14 days for a final report.

Effective: September 2026
Applies to: All manufacturers of products with digital elements sold in the EU market

The Three-Stage Reporting Timeline

Article 14 establishes a three-stage notification process triggered by active exploitation of a vulnerability or a severe security incident:

Stage | Deadline | What to Report
Early Warning | 24 hours | Notification that exploitation is occurring; basic product and vulnerability information
Vulnerability Notification | 72 hours | Full notification including CVSS score, affected versions, initial mitigations
Final Report | 14 days | Complete analysis, root cause, patch or workaround, supply chain impact

All three deadlines are calculated from the moment the manufacturer becomes aware of the active exploitation or incident — not from when exploitation began.

CRA reference: Article 14(1)–(3)

What Triggers Article 14 Reporting

Two conditions trigger Article 14 notification:

  1. Active exploitation — A vulnerability in your product is being actively exploited in the wild. This means there is evidence of real-world attacks using the vulnerability, not just proof-of-concept code.
  2. Severe security incident — A security incident that has (or may have) a significant impact on the security of users of your product, or a significant impact on the internal operations of your organisation.

Not triggered by: Theoretical vulnerabilities, vulnerabilities with no known exploitation, low-severity bugs, or normal vulnerability reports received through your CVD programme that are not actively exploited.

CRA reference: Article 14(1)

Where to Submit — ENISA's Reporting Mechanism

Notifications must be submitted to the competent national authority (typically your national CSIRT or market surveillance authority), which will relay reports to ENISA. Each EU member state will designate a point of contact.

ENISA is establishing a Single Reporting Platform for Article 14 notifications. Until this is operational, manufacturers should contact their national CSIRT directly.

  • Germany: BSI (Federal Office for Information Security)
  • France: ANSSI
  • Netherlands: NCSC-NL
  • Sweden: NCSC-SE
  • Spain: CCN-CERT / INCIBE-CERT

CVD Portal can draft Article 14 notifications in the required format and alert you when deadlines are approaching.

CRA reference: Article 14(1), Article 14(7)

The 24-Hour Early Warning

The 24-hour early warning is not a full technical report — it is a rapid notification that exploitation is occurring. ENISA uses this signal to coordinate cross-border incident response before the full picture is known. The early warning should contain:

  • Product name and affected version(s)
  • Nature of the vulnerability or incident (brief description)
  • Indication that active exploitation is occurring
  • Geographic scope if known
  • Initial mitigation actions taken (if any)

You do not need to have a root cause analysis or patch ready at this stage. Speed of notification is the priority.

CRA reference: Article 14(2)(a)

The 72-Hour Full Notification

Within 72 hours of becoming aware of active exploitation, you must submit a full vulnerability notification. This expands on the early warning with:

  • CVSS 3.1 (or 4.0) score and vector string
  • CVE identifier (or a request for one if not yet assigned)
  • Affected products, versions, and configurations
  • Description of the impact on confidentiality, integrity, and availability
  • Known attack vectors and exploitation techniques
  • Mitigations available (patches, workarounds, configuration changes)
  • Supply chain impact assessment (are other products affected?)

Seventy-two hours is a very tight window for a complete analysis, so your incident response process must be able to move very quickly once active exploitation is confirmed.

CRA reference: Article 14(2)(b)

The 14-Day Final Report

The 14-day final report provides ENISA with a complete post-incident analysis. It must include:

  • Root cause analysis
  • Complete remediation details (patch release, advisory publication)
  • CSAF advisory (if applicable)
  • Supply chain coordination actions taken
  • Steps taken to prevent recurrence
  • Lessons learned

If the incident is still ongoing at 14 days, you should submit a progress report explaining what is known and what remains under investigation.

CRA reference: Article 14(2)(c)
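The three stages above (the timeline table and the per-stage contents of the 24-hour, 72-hour and 14-day sections) are easy to mishandle in practice: the clock starts at awareness, not at first exploitation, and each stage carries its own required content. The following is an added example, not CVD Portal's code or anything from the regulation text; it computes the three deadlines from a timezone-aware awareness timestamp, reports each stage as on time, late, pending or overdue, and checks that a stage's payload carries the fields this page lists for it. The field names (`product`, `cvss_vector`, `supply_chain_impact`, and so on) are assumptions chosen for illustration, and the CVSS check only validates the base-metric vector format, not the score.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Added example (not CVD Portal's code): Article 14 stage deadlines counted
# from the awareness timestamp, plus per-stage required-field checks.
# Field names below are assumptions made for this example.

# Stage name -> (deadline after awareness, fields the page lists for that stage)
STAGES = {
    "early_warning": (
        timedelta(hours=24),
        ("product", "versions", "summary", "active_exploitation"),
    ),
    "vulnerability_notification": (
        timedelta(hours=72),
        ("product", "versions", "cvss_vector", "impact", "mitigations",
         "supply_chain_impact"),
    ),
    "final_report": (
        timedelta(days=14),
        ("root_cause", "remediation", "recurrence_prevention"),
    ),
}

# CVSS 3.1 and 4.0 base-metric vector strings; optional metrics may follow the base.
_CVSS_RE = re.compile(
    r"^(CVSS:3\.1/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]"
    r"|CVSS:4\.0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]"
    r"/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN])(/|$)"
)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a UTC timestamp (convenience for constructing scenarios)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _as_utc(ts: datetime) -> datetime:
    """Reject naive timestamps: hour-based deadlines are ambiguous without a zone."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def deadlines(aware_at: datetime) -> Dict[str, datetime]:
    """All three deadlines, counted from when the manufacturer became aware."""
    start = _as_utc(aware_at)
    return {name: start + delta for name, (delta, _) in STAGES.items()}


def missing_fields(stage: str, payload: dict) -> List[str]:
    """Fields required for this stage that are absent or empty in the payload."""
    _, required = STAGES[stage]
    missing = [f for f in required if not payload.get(f)]
    vector = payload.get("cvss_vector")
    if stage == "vulnerability_notification" and vector and not _CVSS_RE.match(vector):
        missing.append("cvss_vector (not a valid CVSS 3.1/4.0 base vector)")
    return missing


def stage_status(stage: str, aware_at: datetime, now: datetime,
                 submitted_at: Optional[datetime] = None) -> str:
    """One of: submitted_on_time, submitted_late, 'due in Nh', overdue."""
    due = deadlines(aware_at)[stage]
    if submitted_at is not None:
        return "submitted_on_time" if _as_utc(submitted_at) <= due else "submitted_late"
    remaining = due - _as_utc(now)
    if remaining <= timedelta(0):
        return "overdue"
    return f"due in {int(remaining.total_seconds() // 3600)}h"


def case_status(aware_at: datetime, now: datetime,
                submissions: Dict[str, datetime]) -> Dict[str, str]:
    """Status of every stage of one Article 14 case as seen at time `now`."""
    return {s: stage_status(s, aware_at, now, submissions.get(s)) for s in STAGES}


if __name__ == "__main__":
    # Constructed scenario: exploitation may have started days earlier, but the
    # clock starts when the manufacturer became aware (2026-10-01 09:00 UTC).
    aware = utc(2026, 10, 1, 9)
    subs = {"early_warning": utc(2026, 10, 1, 20)}      # 11h after awareness
    now = utc(2026, 10, 4, 12)                          # 75h after awareness
    print(case_status(aware, now, subs))
    notification = {"product": "ExampleGateway", "versions": ["2.1.0", "2.1.1"],
                    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "impact": "remote code execution", "mitigations": "upgrade to 2.1.2"}
    print(missing_fields("vulnerability_notification", notification))
```

In the constructed scenario the early warning is on time, the 72-hour notification is already overdue at hour 75, and the final report still has 261 hours left; the notification payload is flagged only for the missing supply chain impact assessment. The naive-timestamp check matters because a deadline expressed in hours is meaningless until the awareness time is pinned to a zone.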

Supply Chain Obligations

Article 14 has significant supply chain implications. If a vulnerability affects components you source from third-party vendors, you are still responsible for the Article 14 notification for your product — but you must also:

  1. Notify the component vendor if the vulnerability originates in their component
  2. Coordinate with them on remediation timelines
  3. Report the supply chain dimension in your Article 14 notifications

Conversely, if you are a component supplier and your component is found to be vulnerable, you must notify downstream manufacturers who integrate your component. This creates a notification cascade up and down the supply chain.

CRA reference: Article 14(4)

CVD Portal helps you comply with Article 14 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.


Frequently asked

Does Article 14 apply to every vulnerability I discover?

No. Article 14 only applies when there is active exploitation of a vulnerability in your product or a severe security incident. Vulnerabilities discovered through your CVD programme that are not being actively exploited are handled under Article 13, not Article 14.

What if I can't complete the 72-hour report on time?

The regulation requires reasonable effort. If a full technical analysis is not possible within 72 hours, submit what you have and note that the report is preliminary. ENISA would rather receive an incomplete but timely notification than a complete report submitted late. Document your reasons for any delay.

How do I know if exploitation is 'active'?

Active exploitation means there is credible evidence that attackers are using the vulnerability in real attacks. This includes: reports from customers of successful attacks, detection by threat intelligence services, exploitation code seen in the wild, or confirmation from a national CSIRT. A publicly available PoC without confirmed exploitation does not automatically trigger Article 14, but the risk level increases significantly.

Does Article 14 apply to vulnerabilities found by internal security testing?

No. Article 14 is triggered by active exploitation or severe incidents, not by internally discovered vulnerabilities. Internal vulnerability management is covered under Article 10 (product security requirements) and Article 13 (CVD policy). Article 14 is specifically about responding to real-world attacks.

What is the penalty for missing an Article 14 deadline?

Missing Article 14 notification deadlines can result in fines up to €15 million or 2.5% of global annual turnover. More immediately, failure to notify can result in product recall orders and increased scrutiny from national market surveillance authorities.
