Article 15 creates a voluntary reporting pathway alongside the mandatory reporting requirements of Article 14. Manufacturers may voluntarily notify their national CSIRT of vulnerabilities discovered in their products that are not yet actively exploited, near-misses, and security-relevant information that could benefit the broader cybersecurity community. Voluntary notifications under Article 15 are encouraged and acknowledge reporters' good-faith cooperation with EU cybersecurity objectives.
What Can Be Voluntarily Reported Under Article 15
Article 15 covers notifications that go beyond — or fall below — the mandatory reporting thresholds of Article 14. Examples of voluntary reports include:
- Non-actively-exploited vulnerabilities: A vulnerability discovered internally or through your CVD programme that poses risk but is not being exploited in the wild
- Near-misses and threat intelligence: Attacks that were detected and blocked before causing significant impact, but which indicate emerging threat patterns
- Supply chain security concerns: Information about vulnerabilities in third-party components that affect your product but are being remediated by the component supplier
- Systemic security patterns: Observations about recurring vulnerability types or attack patterns affecting a product category that would be useful to national CSIRTs and ENISA
Voluntary notifications supplement the mandatory system and help build a richer picture of the EU's cybersecurity threat landscape.
Who Can Submit Voluntary Reports
Unlike Article 14, which applies specifically to manufacturers, Article 15 is broader in scope. Voluntary reports under Article 15 can be submitted by:
- Manufacturers reporting issues below the Article 14 threshold
- Open-source software stewards under Article 24 (who are not subject to Article 14)
- Security researchers who discover vulnerabilities in CRA-regulated products
- Importers and distributors who become aware of security concerns through the supply chain
- Users of critical infrastructure who identify security issues in products they deploy
The voluntary nature of Article 15 means there is no penalty for not reporting. However, proactive reporting may be considered positively by market surveillance authorities when assessing a manufacturer's overall good-faith compliance posture.
How Voluntary Reports Are Handled
Voluntary notifications under Article 15 are routed through the same national CSIRT infrastructure used for Article 14 mandatory reports. National CSIRTs are required to acknowledge voluntary notifications and may share them with ENISA and other member states' CSIRTs where the information has broader relevance.
- No enforcement consequences: Submitting a voluntary report does not trigger an investigation or enforcement action against the reporter under the CRA
- Coordinated disclosure support: National CSIRTs can assist in coordinating disclosure with other affected manufacturers or component suppliers
- Confidentiality: Sensitive information disclosed in voluntary reports is handled with the same confidentiality protections as mandatory notifications
Manufacturers are encouraged to use the Article 16 single reporting platform for voluntary submissions where it is operationally available.
Frequently asked
Is there any benefit to voluntary reporting under Article 15?
Yes. Voluntary reporting demonstrates good-faith cooperation with EU cybersecurity objectives, which can positively influence market surveillance authorities' assessment of a manufacturer's compliance culture. It also enables manufacturers to benefit from CSIRT expertise and coordinated disclosure support. In the event of a later investigation, a track record of voluntary reporting is a strong indicator of responsible practice.
Can voluntary reports under Article 15 become mandatory reports under Article 14?
If circumstances change after a voluntary report — for example, if a voluntarily-reported vulnerability is subsequently found to be actively exploited — the manufacturer must then file a mandatory Article 14 notification. The voluntary report does not substitute for or delay the Article 14 obligation once its trigger conditions are met.
Do I need to use the Article 16 single reporting platform for voluntary reports?
Article 15 does not mandate use of the Article 16 platform, but ENISA encourages its use for consistency. Manufacturers may also contact national CSIRTs directly. Check with your national CSIRT for preferred submission channels for voluntary notifications — many CSIRTs have existing secure channels for receiving vulnerability intelligence.