Reporting Infrastructure for Article 14 Vulnerability Notifications

Article 29 establishes that ENISA shall set up, maintain, and operate a single reporting platform through which manufacturers submit their Article 14 notifications. This platform provides a standardised, secure channel for the early warning (24-hour), notification (72-hour), and final report submissions required under Article 14.

The single reporting platform is designed to eliminate the fragmentation that would result if each member state operated its own bespoke notification system. Without a single platform, manufacturers selling across multiple EU member states would need to file separate notifications in each jurisdiction's system, with potentially different formats, authentication requirements, and submission procedures.

By providing a single submission point, the platform reduces administrative burden on manufacturers while ensuring that all notifications reach the appropriate national CSIRT and are simultaneously available to ENISA for EU-level coordination.

Although submissions go through a single platform, Article 29 ensures that notifications are routed to the appropriate national CSIRT based on the manufacturer's location or the affected product's market. The platform handles this routing automatically, so manufacturers need not identify the correct national authority for each submission.

Where a vulnerability affects products sold in multiple member states, the platform may route notifications to multiple national CSIRTs simultaneously or sequentially, ensuring all relevant national authorities receive the information. ENISA also receives a copy of all notifications, enabling the EU-level picture to be maintained.

The routing logic also accounts for situations where the manufacturer is established in a third country — in such cases, notifications may be routed through the national CSIRT in the member state where the product is primarily marketed or where the authorised representative is established.

Article 29 requires that the single reporting platform use standardised technical formats for notifications. Standardisation enables automated processing, reduces errors, and facilitates integration with vulnerability management systems at national CSIRTs and ENISA.

The expected format for notifications aligns with CSAF (Common Security Advisory Framework) conventions and STIX/TAXII threat intelligence standards where applicable. Manufacturers should design their internal vulnerability management workflows to produce outputs in formats compatible with the platform's submission requirements.

ENISA publishes technical specifications for the submission format, which manufacturers should integrate into their CVD tooling well before the CRA application date. CVD Portal supports automated submission-ready report generation in the required formats.

Article 29 requires that the single reporting platform handle notification data with appropriate confidentiality protections. Vulnerability information submitted before a patch is publicly available is commercially sensitive and, if leaked, could facilitate exploitation of the reported vulnerability. The platform must therefore implement strong access controls ensuring that notification data is accessible only to authorised national CSIRT personnel and ENISA staff.

Manufacturers submitting notifications can expect that:

• Notification content will not be shared with third parties without the manufacturer's consent, except as necessary for coordination with national authorities
• Published vulnerability information (for example, EVDB entries) will be delayed or redacted until a fix or workaround is available
• Personal data included in notifications (such as security researcher contact details) will be handled in accordance with GDPR

Manufacturers should review the platform's terms of use and privacy notice before first submission to understand the data handling framework.

For manufacturers with significant product portfolios and active vulnerability management programmes, the Article 29 platform needs to integrate smoothly with internal CVD tooling. Manual submission for every vulnerability in a large product portfolio is operationally unsustainable — manufacturers should plan for API-based or automated submission where the volume of notifications warrants it.

ENISA is expected to provide an API for programmatic submission to the platform, enabling manufacturers' vulnerability management platforms and CVD portals to submit notifications automatically when the relevant thresholds are met.

CVD Portal's integration with the Article 14 reporting infrastructure enables manufacturers to submit notifications directly from the platform, with automatic population of required fields from the vulnerability record and automatic timeline tracking against the 24-hour and 72-hour deadlines.