CVD Portal
← Back to Documentation
API Reference

Article 14 Status & Tracking Endpoint

By The CVD Portal Team
4 min read

The Article 14 status endpoint lets an automated agent track a single report's CRA Article 14 reporting obligations end to end: whether the report meets the reporting threshold, how its 24-hour, 72-hour, and final-report deadlines stand right now, and which obligatory fields are still missing before a compliant filing. It is the tracking half of an agent-driven disclosure workflow. It reads only. It never transmits a notification to an authority.

Endpoint

GET /api/v1/vulnerabilities/{id}/article14
Authorization: Bearer <your-api-key>

API access is an Enterprise feature. The submission must belong to the company that owns the API key, otherwise the endpoint returns 404 Submission not found.

Response

{
  "submissionId": "clx123...",
  "reportType": "VULNERABILITY",
  "triggered": true,
  "aiAssessment": {
    "risk": true,
    "rationale": "Actively exploited critical RCE."
  },
  "nextDeadline": {
    "stage": "early_warning",
    "label": "24h early warning",
    "dueAt": "2026-06-26T10:00:00.000Z",
    "state": "approaching",
    "hoursRemaining": 4.5
  },
  "stages": [
    {
      "stage": "early_warning",
      "label": "24h early warning",
      "dueAt": "2026-06-26T10:00:00.000Z",
      "sentAt": null,
      "state": "approaching",
      "hoursRemaining": 4.5,
      "ready": true,
      "missingRequiredFields": [],
      "recommendedFields": []
    }
  ],
  "transmission": "agent_prepares_human_files"
}

Field reference

  • triggeredtrue when the report meets the Article 14 threshold (an actively exploited vulnerability, or a high/critical security incident). When false, the deadline clocks are informational only.
  • aiAssessment — the AI triage read of Article 14 risk, when triage has run. Advisory only. null when triage has not run.
  • nextDeadline — the soonest outstanding (not-yet-filed) stage, classified as ok, approaching, or overdue.
  • stages — every stage with its deadline and readiness. Per-stage state adds two terminal values to the three above: filed once the stage has been submitted, and not_applicable when no deadline anchor exists yet (for example, the final report before the fix is available).
  • ready / missingRequiredFieldsready is true when every obligatory ENISA Single Reporting Platform field for that stage is filled. missingRequiredFields lists what still blocks a compliant filing, by SRP reference and label. recommendedFields lists provide-if-available fields that warn but do not block.
  • transmission — always agent_prepares_human_files. This is a contract reminder: the endpoint prepares and tracks. Submitting the notification to the designated CSIRT and ENISA is a deliberate human action in the dashboard, never automated through the API.

Why filing stays human-gated

A false early warning carries real regulatory and reputational cost. An agent can enrich a report, assess severity, watch the deadline clock, and tell a human exactly which fields are still missing, but the decision to transmit a regulatory notification stays with a person. Design your agent to prepare and alert, then hand off.

Need more help?

Contact Support