Article 14 structures reporting as three escalating reports for the same event. Within 24 hours of becoming aware, the manufacturer submits an early warning, a preliminary alert that flags an actively exploited vulnerability or severe incident. Within 72 hours, a detailed notification provides the substantive technical assessment, affected versions, indicators of compromise, and the measures taken. A final report then closes the event.
The final report's deadline depends on the event type. For an actively exploited vulnerability, it is due within 14 days of a corrective or mitigating measure becoming available. For a severe incident, it is due within one month of the detailed notification. Every clock runs from the moment of awareness, which can form before exploitation is fully confirmed.
Obligations continue after the final report. Authorities may request interim updates during a developing event, and affected users must be informed of the vulnerability and the available fixes. The deadlines are won through preparation: a monitored intake channel, a pre-authorised decision-maker for the early warning, verified platform access, and ready-made report templates.
This is the fourth article in our six-part CRA reporting series.
Read the full guide on our blog.
Read More