Two terms. One letter of difference. Entirely different legal consequences under the Cyber Resilience Act.
The Three-Tier Obligation Framework
- Tier 1: Assess the risk of every vulnerability - no exceptions at the outset
- Tier 2: Track known, exploitable vulnerabilities to closure before placing a product on the market
- Tier 3: Report actively exploited vulnerabilities within 24 hours of awareness
The Critical Distinction
An exploitable vulnerability could theoretically be weaponised - but hasn't been yet. An actively exploited vulnerability is one where an attacker has already succeeded. The first blocks market release. The second triggers mandatory reporting to ENISA and national CSIRTs within 24 hours.
What About Proof-of-Concept Exploit Code?
A published PoC proves exploitation is feasible but doesn't confirm an active campaign. The European Commission has not yet issued definitive guidance on this. Until it does, manufacturers should treat PoC publication as an escalation signal.
September 2026: Already Applies to Products on Market
The reporting obligation takes effect September 2026 - before full product compliance is required - and covers products already sold. If an actively exploited vulnerability is reported against any product you manufacture, the 24-hour clock starts.
Read the full breakdown of the three-tier framework, EUVD monitoring, and reporting timelines.