As part of the CRA’s incident reporting framework, manufacturers must adapt their security operations to meet strict notification timelines. Upon becoming aware of an actively exploited vulnerability or an incident with severe impact, entities are legally bound to submit an "early warning" within 24 hours.
Furthermore, a comprehensive incident notification detailing the technical scope and proposed mitigation measures must follow within 72 hours. ENISA strongly advises organizations to integrate these timeframes into their incident response playbooks and automate their triaging processes to ensure seamless compliance and minimize the window of exposure for European consumers.