Which Vulnerabilities and Incidents Must Be Reported, and Which Do Not

The reporting obligation under Article 14 of the Cyber Resilience Act is deliberately narrow. Only two categories of event have to be reported to authorities: vulnerabilities that are being actively exploited in the field, and severe security incidents that affect the security of a product. The large remainder of vulnerability work is handled internally under Article 13.

The distinction that catches manufacturers out is between exploitable and exploited. A critical-severity flaw with a published proof of concept is not, on its own, reportable. It becomes reportable when there is evidence of real exploitation. Conversely, a modest-severity bug that attackers are actively chaining against customers is reportable, because active exploitation, rather than severity score, is the trigger.

Severe incidents are broader than code vulnerabilities. A compromise of a build pipeline or update-distribution system that affects users qualifies even where the product itself contains no flaw. The practical approach is a decision framework applied to every event, with the determination documented either way, so that handling the many and reporting the few is consistent and defensible.

This is the second article in our six-part CRA reporting series.

Read the full guide on our blog.