Does Article 14 apply to all manufacturers?

Article 14 applies to all manufacturers of products with digital elements that are placed on the EU market, regardless of where the manufacturer is established. It covers actively exploited vulnerabilities and severe security incidents.

What counts as 'actively exploited'?

A vulnerability is actively exploited when there is evidence of it being used in real attacks against end users or systems — for example: threat intelligence reports, customer incident reports, honeypot detections, or exploit code observed in the wild. Proof-of-concept code alone does not typically constitute active exploitation.

Where do I submit the notification?

Notifications are submitted to ENISA via the Single Reporting Platform (SRP), or to your national CSIRT. CVD Portal's Enterprise plan includes automated Article 14 submission to ENISA.

What is the difference between the early warning and the full notification?

The 24-hour early warning provides initial awareness — product name, brief description, evidence of exploitation. The 72-hour full notification adds severity scoring, preliminary root cause, remediation plan, and user notification status. The 14-day final report provides confirmed root cause and completed mitigation details.

What happens if I miss the 24-hour deadline?

The CRA does not specify penalties for individual notification delays, but persistent non-compliance can lead to market surveillance authority action and product recalls. If you discover exploitation and cannot file within 24 hours, notify ENISA as soon as possible and document why the delay occurred.

← All templates

Free Template

Article 14 Early Warning Notification Template

A structured notification template for the CRA Article 14 24-hour early warning obligation. Designed to be submitted to ENISA (or the relevant national CSIRT) when a manufacturer discovers an actively exploited vulnerability or severe security incident.

Article 14

ForEU manufacturers who need to submit Article 14 early warning notifications to ENISA or national CSIRTs

CRA Articles

Article 14

When to Use This Template

Article 14(1), Article 14(2)

Use this notification template when you become aware of:

A vulnerability in your product that is being actively exploited in the wild
A severe security incident affecting your product with potential significant impact

Article 14 Deadlines:

24 hours: Early warning to ENISA/national CSIRT
72 hours: Full notification with severity assessment and initial remediation actions
14 days: Final report with root cause analysis and mitigation measures

The clock starts when your organisation becomes aware of the actively exploited vulnerability or severe incident — not when a reporter submitted the initial report.

Note

This section is informational — it helps your team understand when to use this template. Include it in internal documentation but you may remove it from the submission itself.

Early Warning — Part 1: Manufacturer Information

Article 14(2)

Manufacturer name: [COMPANY NAME] Legal entity type: [e.g. GmbH / Ltd / SAS / BV] Country of establishment: [EU MEMBER STATE] Contact for this notification: Name: [CONTACT NAME] Role: [e.g. CISO / Security Manager] Email: [CONTACT EMAIL] Phone: [CONTACT PHONE] Date and time of submission: [YYYY-MM-DD HH:MM UTC] Reference number (your internal ID): [INTERNAL-REF-001]

Note

ENISA and national CSIRTs use this to route notifications correctly and follow up. Use a consistent internal reference numbering system so you can track notification status.

Early Warning — Part 2: Product Information

Article 14(2)

Product name: [PRODUCT NAME] Product category: [e.g. Industrial Controller / Smart Home Device / Medical Wearable] Model / SKU: [MODEL NUMBER] Affected firmware/software version(s): [VERSION RANGE] CRA classification: [Default / Important Class I / Important Class II / Critical] Approximate number of affected units in EU market: [NUMBER or ESTIMATE] Countries where affected products are deployed: [LIST EU MEMBER STATES]

Note

Be as precise as possible about affected versions. ENISA uses this to assess market-wide impact and coordinate with other national authorities. An estimate is acceptable at the early warning stage.

Early Warning — Part 3: Vulnerability Description

Article 14(2)

Vulnerability type: [e.g. Remote Code Execution / Authentication Bypass / Command Injection] CWE identifier: [CWE-XXX if known] CVE identifier: [CVE-XXXX-XXXXX if assigned, or 'Not yet assigned'] Brief description: [2-3 sentences describing the vulnerability without disclosing exploitation details] Attack vector: [Network / Adjacent / Local / Physical] Authentication required: [None / Single / Multiple] Evidence of active exploitation: [Brief description of how exploitation was detected — e.g. honeypot observation, customer report, threat intelligence feed]

Note

At the 24-hour early warning stage, you are not expected to have a full analysis. Provide what you know. A brief, accurate description is more useful than a detailed but uncertain one.

Early Warning — Part 4: Initial Impact Assessment

Article 14(2)

CVSS Base Score (3.1 or 4.0): [SCORE — e.g. 9.8 Critical] CVSS Vector String: [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] Potential impact on users: [e.g. Allows remote unauthenticated attacker to execute arbitrary code] Potential impact on critical infrastructure: [Yes / No / Unknown — if Yes, describe] Data categories potentially affected: [e.g. Personal data / Credentials / Configuration] Is the vulnerability publicly known?: [Yes / No / Partially (describe)]

Note

CVSS scoring may be preliminary at this stage — that is acceptable. Note if your score is a preliminary estimate. ENISA uses severity to prioritise follow-up and national coordination.

Early Warning — Part 5: Immediate Actions Taken

Article 14(2)

Actions taken as of [DATE/TIME]:

[ ] Internal incident response team activated
[ ] Affected systems / services isolated (if applicable)
[ ] Investigation underway to determine scope and root cause
[ ] Patch development initiated
[ ] Temporary mitigation available: [Describe or 'None available']
[ ] Users / customers notified: [Yes / No — if Yes, describe how]
[ ] Law enforcement notified: [Yes / No / Not applicable]

Estimated patch availability: [Date or 'Under investigation']

Note

ENISA expects to see that you are actively responding, not just reporting. Even if a patch is not yet ready, list the actions underway. This demonstrates your incident response capability.

Early Warning — Part 6: Follow-up Commitment

Article 14(3)

[COMPANY NAME] commits to submitting a full Article 14 notification to ENISA / [NATIONAL CSIRT NAME] within 72 hours of the initial early warning, including:

Confirmed severity assessment (CVSS score)
Root cause analysis (preliminary)
Affected product inventory update
Remediation timeline
User notification plan

Full notification will be submitted by: [DATE — within 72 hours of this submission]

Point of contact for follow-up: [NAME, EMAIL, PHONE]

Note

Explicitly committing to the 72-hour follow-up in your early warning shows ENISA you have a structured process. Keep a copy of this notification with your internal incident record.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free, forever.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

Security Incident Notification Policy Template

An internal security incident notification policy for manufacturers, covering escalation procedures, Article 14 regulatory notification, and user communication. Designed to sit alongside your CVD policy as an internal-facing document.

EU CVD Policy Template

A CVD policy template specifically written for EU manufacturers placing products on the European market. References EU-specific obligations (CRA, NIS2 intersection, ENISA), using terminology aligned with EU regulatory guidance.