Article 14 Early Warning Notification Template
A structured notification template for the CRA Article 14 24-hour early warning obligation. Designed to be submitted to ENISA (or the relevant national CSIRT) when a manufacturer discovers an actively exploited vulnerability or severe security incident.
When to Use This Template
Article 14(1), Article 14(2)Use this notification template when you become aware of:
- A vulnerability in your product that is being actively exploited in the wild
- A severe security incident affecting your product with potential significant impact
Article 14 Deadlines:
- 24 hours: Early warning to ENISA/national CSIRT
- 72 hours: Full notification with severity assessment and initial remediation actions
- 14 days: Final report with root cause analysis and mitigation measures
The clock starts when your organisation becomes aware of the actively exploited vulnerability or severe incident - not when a reporter submitted the initial report.
This section is informational - it helps your team understand when to use this template. Include it in internal documentation but you may remove it from the submission itself.
Early Warning - Part 1: Manufacturer Information
Article 14(2)Manufacturer name: [COMPANY NAME] Legal entity type: [e.g. GmbH / Ltd / SAS / BV] Country of establishment: [EU MEMBER STATE] Contact for this notification: Name: [CONTACT NAME] Role: [e.g. CISO / Security Manager] Email: [CONTACT EMAIL] Phone: [CONTACT PHONE] Date and time of submission: [YYYY-MM-DD HH:MM UTC] Reference number (your internal ID): [INTERNAL-REF-001]
ENISA and national CSIRTs use this to route notifications correctly and follow up. Use a consistent internal reference numbering system so you can track notification status.
Early Warning - Part 2: Product Information
Article 14(2)Product name: [PRODUCT NAME] Product category: [e.g. Industrial Controller / Smart Home Device / Medical Wearable] Model / SKU: [MODEL NUMBER] Affected firmware/software version(s): [VERSION RANGE] CRA classification: [Default / Important Class I / Important Class II / Critical] Approximate number of affected units in EU market: [NUMBER or ESTIMATE] Countries where affected products are deployed: [LIST EU MEMBER STATES]
Be as precise as possible about affected versions. ENISA uses this to assess market-wide impact and coordinate with other national authorities. An estimate is acceptable at the early warning stage.
Early Warning - Part 3: Vulnerability Description
Article 14(2)Vulnerability type: [e.g. Remote Code Execution / Authentication Bypass / Command Injection] CWE identifier: [CWE-XXX if known] CVE identifier: [CVE-XXXX-XXXXX if assigned, or 'Not yet assigned'] Brief description: [2-3 sentences describing the vulnerability without disclosing exploitation details] Attack vector: [Network / Adjacent / Local / Physical] Authentication required: [None / Single / Multiple] Evidence of active exploitation: [Brief description of how exploitation was detected - e.g. honeypot observation, customer report, threat intelligence feed]
At the 24-hour early warning stage, you are not expected to have a full analysis. Provide what you know. A brief, accurate description is more useful than a detailed but uncertain one.
Early Warning - Part 4: Initial Impact Assessment
Article 14(2)CVSS Base Score (3.1 or 4.0): [SCORE - e.g. 9.8 Critical] CVSS Vector String: [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] Potential impact on users: [e.g. Allows remote unauthenticated attacker to execute arbitrary code] Potential impact on critical infrastructure: [Yes / No / Unknown - if Yes, describe] Data categories potentially affected: [e.g. Personal data / Credentials / Configuration] Is the vulnerability publicly known?: [Yes / No / Partially (describe)]
CVSS scoring may be preliminary at this stage - that is acceptable. Note if your score is a preliminary estimate. ENISA uses severity to prioritise follow-up and national coordination.
Early Warning - Part 5: Immediate Actions Taken
Article 14(2)Actions taken as of [DATE/TIME]:
- [ ] Internal incident response team activated
- [ ] Affected systems / services isolated (if applicable)
- [ ] Investigation underway to determine scope and root cause
- [ ] Patch development initiated
- [ ] Temporary mitigation available: [Describe or 'None available']
- [ ] Users / customers notified: [Yes / No - if Yes, describe how]
- [ ] Law enforcement notified: [Yes / No / Not applicable]
Estimated patch availability: [Date or 'Under investigation']
ENISA expects to see that you are actively responding, not just reporting. Even if a patch is not yet ready, list the actions underway. This demonstrates your incident response capability.
Early Warning - Part 6: Follow-up Commitment
Article 14(3)[COMPANY NAME] commits to submitting a full Article 14 notification to ENISA / [NATIONAL CSIRT NAME] within 72 hours of the initial early warning, including:
- Confirmed severity assessment (CVSS score)
- Root cause analysis (preliminary)
- Affected product inventory update
- Remediation timeline
- User notification plan
Full notification will be submitted by: [DATE - within 72 hours of this submission]
Point of contact for follow-up: [NAME, EMAIL, PHONE]
Explicitly committing to the 72-hour follow-up in your early warning shows ENISA you have a structured process. Keep a copy of this notification with your internal incident record.
Use this template automatically in CVD Portal
CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail. Receiving and tracking reports is free, and Article 14 filing is on Pro.
Set up your free portal