Is this the same as a GDPR incident notification procedure?

Not exactly. GDPR incident notifications (Articles 33–34) apply specifically to personal data breaches and are reported to the relevant data protection authority and, in severe cases, to affected individuals. Article 14 CRA notifications apply to actively exploited product vulnerabilities and are reported to ENISA/CSIRTs. If a security incident involves both a product vulnerability and a personal data breach, both notification procedures apply simultaneously.

Do I need to notify ENISA for every vulnerability I discover?

No. Article 14 notification is only required for (1) vulnerabilities that are actively exploited and (2) severe security incidents. Standard vulnerability reports that are not actively exploited go through your normal CVD process without regulatory notification.

What is the ENISA Single Reporting Platform?

The ENISA Single Reporting Platform (SRP) is the online system for submitting Article 14 notifications. It is designed to route notifications to the correct national CSIRT based on the manufacturer's location and affected markets. CVD Portal's Enterprise plan can submit Article 14 notifications to the SRP automatically.

How long must we retain notification records?

The CRA does not specify a retention period for notification records, but 5 years is a conservative, widely-adopted standard aligned with NIS2 requirements and general GDPR practices. Your legal team may advise a different period based on national implementing legislation.

← All templates

Free Template

Security Incident Notification Policy Template

An internal security incident notification policy for manufacturers, covering escalation procedures, Article 14 regulatory notification, and user communication. Designed to sit alongside your CVD policy as an internal-facing document.

Article 14

ForEU manufacturers who need both a public CVD policy and an internal security incident notification procedure for their security team

CRA Articles

Article 14

Purpose and Trigger Conditions

Article 14(1)

This policy governs how [COMPANY NAME] responds to and notifies relevant parties of security incidents affecting our products.

This policy is triggered when [COMPANY NAME] becomes aware of:

A vulnerability in our product that is being actively exploited (Article 14 trigger)
A severe security incident affecting product integrity, confidentiality, or availability
A data breach involving personal data of EU residents (also triggers GDPR Article 33/34)

This policy does not replace the CVD Policy (for inbound researcher reports) but governs our internal incident response and outbound notification obligations.

Note

Clearly separating your inbound CVD policy (for researchers) from your outbound incident notification policy (for regulators and users) prevents confusion. Both documents are required under CRA.

Incident Classification

Article 14(1)

Severity Level 1 — Critical (Article 14 Mandatory) Triggered by: Actively exploited vulnerability OR severe incident with potential significant impact Notification required: ENISA within 24 hours, Full notification within 72 hours

Severity Level 2 — High Triggered by: Confirmed vulnerability with high CVSS score (≥7.0), no known exploitation Notification: Internal tracking, accelerated remediation, prepare advisory

Severity Level 3 — Medium Triggered by: Confirmed vulnerability, CVSS 4.0–6.9, limited scope Notification: Internal tracking, standard remediation timeline

Severity Level 4 — Low Triggered by: Minor vulnerability, CVSS <4.0, negligible impact Notification: Internal tracking, normal development cycle

Note

Tying severity levels to Article 14 obligations makes the classification decision clear for first responders. Your team should not need to re-read the CRA to know when to notify ENISA.

Internal Escalation Process

Article 14(2)

Step 1 — Detection and Triage (0–2 hours)

Incident detected via: [CVD portal / monitoring system / customer report / internal discovery]
Assign initial severity classification
Notify: [SECURITY LEAD NAME / ROLE]
Open incident ticket: [INCIDENT TRACKING SYSTEM]
Reference: [INTERNAL-INC-YYYY-XXXX]

Step 2 — Escalation for Level 1 (2–4 hours)

Notify: [CISO / CTO NAME]
Notify: [LEGAL COUNSEL NAME] (for regulatory notification assessment)
Assess Article 14 notification trigger
Begin drafting early warning notification

Step 3 — 24-hour Early Warning (if Level 1)

Submit early warning to ENISA / [NATIONAL CSIRT]
Log submission with timestamp and reference number
Initiate 72-hour full notification countdown

Note

Name specific roles rather than generic titles where possible. Escalation procedures fail when people are unsure who to call. The 24-hour window is tight — pre-assigned responsibility is essential.

Regulatory Notification Procedure

Article 14(2), Article 14(3)

Article 14 Notification (Level 1 incidents only)

24-hour Early Warning (submitted to: [ENISA SRP URL / NATIONAL CSIRT])

Product affected, brief description, evidence of exploitation
Template: See Article 14 Notification Template
Submitted by: [DESIGNATED ROLE]

72-hour Full Notification

Confirmed CVSS score and vector
Root cause (preliminary)
Remediation timeline
User notification plan
Submitted by: [DESIGNATED ROLE]

14-day Final Report

Confirmed root cause analysis
Completed remediation actions
User notification actions taken
Lessons learned
Submitted by: [DESIGNATED ROLE]

All submissions must be retained for [5] years as part of our CRA compliance records.

Note

Assign specific named roles (or job titles if roles rotate) to each submission. Regulators will ask who submitted each notification — vague ownership leads to missed deadlines.

User and Customer Notification

Article 14, GDPR Article 34

When to notify users:

Immediately when a patch or workaround is available
For Level 1 incidents, consider proactive notification even before a patch if risk to users is significant

Notification channels (use all applicable):

[ ] Product firmware update mechanism (OTA notification)
[ ] Email to registered users: [EMAIL TEMPLATE — see [TEMPLATE URL]]
[ ] Website security advisory: [ADVISORY URL]
[ ] Support portal announcement
[ ] Direct contact for enterprise customers: [ACCOUNT MANAGER PROCESS]

Content of user notification:

What happened (non-technical summary)
Which products and versions are affected
What users should do (update, apply workaround, change credentials)
How to get help
Contact: [SUPPORT URL / EMAIL]

Note

User notification is separate from regulatory notification. Under GDPR, if personal data is involved, notification to data subjects may also be required (Article 34). Coordinate with your DPO.

Post-Incident Review

Article 13(1), Annex I

Within [30] days of incident closure, [COMPANY NAME] will conduct a post-incident review to:

Confirm root cause analysis
Assess whether vulnerability also exists in other products
Review whether detection could have occurred earlier
Update threat model and security testing procedures
Document lessons learned
Verify all regulatory notifications are complete and filed

Post-incident review to be completed by: [SECURITY LEAD / CISO] Review documented in: [INCIDENT MANAGEMENT SYSTEM] Retained for: [5] years

Note

Post-incident reviews are evidence of your Article 13(1) obligation to have an ongoing security lifecycle. Regulators look for this documentation in audits to show your CVD programme improves over time.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free, forever.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

Article 14 Early Warning Notification Template

A structured notification template for the CRA Article 14 24-hour early warning obligation. Designed to be submitted to ENISA (or the relevant national CSIRT) when a manufacturer discovers an actively exploited vulnerability or severe security incident.

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

EU CVD Policy Template

A CVD policy template specifically written for EU manufacturers placing products on the European market. References EU-specific obligations (CRA, NIS2 intersection, ENISA), using terminology aligned with EU regulatory guidance.