← All tools
Free Tool

Disclosure Deadline Tracker

Enter a vulnerability report date and instantly see every critical deadline: Article 14 early warning, full notification, final report to ENISA, researcher 90-day embargo, and your internal acknowledgment SLA. Colour-coded status keeps you on track.

Vulnerability report details

Article 14 deadlines run from when your organisation becomes aware, not when the report was submitted.

Article 14 (active exploitation only)

+1dArticle 14 Early WarningArt. 14(2)
Wed, 8 Apr 2026, 19:50 UTC
23h remaining — DUE SOON

Submit early warning to ENISA via the Single Reporting Platform. Triggered only if vulnerability is actively exploited.

+3dArticle 14 Full NotificationArt. 14(3)
Fri, 10 Apr 2026, 19:50 UTC
2d 23h remaining

Full notification to ENISA with CVSS score, root cause analysis, and remediation timeline.

+14dArticle 14 Final ReportArt. 14(4)
Tue, 21 Apr 2026, 19:50 UTC
13d 23h remaining

Final report to ENISA with confirmed root cause and completed remediation.

Internal SLAs

+2dAcknowledgment to reporterArt. 13
Thu, 9 Apr 2026, 19:50 UTC
1d 23h remaining

Confirm receipt of the vulnerability report. CRA Article 13 minimum.

+5dInitial triage complete
Sun, 12 Apr 2026, 19:50 UTC
4d 23h remaining

Internal severity assessment and CVSS score assigned. Engineering engaged.

Researcher embargo

+90dResearcher 90-day embargo ends
Mon, 6 Jul 2026, 19:50 UTC
89d 23h remaining

After 90 days from report, researcher may disclose publicly regardless of patch status. Contact researcher proactively if patch is not ready.

+120dResearcher 120-day extended embargo
Wed, 5 Aug 2026, 19:50 UTC
119d 23h remaining

If an extension was agreed with the researcher, this is the standard extended window for complex vulnerabilities.

Note: All deadlines are calculated from the report date entered above. Business day SLAs are shown as calendar hours for simplicity. CVD Portal tracks these deadlines automatically and sends alerts before breach.

Frequently asked

What are the Article 14 notification deadlines?
When a manufacturer becomes aware of a vulnerability that is being actively exploited, Article 14 of the CRA requires: an early warning to ENISA within 24 hours, a full notification within 72 hours, and a final report within 14 days. These deadlines run from the moment the manufacturer becomes aware of active exploitation.
Does Article 14 apply to every vulnerability?
No. Article 14 notification obligations are triggered only when the vulnerability is actively exploited in the wild. Vulnerabilities that are reported but not exploited follow standard CVD handling — acknowledgment, triage, remediation, and coordinated disclosure — without mandatory ENISA notification.
What is the researcher 90-day embargo?
The 90-day embargo is the industry-standard window during which the vulnerability remains confidential while a fix is developed. After 90 days, the researcher may disclose publicly regardless of patch status. Some programmes use 120 or 180 days for complex issues.
What happens if I miss an Article 14 deadline?
Missing an Article 14 deadline is a violation of the CRA and can result in enforcement action by national market surveillance authorities. Fines under the CRA can reach up to EUR 15 million or 2.5% of global annual turnover for the most serious violations.

Ready to automate your CVD programme?

CVD Portal integrates all these tools and handles your Article 13 and 14 obligations automatically.

Start your free portal →