Free Tool

Article 14 Notification Template Builder

Build a complete Article 14 early-warning notification based on the fields required by CRA Article 14(2). Fill in your product details, exploitation status, and mitigation actions, then copy the finished notification text ready for submission to ENISA or your national CSIRT.

Notification type

Select the notification stage. Each stage has different content requirements under Article 14.

Manufacturer details

Company name

Contact name

Contact email

Product & vulnerability

Product name

Affected version(s)

CVE ID

CVSS score

Severity

Exploitation status

Actively exploited?

Nature of exploitation (if known)

Impact

Estimated affected users/devices

Geographic scope

Mitigation

Mitigation measures taken

Notification draft

CRA EARLY WARNING — Article 14(2)
Submitted: 2026-04-07 19:50:14 UTC

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. NOTIFYING MANUFACTURER
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Company: [COMPANY NAME]
Contact: [CONTACT NAME]
Email: [CONTACT EMAIL]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. AFFECTED PRODUCT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Product name: [PRODUCT NAME]
Affected version(s): [VERSION]
CVE identifier: Pending assignment

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. EXPLOITATION STATUS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Actively exploited: YES

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. IMPACT ASSESSMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Estimated affected users: [NUMBER OR ESTIMATE]
Geographic scope: EU

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. INITIAL MITIGATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Immediate actions taken: [DESCRIBE ANY IMMEDIATE ACTIONS]
Full notification to follow within 72 hours of this early warning.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DECLARATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[COMPANY NAME] confirms that this notification is submitted in compliance with Article 14(2) of Regulation (EU) 2024/2847 (Cyber Resilience Act).

Submit via the ENISA Single Reporting Platform (SRP) or your national CSIRT. CVD Portal automates submission tracking and deadline alerts.

Frequently asked

What information must an Article 14 early warning include?

Article 14(2) of the CRA requires the early warning to include: the identity of the product, the nature of the vulnerability, any known exploitation in the wild, the severity assessment, affected user estimates, and initial mitigation measures taken. This tool generates a structured notification covering all mandatory fields.

Where do I submit the Article 14 notification?

Notifications should be submitted via the ENISA Single Reporting Platform or, where applicable, through your national CSIRT. ENISA is establishing a unified portal for CRA notifications. Until it is live, check with your national market surveillance authority for interim reporting channels.

Do I need a CVE ID before submitting?

No. A CVE ID is not required for the early warning. The 24-hour early warning deadline means you will often not have a CVE assigned yet. You can submit with 'CVE pending' and update the full notification at 72 hours if a CVE is assigned by then.

Is the early warning confidential?

Yes. Article 14 notifications to ENISA are treated as confidential and are not published by ENISA without the manufacturer's consent, except in limited circumstances where public safety requires disclosure.

Ready to automate your CVD programme?

CVD Portal integrates all these tools and handles your Article 13 and 14 obligations automatically.

Start your free portal →