First CRA hard deadline — applies 18 months early

Article 14 — Vulnerability reporting & notification obligations

From 11 September 2026, all in-scope manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA — before the rest of the CRA applies in December 2027.

What Article 14 requires

Article 14 of Regulation (EU) 2024/2847 creates a mandatory three-step reporting chain to ENISA whenever a manufacturer discovers that a vulnerability in their product is being actively exploited by attackers in the wild, or that a severe incident has occurred.

This is separate from — and in addition to — notifying affected users (Art. 14(4)), which must happen concurrently. Reporting to ENISA does not substitute for notifying users, and notifying users does not substitute for reporting to ENISA.

Reports are submitted via the ENISA single reporting platform, which routes information to the relevant national CSIRT(s). The platform must be operational by 11 September 2026.

The three-step reporting chain

The clock starts from when the manufacturer becomes aware of active exploitation — not from when the vulnerability is confirmed or fully analysed.

1. Early warning: 24 hours (Art. 14(2))

Signal to ENISA that a severe event is in progress. Minimal detail required — speed is the priority. The clock starts from when you become aware, not when you confirm all details.

2. Full notification: 72 hours (Art. 14(2))

Detailed notification to ENISA: product identification, vulnerability description, severity, impact, and corrective or mitigating measures taken or planned.

3. Final report: 14 days (Art. 14(3))

Complete analysis: CVE identifier, CVSS score, root cause, remediation deployed, whether the vulnerability was publicly disclosed, and confirmation that users have been notified.

Notifying affected users (Art. 14(4))

In parallel with the ENISA reporting chain, manufacturers must notify affected users without undue delay. Do not wait for the full fix — users need to know:

  • Which products and versions are affected
  • The nature of the vulnerability and that active exploitation has been observed
  • Mitigating measures they can take immediately (workarounds, isolation) before a patch is available
  • Whether a patch is available and how to obtain it — or an expected release timeline

Who must comply

Manufacturers ✓

All manufacturers of in-scope products with digital elements — regardless of product class (Default, Important Class I/II, or Critical). Art. 14 applies to every manufacturer from 11 September 2026.

Importers & distributors —

Not directly required to report to ENISA under Art. 14. However, they must pass vulnerability information to manufacturers without undue delay (Art. 20 / Art. 24) so that manufacturers can meet their Art. 14 deadlines.

Article 14 obligation cards

Four atomic obligations — each traceable to the regulation article, with evidence guidance and plain-language explanations.

OBL-ART14-01 (Binding)

Report actively exploited vulnerabilities and incidents to ENISA

Manufacturers must report any actively exploited vulnerability in their product to ENISA via the single reporting platform within 24 hours (early warning) and 72 hours (notification). A final report is due within 14 days. This obligation applies from 11 September 2026.

Art. 14(1), Art. 14(2), Art. 14(3)
Manufacturer

OBL-ART14-02 (Binding)

Submit a detailed vulnerability notification to ENISA within 72 hours

Within 72 hours of becoming aware of an actively exploited vulnerability in a product, manufacturers must submit a detailed vulnerability notification to ENISA via the single reporting platform. This follows the 24-hour early warning (OBL-ART14-01) and must include technical details about the vulnerability and the product affected.

Art. 14(2), Art. 14(5)
Manufacturer

OBL-ART14-03 (Binding)

Submit a final vulnerability report to ENISA within 14 days

Within 14 days of becoming aware of an actively exploited vulnerability, manufacturers must submit a final report to ENISA containing a complete description of the vulnerability, the corrective measures taken, and whether the vulnerability has been publicly disclosed or a CVE has been assigned.

Art. 14(3), Art. 14(5)
Manufacturer

OBL-ART14-04 (Binding)

Notify users of actively exploited vulnerabilities without undue delay

When a vulnerability is actively exploited, manufacturers must notify affected users without undue delay. The notification must include information sufficient for users to take protective action, including mitigating measures available before a patch is released.

Art. 14(4)
Manufacturer

Penalties for non-compliance (Art. 64)

See all penalty tiers on the CRA overview page.
