Actively exploited vulnerability

A vulnerability in a product with digital elements that a malicious actor is using to breach the security of the product's users or of other affected persons. Once a manufacturer becomes aware of an actively exploited vulnerability in one of its products, it must notify the CSIRT designated as coordinator and ENISA (Art. 14(1)), with an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report after a corrective or mitigating measure is available (Art. 14(2)).

Source citations

Regulation text

Article 14(1) of Regulation (EU) 2024/2847 requires manufacturers to notify any actively exploited vulnerability:

"A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator... and to ENISA."

Recital 68 clarifies the concept:

"Actively exploited vulnerabilities concern instances where a manufacturer establishes that a security breach affecting its users or any other natural or legal persons has resulted from a malicious actor making use of a flaw in one of the products with digital elements made available on the market by the manufacturer."

What does NOT qualify

Vulnerabilities discovered through:

  • Good-faith security testing or research
  • Internal audit or assessment
  • Coordinated or responsible disclosure by a researcher, where there is no evidence of malicious exploitation

...are not actively exploited vulnerabilities under the CRA and do not trigger the Art. 14 mandatory notification obligation. The test is evidence of malicious use, not the channel of discovery: a researcher's report that shows the flaw is already being exploited in the wild does trigger the obligation. Vulnerabilities that do not qualify must still be handled under the manufacturer's vulnerability handling obligations in Annex I, Part II (fixing the vulnerability and disclosing it in a coordinated way), but without the 24-hour notification clock.

Notification timeline

Early warning
  • Deadline: within 24 hours of becoming aware of the vulnerability
  • Content: that an actively exploited vulnerability exists and, where applicable, the Member States in which the product has been made available

Vulnerability notification
  • Deadline: within 72 hours of becoming aware of the vulnerability
  • Content: general information about the product, the general nature of the exploit and of the vulnerability, and the corrective or mitigating measures taken or that users can take

Final report
  • Deadline: no later than 14 days after a corrective or mitigating measure is available
  • Content: a detailed description of the vulnerability including its severity and impact, information on the malicious actors that exploited it where available, and details of the security update or other corrective measures

All three deadlines run from the moment the manufacturer becomes aware of the vulnerability, not from the moment exploitation began or a fix was found.

Notifications must be submitted via the single reporting platform established by ENISA (Art. 16).

Applies from 11 September 2026

The reporting obligations under Art. 14 apply from 11 September 2026, earlier than the main CRA application date of 11 December 2027 (Art. 71(2)).

Actively exploited vulnerability — CRA Compliance Hub