Complete each checklist before submitting to ENISA. The clock runs from the moment you become aware of active exploitation — not from confirmation or analysis.

Step 1 — 24-hour early warning
Due within 24 hours of awareness
- Confirmed the vulnerability is actively exploited in the wild (not just disclosed)
- Identified the affected product(s) and version(s)
- Recorded the exact date and time of awareness (Art. 14(2) clock starts now)
- Prepared the mandatory data fields: product name, version, vulnerability type, CVSS score (preliminary)
- Prepared a brief description of the exploitation observed
- Identified the ENISA single reporting platform endpoint for your Member State
- Submitted the 24-hour early warning to the ENISA single reporting platform
- Retained a copy of the submission confirmation and timestamp

Step 2 — 72-hour detailed notification
Due within 72 hours of awareness
- Completed technical analysis of the vulnerability (root cause, affected code path)
- Assigned a CVE identifier or initiated CVE request (CNA process)
- Documented all affected products, versions, and configurations
- Determined severity using CVSS v3.1 or v4.0 (base score + environmental adjustments)
- Assessed potential impact: confidentiality, integrity, availability
- Identified whether a patch, workaround, or mitigation is available
- Confirmed whether any supply chain partners are affected
- Submitted the 72-hour detailed notification to the ENISA single reporting platform
- Retained a copy of the submission and all supporting documentation

Step 3 — 14-day final report
Due within 14 days of awareness
- Final patch or mitigation is developed and tested
- Security advisory drafted (CVE ID, CVSS score, affected versions, fix version)
- Remediation timeline confirmed: patch available or ETA stated
- Coordinated disclosure timeline agreed with researcher / CSIRT (if applicable)
- Confirmed whether further exploitation or incidents have occurred
- Documented measures taken to prevent recurrence
- Submitted the 14-day final report to the ENISA single reporting platform
- Retained complete audit trail: submission confirmations, analysis records, timeline
- Notified distributors and authorised representatives of the final report (if applicable)

User notification (Art. 14(4)) — concurrent obligation
Without undue delay — run concurrently with ENISA reporting
- Identified all users and downstream operators affected by the vulnerability
- Prepared a clear, non-technical user notification describing the risk and recommended action
- Confirmed whether the notification channel is appropriate (update mechanism, email, security advisory page)
- Published or delivered the user notification without undue delay (Art. 14(4))
- Documented the notification date, channel, and audience for audit purposes