Severe incident having an impact on the security of a product

An incident that has an actual adverse effect on the security of a manufacturer's network and information systems used for the development, production, or maintenance of a product with digital elements. Discovery of such an incident triggers mandatory notification to the relevant CSIRT and ENISA within 24 hours, following the same three-stage notification timeline as actively exploited vulnerabilities.

Source citations

Regulation text

Article 14(3) of Regulation (EU) 2024/2847:

"A manufacturer shall notify any severe incident having an impact on the security of a product with digital elements to the CSIRT designated as coordinator... and to ENISA."

Recital 68 explains:

"Severe incidents having an impact on the security of the product with digital elements concern instances where a manufacturer's network and information systems used in the development, production, or maintenance of that product are adversely affected in such a way that the security of the product could be compromised."

Distinction from actively exploited vulnerability

Actively exploited vulnerability              | Severe incident
----------------------------------------------|---------------------------------------------------------------------------------
Flaw in the product itself being exploited    | Attack on the manufacturer's development/production/maintenance infrastructure
Risk to users of deployed products            | Risk that products shipped may be compromised
Art. 14(1) notification                       | Art. 14(3) notification

Examples

  • A ransomware attack on the manufacturer's build servers that could have resulted in malicious code being injected into product binaries
  • Compromise of the manufacturer's signing infrastructure
  • Supply chain attack on a third-party build tool used in the manufacturer's CI/CD pipeline
  • Unauthorised access to the manufacturer's source code repository

Notification timeline

The same three-stage notification process applies as for actively exploited vulnerabilities: 24-hour early warning, 72-hour incident notification, and final report not later than one month after submission of the incident notification.

Applies from 11 September 2026

Like vulnerability reporting, severe incident notification under Art. 14(3) applies from 11 September 2026 (Art. 71(2)).

Severe incident having an impact on the security of a product — CRA Compliance Hub