The CRA 24-Hour Reporting Deadline: What Manufacturers Must Do

The CRA 24-hour reporting deadline explained: when the clock starts, what an early warning must contain, and how manufacturers build a process that hits the deadline every time.

The CRA 24-hour reporting deadline is the most time-pressured obligation in the Cyber Resilience Act, and from 11 September 2026 it applies to every manufacturer placing products with digital elements on the EU market. Under Regulation (EU) 2024/2847, the moment you become aware of an actively exploited vulnerability or a significant security incident, a clock starts — and you have one day to file an initial report with ENISA. This post explains when the clock starts, what the early warning must contain, and how to build a process that meets the deadline reliably.

When the 24-hour clock starts

Two triggers start the clock under Article 14:

  1. Actively exploited vulnerability. You know, or have reason to believe, that a vulnerability in your product is being exploited. The clock starts at awareness — not at confirmation, and not at patch availability.
  2. Significant security incident. A security incident with significant impact affecting your product occurs. An early warning is due within 24 hours of becoming aware.

“Reason to believe” is deliberately broad. Manufacturers cannot wait for forensic certainty; the obligation is to act on credible indicators and submit an initial report, then refine it as the 72-hour and final-report stages unfold.

What the early warning must contain

The first 24 hours are about speed, but the early warning still needs substance. A defensible submission covers:

  • What happened — the vulnerability or incident and how it was detected.
  • What is affected — product names, versions, and components.
  • Severity and impact — an initial read, even if incomplete.
  • Mitigations — workarounds, configuration guidance, or patches in progress.
  • Identifiers — CVE or EUVD references where available.
  • Contact — who owns the report for follow-up.

Incomplete information is acceptable at the early-warning stage; silence is not. The 72-hour incident notification and later final report exist precisely to add depth as the picture clears.

The full timeline in context

The 24-hour deadline is the first beat of a staged rhythm:

  • 24 hours — early warning (incident) and notification of an actively exploited vulnerability.
  • 72 hours — incident notification with updated severity, impact, and indicators.
  • Final report — root-cause analysis and mitigations, within a reasonable time after handling.

Designing around the 24-hour beat forces the discipline that makes the later stages tractable. Where an event also triggers NIS2 reporting, Article 14 anticipates coordinated submission.

How to hit the deadline every time

Manufacturers that consistently meet the 24-hour clock treat it as an engineered process:

  • Pre-authorise a reporting owner. Someone must be empowered to submit without waiting for committee approval.
  • Hold skeleton templates. Pre-draft the structure so the first day goes to content, not formatting.
  • Wire detection to the owner. Threat intelligence, PSIRT, and incident response should push an “actively exploited” signal directly to the person who files.
  • Rehearse the clock. Tabletop exercises that start the timer at an arbitrary moment expose where the process stalls.
  • Log awareness. Keep an auditable record of when you knew what — the trigger is awareness, and you may need to prove it.

The stakes are real: non-compliance can reach €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

Tie the deadline to live risk visibility

Hitting 24 hours depends on knowing what is affected, fast. A maintained risk register maps detected vulnerabilities and incidents to the products, suppliers, and assets they touch — the exact linkage an early warning demands. Reviewing the pricing for the tooling that keeps that register current ensures the capability has a budget rather than becoming a blind spot discovered mid-incident.

The bottom line

The CRA 24-hour reporting deadline rewards manufacturers who treat awareness as the trigger and the early warning as a habit. Build the detection-to-submission pipeline before 11 September 2026, rehearse the clock, and the deadline becomes a routine operational beat instead of a regulatory emergency.

For the complete reporting framework, see our guide to CRA Article 14 reporting requirements.

Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.
