CRA Article 14 Reporting Requirements for EU Manufacturers

CRA Article 14 reporting requirements explained: what manufacturers must report to ENISA, the 24-hour and 72-hour deadlines, and how to build a compliant vulnerability and incident reporting process.

If you place connected hardware or software on the EU market, the CRA Article 14 reporting requirements are the obligation you cannot defer. Under Regulation (EU) 2024/2847, the Cyber Resilience Act, manufacturers must notify actively exploited vulnerabilities and severe incidents affecting the security of their products through the single reporting platform operated by ENISA, which delivers each notification to ENISA and to the national CSIRT designated as coordinator. These tiered deadlines apply from 11 September 2026, well ahead of the Regulation's general application on 11 December 2027. This post breaks down what triggers a report, what the clocks are, and how to operationalise compliance before the deadline hits.

What Article 14 actually requires

Article 14 attaches two distinct reporting duties to manufacturers of products with digital elements:

  1. Vulnerability reporting. When a manufacturer becomes aware that a vulnerability in one of its products is being actively exploited, it must submit an early warning without undue delay and in any event within 24 hours of becoming aware, follow it with a vulnerability notification within 72 hours that describes the vulnerability, its severity and impact, and the corrective or mitigating measures available, and close with a final report no later than 14 days after a corrective or mitigating measure is available.
  2. Incident reporting. When a severe incident has an impact on the security of a product, the manufacturer follows the same staged pattern: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of submitting the incident notification.

Where the same event also triggers NIS2 reporting, Article 14 anticipates coordinated submission so manufacturers are not double-filing contradictory narratives.

The timelines at a glance

Treat these as hard clocks, not aspirations. The first two run from the moment of awareness for both report types:

  • 24 hours — early warning, for an actively exploited vulnerability and for a severe incident alike. It needs only the basic facts: that exploitation or an incident is under way, where applicable the Member States in which the affected product has been made available, and, for incidents, whether unlawful or malicious acts are suspected.
  • 72 hours — vulnerability notification or incident notification: general information about the vulnerability or incident, an initial assessment of severity and impact, corrective or mitigating measures taken or available to users, and, for incidents, indicators of compromise where available.
  • Final report — root-cause analysis and mitigations. For a vulnerability it is due no later than 14 days after a corrective or mitigating measure is available; for an incident, within one month of the incident notification.

Missing the 24-hour window is the failure mode regulators look for first. Build the process around hitting that initial deadline even when information is incomplete.

What a compliant report contains

A defensible Article 14 submission builds up to the following across the three stages (the early warning is deliberately thin; the 72-hour notification and the final report carry the detail):

  • The product(s) and versions affected.
  • A description of the vulnerability or incident and how it was discovered.
  • The impact on users, other products, and dependent systems.
  • The mitigations already available or in progress (patches, workarounds, configuration guidance).
  • Cross-references to CVE or EUVD identifiers where they exist.
  • A contact route for follow-up.

How to operationalise reporting readiness

Reporting readiness is a process, not a document. Manufacturers that hit the 24-hour clock reliably do five things:

  1. Name a reporting owner. Assign clear accountability for the decision to report and the submission itself.
  2. Pre-draft templates. Hold skeleton reports for both vulnerability and incident scenarios so the first 24 hours go to content, not structure.
  3. Wire detection to reporting. Connect vulnerability intelligence, PSIRT, and incident response so an “actively exploited” signal reaches the reporting owner automatically.
  4. Rehearse. Run a tabletop that starts the clock at an arbitrary moment and ends at a submitted ENISA report.
  5. Track evidence. Keep an auditable record of what you knew and when, so the 24-hour trigger is defensible.
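The clocks in the timeline section and the evidence-tracking step above come together in the following Python example, which is added here and is not code from the original post or from any Resiliently tooling. It keeps a hash-chained, append-only evidence log of awareness and submission events, derives each Article 14 deadline from the log, and flags stages submitted late. The event names, the JSON layout and the sample timeline (an invented product called example-gateway) are assumptions made for illustration; only the 24-hour, 72-hour, 14-day and one-month windows come from the Regulation, and "one month" is approximated as 30 days.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Article 14 windows. Early warning and notification run from awareness; the
# final report runs from a fix being available (vulnerability) or from the
# incident notification (incident). "One month" is approximated as 30 days.
CLOCKS = {
    "vulnerability": {"early_warning": timedelta(hours=24),
                      "notification": timedelta(hours=72),
                      "final_report": timedelta(days=14)},
    "incident": {"early_warning": timedelta(hours=24),
                 "notification": timedelta(hours=72),
                 "final_report": timedelta(days=30)},
}
GENESIS = "0" * 64  # prev-hash of the first entry


def canonical(obj) -> bytes:
    """Stable JSON encoding so a hash does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLog:
    """Append-only, SHA-256 hash-chained record of what was known and when."""

    def __init__(self):
        self.entries = []

    def append(self, when: datetime, kind: str, **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when.isoformat(),
                 "kind": kind, "detail": detail, "prev": prev}
        # Hash covers everything except the hash field itself.
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry fails."""
        prev = GENESIS
        for seq, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != seq or e["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def first(self, kind: str, **match):
        """Timestamp of the earliest entry of `kind` whose detail matches."""
        for e in self.entries:
            if e["kind"] == kind and all(e["detail"].get(k) == v for k, v in match.items()):
                return datetime.fromisoformat(e["when"])
        return None


def clock_start(log: EvidenceLog, report_type: str, stage: str):
    """Event that starts the clock for a given stage (None if not yet logged)."""
    if stage != "final_report":
        return log.first("awareness")
    if report_type == "vulnerability":
        return log.first("measure_available")
    return log.first("submitted", stage="notification")


def compliance_status(log: EvidenceLog, report_type: str) -> dict:
    """Per stage: the deadline, when (if) it was submitted, and whether on time."""
    status = {}
    for stage, window in CLOCKS[report_type].items():
        start = clock_start(log, report_type, stage)
        submitted = log.first("submitted", stage=stage)
        deadline = start + window if start else None
        on_time = None if deadline is None or submitted is None else submitted <= deadline
        status[stage] = {"deadline": deadline.isoformat() if deadline else None,
                         "submitted": submitted.isoformat() if submitted else None,
                         "on_time": on_time}
    return status


def build_sample_log() -> EvidenceLog:
    """Constructed timeline for an actively exploited vulnerability (not real data)."""
    at = datetime.fromisoformat
    log = EvidenceLog()
    log.append(at("2026-09-14T09:00:00+00:00"), "awareness", product="example-gateway 3.2.1",
               source="customer IR team reports in-the-wild exploitation")
    log.append(at("2026-09-15T07:30:00+00:00"), "submitted", stage="early_warning")  # 22.5 h: on time
    log.append(at("2026-09-17T14:00:00+00:00"), "submitted", stage="notification")   # 77 h: late
    log.append(at("2026-09-20T10:00:00+00:00"), "measure_available", version="3.2.2")
    log.append(at("2026-09-30T12:00:00+00:00"), "submitted", stage="final_report")   # 10 days: on time
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for stage, s in compliance_status(log, "vulnerability").items():
        print(f"{stage:14} deadline {s['deadline']}  submitted {s['submitted']}  on_time={s['on_time']}")
```

Two design points matter for defensibility. The clock is anchored on the logged awareness event, not on when someone remembered to open a ticket, so the 24-hour trigger can be reconstructed later from the chain. And because every entry commits to the hash of its predecessor, backdating the awareness event or quietly moving a submission timestamp breaks `verify()`; in production you would persist the log with append-only storage and periodically anchor the head hash somewhere you do not control.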

The penalty calculus sharpens the incentive: non-compliance can reach €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

Where the reporting process meets product risk

A reporting process only works if you can see the risk it describes. A live risk register lets you correlate detected vulnerabilities and incidents against the products, suppliers, and assets they affect, which is exactly the linkage Article 14 demands. Give the tooling that keeps the register current its own budget line, so readiness is funded in advance rather than becoming a gap you discover during an incident.

The bottom line

The CRA Article 14 reporting requirements turn vulnerability and incident disclosure from a disclosure-policy choice into a regulated, clock-driven obligation. The manufacturers who avoid penalties are the ones who treat the 24-hour early warning as the design constraint and build the detection-to-submission pipeline before 11 September 2026 — not after.

For the end-to-end checklist covering scope, Annex I, SBOMs, and conformity alongside reporting, see our companion guide on the Cyber Resilience Act compliance checklist for manufacturers.

Michael Guiao founded Resiliently AI and writes Resiliently. He holds CISM, CCSP, CISA and DPO certifications but has let them lapse, because in the age of AI knowledge is cheap. What counts is judgement, and that comes from eight years of practice at Zurich, Sompo, AXA and PwC.
