Article 14 of Regulation (EU) 2024/2847 creates a three-stage mandatory reporting pipeline. Stage one: early warning within 24 hours of becoming aware of an actively exploited vulnerability — Art. 14(2)(a). Stage two: vulnerability notification within 72 hours with product information, exploit nature, and corrective measures — Art. 14(2)(b). Stage three: final report no later than 14 days after a corrective or mitigating measure is available — Art. 14(2)(c). All submissions go through the single reporting platform under Art. 16, simultaneously to the CSIRT coordinator and ENISA. This obligation applies from 11 September 2026 — before the rest of the CRA. CRACheck generates the notification template as part of the 8-document package. 15–25 minutes. €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Art. 14 of Regulation (EU) 2024/2847 has its own three-stage timeline (24h/72h/14 days after fix) separate from NIS2. The 14-day final report under Art. 14(2)(c) is triggered by availability of a corrective measure, not by a fixed calendar window. Applying NIS2 timelines to CRA reporting creates a compliance gap.
Art. 14(7) requires submission through the single reporting platform established under Art. 16, via the electronic notification end-point of the CSIRT designated as coordinator for your main EU establishment. Sending an email to a generic cert@country address does not constitute valid notification.
Art. 14(2)(a) counts from the moment the manufacturer becomes aware. Deliberately routing vulnerability reports through bureaucratic layers to delay "official" awareness exposes the manufacturer to Art. 64(2) penalties and reputational damage if discovered by a market surveillance authority.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. Art. 14 applies regardless of product category, but Important Class II and Critical products face closer market surveillance scrutiny.
Full Annex VII. The notification process description is part of the vulnerability handling documentation under point 2(b).
Per Art. 13(2)–(3). An actively exploited vulnerability triggers mandatory risk assessment updates per Art. 13(7).
Annex II, point 5: users must be informed of "any known or foreseeable circumstance" that may lead to cybersecurity risks. Art. 14(8) requires you to inform impacted users of the vulnerability.
Per Art. 28 and Annex V.
Per Annex I, Part II, point (5). Your CVD policy defines how external reports come in; Art. 14 defines how they go out to authorities.
The core deliverable for Art. 14. Pre-structured for the three stages: early warning fields (2a), vulnerability notification fields (2b), final report fields (2c). Aligned with the single reporting platform format under Art. 16.
Critical dates: Art. 14 reporting applies from 11 September 2026. Full CRA enforcement from 11 December 2027.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Building an Art. 14-compliant incident response framework with external consultants: CSIRT mapping, notification template development, tabletop exercises, process documentation.
CRACheck generates the Notification Template structured per Art. 14(2)(a)–(c), with fields for early warning, vulnerability notification, and final report. It integrates the template into the Annex VII documentation and produces the Obligations Calendar mapping the 11 September 2026 early enforcement date. The 8-document package ensures your Art. 14 obligations are documented alongside your technical file.
CRACheck does not submit notifications to ENISA on your behalf. It does not connect to the single reporting platform under Art. 16. It does not monitor your product for actively exploited vulnerabilities. It does not perform forensic analysis of exploits. You must operate the notification process. CRACheck produces the template that structures it per Art. 14.
When the vulnerability hits, you need a pre-filled template, not a blank page. CRACheck builds the template before the clock starts.
Art. 64(2). Note: micro and small enterprises are exempt from penalties for late Art. 14(2)(a) early warning only — Art. 64(10)(a).
Art. 64(3).
Art. 64(4).
| Criterion | No template | Consultant framework | NIS2-adapted template | CRACheck |
|---|---|---|---|---|
| Art. 14(2)(a)–(c) structure | Missing | Yes (if CRA-specific) | Wrong legal basis | Yes — 3-stage |
| Annex VII integration | None | Depends | No | Automatic |
| Time to deliverable | — | 8–12 weeks | 2–3 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €12K–€25K | €3K–€8K | €149 one-time |
Each product requires its own notification template referencing its specific technical documentation per Art. 31. Volume pricing: €99/product (10-pack) or €79/product (30-pack). The Obligations Calendar is generated per product.
Request volume pricingCRACheck generates a structured Notification Template according to Article 14(2)(a)–(c) of Regulation (EU) 2024/2847, integrated into the technical documentation per Article 31 and Annex VII, based on the information you provide. The accuracy of your vulnerability data is your responsibility as manufacturer.
We guarantee that the template structure follows Article 14 of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific notification will be accepted by a CSIRT or ENISA in a specific case.
CRACheck is not legal advice. For specific situations involving CSIRT coordination, cross-border notification, or ongoing vulnerability exploitation, consult with a qualified cybersecurity incident response professional.