When exactly does the 24-hour clock start?

Article 14(2)(a) of Regulation (EU) 2024/2847 states 'within 24 hours of the manufacturer becoming aware of' the actively exploited vulnerability. 'Becoming aware' is the trigger — the moment your organisation has actual knowledge. The regulation does not define a specific internal role that constitutes awareness.

What is the difference between Art. 14 paragraphs 1–2 and paragraphs 3–4?

Paragraphs 1–2 cover actively exploited vulnerabilities (24h early warning / 72h notification / 14 days after fix for final report). Paragraphs 3–4 cover severe incidents having an impact on product security (24h / 72h / 1 month for final report). Different triggers, different final report timelines.

To whom exactly do I submit the notification?

Article 14(7) of Regulation (EU) 2024/2847 requires submission via the single reporting platform under Article 16, through the CSIRT designated as coordinator for the Member State of your main EU establishment. The notification is simultaneously accessible to ENISA. If you have no EU establishment, Art. 14(7) provides fallback criteria based on authorised representative, importer, distributor, or user location.

Does Art. 14 apply before the rest of the CRA?

Yes. Article 14 reporting obligations apply from 11 September 2026 — 15 months before the full enforcement date of 11 December 2027. This makes Art. 14 the earliest operational obligation under the CRA.

Are micro and small enterprises exempt from Art. 14?

Not exempt from reporting, but Art. 64(10)(a) exempts micro and small enterprises from penalties specifically for late submission of the early warning under Art. 14(2)(a). The reporting obligation itself remains.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Article 16(m) of Directive (EU) 2011/83 applies. Upon licence activation, you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are accepted only for a reproducible technical defect.

What if the regulation changes?

If the regulation is amended during your licence validity period, you can regenerate the documentation using the updated version of the generator at no additional cost.

You discover an actively exploited vulnerability in your product on a Friday evening. Article 14(2)(a) of Regulation (EU) 2024/2847 gives you 24 hours to submit an early warning to ENISA and your national CSIRT. Then 72 hours for the full vulnerability notification. Then 14 days after the corrective measure is available for the final report. CRACheck generates the notification template.

Article 14 of Regulation (EU) 2024/2847 creates a three-stage mandatory reporting pipeline. Stage one: early warning within 24 hours of becoming aware of an actively exploited vulnerability — Art. 14(2)(a). Stage two: vulnerability notification within 72 hours with product information, exploit nature, and corrective measures — Art. 14(2)(b). Stage three: final report no later than 14 days after a corrective or mitigating measure is available — Art. 14(2)(c). All submissions go through the single reporting platform under Art. 16, simultaneously to the CSIRT coordinator and ENISA. This obligation applies from 11 September 2026 — before the rest of the CRA. CRACheck generates the notification template as part of the 8-document package. 15–25 minutes. €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

The three-stage reporting pipeline

24h

Early warning deadline — Art. 14(2)(a)

72h

Vulnerability notification — Art. 14(2)(b)

14 days

Final report after fix — Art. 14(2)(c)

How to prepare for Art. 14 reporting

Map your notification trigger

Art. 14(1) activates when you become aware of an "actively exploited vulnerability." Define who in your organisation counts as "the manufacturer becoming aware" and how that awareness is escalated.

Identify your CSIRT coordinator

Art. 14(7) requires submission through the electronic notification end-point of the CSIRT in your main EU establishment. If you have no EU establishment, Art. 14(7) provides fallback criteria.

Prepare the early warning fields

Art. 14(2)(a): indicate Member States where the product is available. No detailed technical analysis required at this stage.

Prepare the vulnerability notification fields

Art. 14(2)(b): general product information, exploit nature, corrective measures taken and available to users, sensitivity assessment.

Prepare the final report fields

Art. 14(2)(c): vulnerability description with severity and impact, information on malicious actors (if available), details about the security update or corrective measure.

Run CRACheck

CRACheck generates the Notification Template pre-structured for all three stages, aligned with Art. 14(2)(a)–(c). Part of the 8-document package.

Test the process

Before 11 September 2026, run a tabletop exercise using the template to verify that your team can meet the 24h window under real conditions.

Three mistakes manufacturers make with Art. 14

❌

WRONG TIMELINE

Confusing Art. 14 vulnerability reporting with NIS2 incident reporting timelines

Art. 14 of Regulation (EU) 2024/2847 has its own three-stage timeline (24h/72h/14 days after fix) separate from NIS2. The 14-day final report under Art. 14(2)(c) is triggered by availability of a corrective measure, not by a fixed calendar window. Applying NIS2 timelines to CRA reporting creates a compliance gap.

❌

WRONG RECIPIENT

Reporting to a generic national CERT instead of the designated CSIRT coordinator via the single reporting platform

Art. 14(7) requires submission through the single reporting platform established under Art. 16, via the electronic notification end-point of the CSIRT designated as coordinator for your main EU establishment. Sending an email to a generic cert@country address does not constitute valid notification.

❌

DELAYED AWARENESS

Structuring teams so that vulnerability awareness is delayed to extend the 24h window

Art. 14(2)(a) counts from the moment the manufacturer becomes aware. Deliberately routing vulnerability reports through bureaucratic layers to delay "official" awareness exposes the manufacturer to Art. 64(2) penalties and reputational damage if discovered by a market surveillance authority.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Category per Annex III/IV. Art. 14 applies regardless of product category, but Important Class II and Critical products face closer market surveillance scrutiny.

Technical Documentation

Full Annex VII. The notification process description is part of the vulnerability handling documentation under point 2(b).

Risk Assessment

Per Art. 13(2)–(3). An actively exploited vulnerability triggers mandatory risk assessment updates per Art. 13(7).

User Information

Annex II, point 5: users must be informed of "any known or foreseeable circumstance" that may lead to cybersecurity risks. Art. 14(8) requires you to inform impacted users of the vulnerability.

Declaration of Conformity

Per Art. 28 and Annex V.

CVD Policy

Per Annex I, Part II, point (5). Your CVD policy defines how external reports come in; Art. 14 defines how they go out to authorities.

Notification Template

The core deliverable for Art. 14. Pre-structured for the three stages: early warning fields (2a), vulnerability notification fields (2b), final report fields (2c). Aligned with the single reporting platform format under Art. 16.

Obligations Calendar

Critical dates: Art. 14 reporting applies from 11 September 2026. Full CRA enforcement from 11 December 2027.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Building an Art. 14-compliant incident response framework with external consultants: CSIRT mapping, notification template development, tabletop exercises, process documentation.

€12,000–€25,000

8–12 weeks. Result: a playbook that does not auto-update when the Commission adopts implementing acts under Art. 14(10).

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history