
Article 14 of Regulation (EU) 2024/2847 applies from 11 September 2026, fifteen months before the full CRA enforcement date. If an actively exploited vulnerability is discovered in your product, you must notify ENISA and the designated CSIRT within 24 hours, submit a full notification within 72 hours, and file a final report within 14 days of the corrective measure. CRACheck generates the pre-structured notification template as part of the 8-document Annex VII dossier.

The vulnerability reporting obligation is the first CRA requirement to take effect. From 11 September 2026, every manufacturer of a product with digital elements on the EU market must report actively exploited vulnerabilities through the single reporting platform established under Article 16. The reporting timeline is explicit: 24-hour early warning, 72-hour vulnerability notification, 14-day final report. If you manufacture in China and a vulnerability in your firmware is exploited in Europe, the obligation applies to you. CRACheck generates 8 PDF documents including the ENISA Notification Template pre-structured for the three-step reporting timeline. 15-25 minutes. €149. Browser-side.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 14 + Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

24h: Early warning to ENISA after becoming aware of an actively exploited vulnerability. Art. 14.2(a).
72h: Vulnerability notification with general information and corrective measures. Art. 14.2(b).
14 days: Final report after corrective measure is available. Art. 14.2(c).

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Understand the obligation
Art. 14.1: notify actively exploited vulnerabilities. Art. 14.3: notify severe incidents impacting product security. Both go to the CSIRT designated as coordinator and to ENISA via the single reporting platform (Art. 16).

2. Designate your reporting contact
Who in your organisation monitors vulnerability databases, receives external reports and has authority to file the ENISA notification? This person needs 24/7 availability for the 24h timeline.

3. Generate CRACheck dossier
Doc 7 (ENISA Notification Template) pre-structures the three-step reporting timeline. Doc 6 (CVD Policy) establishes the inbound channel for vulnerability reports.

4. Test the process
Simulate a vulnerability disclosure. Can your team file the 24h early warning within the timeline? If not, adjust.

5. Integrate with your vulnerability handling
The Annex I Part II requirements for vulnerability handling feed directly into the Art. 14 reporting obligation.

6. Go live on 11 September 2026
Your reporting process and documentation must be operational by this date. Full CRA enforcement follows on 11 December 2027.

Common mistakes

ART. 14.1

"Vulnerability reporting starts in December 2027 with everything else"

Article 71 explicitly states that Article 14 shall apply from 11 September 2026. This is 15 months before full CRA enforcement. If a vulnerability in your product is actively exploited after September 2026 and you fail to report, you are in breach before most other obligations even apply.

ART. 14.2(a)

"24 hours is for the full report — we have time to investigate before notifying"

Article 14.2(a) requires an early warning within 24 hours. This is not the full report — it is an initial notification. Art. 14.2(b) gives you 72 hours for the detailed notification. Art. 14.2(c) gives you 14 days for the final report. The 24h timeline is for the early warning only.

ART. 14.1

"We only need to report to ENISA if the vulnerability affects EU users"

Article 14.1 requires notification of any actively exploited vulnerability in the product — not only those affecting EU users. The notification is simultaneous to the CSIRT designated as coordinator and to ENISA. If the vulnerability exists in a product placed on the EU market, the obligation applies regardless of where the exploit occurs.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Annex III classification. Reporting obligations apply to all products regardless of classification.

2. Technical Documentation
Art. 31 + Annex VII. Includes vulnerability handling processes (Annex VII point 2(b)) that underpin the Art. 14 reporting obligation.

3. Risk Assessment
Art. 13.2-13.3. Identifies vulnerability categories and impact severity that inform reporting thresholds.

4. User Information
Annex II. Includes the vulnerability reporting contact address for external reporters.

5. Declaration of Conformity
Art. 28 + Annex V.

6. CVD Policy
The inbound channel — how researchers and users report vulnerabilities to you. Feeds into your Art. 14 outbound reporting to ENISA.

7. Notification Template
Art. 14. Pre-structured for the three-step timeline: 24h early warning (Art. 14.2(a)), 72h vulnerability notification (Art. 14.2(b)), 14-day final report (Art. 14.2(c)). Also covers severe incident reporting under Art. 14.3-14.4.

8. Obligations Calendar
Art. 14 from 11 September 2026 highlighted. Full enforcement 11 December 2027.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 INCIDENT RESPONSE RETAINER WITH EUROPEAN FIRM
€20,000–€50,000/year
Annual retainer. Monitoring + reporting. Ongoing cost.
✓ CRACHECK
€149
8 documents including pre-structured ENISA notification template. One-time payment. Your internal team handles the actual reporting. Pack 10: €99/product.

Two layers

● LAYER 1

What CRACheck does

Generates the documentation framework for your vulnerability reporting obligation: CVD Policy (inbound), ENISA Notification Template (outbound), vulnerability handling processes (Annex VII point 2(b)). Pre-structured for the 24h/72h/14-day timeline.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not monitor your products for vulnerabilities, file ENISA notifications on your behalf or provide incident response services. The documentation structures your process. Your security team executes it.

We structure the documentation. You run the reporting process.

Enforcement regime

Article 64 of Regulation (EU) 2024/2847.

🔴
Non-compliance with Art. 14 (Art. 64(2))
€15,000,000 / 2.5%

Art. 64.2. This is the highest penalty tier. Art. 14 applies from September 2026.

🟠
Non-compliance with Art. 31, Art. 28, Art. 32 (Art. 64(3))
€10,000,000 / 2%

Art. 64.3.

🟡
Incorrect or misleading information (Art. 64(4))
€5,000,000 / 1%

Art. 64.4.

Alternatives

Criterion | European incident response retainer | Build internal reporting from scratch | Ignore Art. 14 until December 2027 | CRACheck
Cost | €20,000–€50,000/year | Free + months of work | €0 now | €149
Result | Full monitoring + reporting. Ongoing annual cost. | High risk of gaps in the 24h/72h/14d timeline. | Art. 14 applies from September 2026. 15 months of unprotected exposure. | 8 docs including ENISA template. Pre-structured for the three-step timeline. One-time payment.

You manufacture multiple product lines with shared firmware?

The ENISA notification template references a specific product. If a vulnerability affects multiple products, each notification references the specific product documentation. Generate dossiers for all product lines. Volume pricing: €99/product (10-pack), €79/product (30-pack).


What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

When exactly does Art. 14 apply?
Article 71 of Regulation (EU) 2024/2847 states: "Article 14 shall apply from 11 September 2026." This is not contingent on full CRA enforcement. If your product is on the EU market after 11 September 2026, the vulnerability reporting obligation is active.

What is the single reporting platform under Art. 16?
Article 16 mandates ENISA to establish a single reporting platform for vulnerability and incident notifications. CRACheck's ENISA Notification Template is structured to map to the information fields the platform will require.

Do we report to ENISA or to the national CSIRT?
Both. Article 14.1 requires simultaneous notification to the CSIRT designated as coordinator and to ENISA. The single reporting platform under Art. 16 handles the distribution.

What qualifies as an actively exploited vulnerability?
Article 14.1 covers vulnerabilities that a manufacturer becomes aware of as being actively exploited — meaning a malicious actor is using the vulnerability to compromise the product or its users. A vulnerability discovered by a researcher but not yet exploited triggers the CVD process but not mandatory Art. 14 reporting.

What about severe incidents?
Article 14.3 separately covers severe incidents impacting product security. The timeline mirrors vulnerability reporting: 24h early warning, 72h notification, 1 month final report. Note the final report timeline is 1 month for incidents, vs. 14 days for vulnerabilities.

Is this a subscription?
No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?
Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?
Regenerate at no additional cost during licence validity.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Article 14 applies from September 2026. Your vulnerability reporting process needs documentation now. Generate the 8-document dossier — 15 minutes, €149.

Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected