When exactly does Art. 14 apply?

Article 71 of Regulation (EU) 2024/2847 states: "Article 14 shall apply from 11 September 2026." This is not contingent on full CRA enforcement. If your product is on the EU market after 11 September 2026, the vulnerability reporting obligation is active.

What is the single reporting platform under Art. 16?

Article 16 mandates ENISA to establish a single reporting platform for vulnerability and incident notifications. CRACheck's ENISA Notification Template is structured to map to the information fields the platform will require.

Do we report to ENISA or to the national CSIRT?

Both. Article 14.1 requires simultaneous notification to the CSIRT designated as coordinator and to ENISA. The single reporting platform under Art. 16 handles the distribution.

What qualifies as an actively exploited vulnerability?

Article 14.1 covers vulnerabilities that a manufacturer becomes aware of as being actively exploited — meaning a malicious actor is using the vulnerability to compromise the product or its users. A vulnerability discovered by a researcher but not yet exploited triggers the CVD process but not mandatory Art. 14 reporting.

What about severe incidents?

Article 14.3 separately covers severe incidents impacting product security. The timeline mirrors vulnerability reporting: 24h early warning, 72h notification, 1 month final report. Note the final report timeline is 1 month for incidents, vs. 14 days for vulnerabilities.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Article 14 of Regulation (EU) 2024/2847 applies from 11 September 2026 — fifteen months before the full CRA enforcement date. If an actively exploited vulnerability is discovered in your product, you must notify ENISA and the designated CSIRT within 24 hours. Then a full notification within 72 hours. Then a final report within 14 days of the corrective measure. CRACheck generates the pre-structured notification template as part of the 8-document Annex VII dossier.

The vulnerability reporting obligation is the first CRA requirement to take effect. From 11 September 2026, every manufacturer of a product with digital elements on the EU market must report actively exploited vulnerabilities through the single reporting platform established under Article 16. The reporting timeline is explicit: 24-hour early warning, 72-hour vulnerability notification, 14-day final report. If you manufacture in China and a vulnerability in your firmware is exploited in Europe, the obligation applies to you. CRACheck generates 8 PDF documents including the ENISA Notification Template pre-structured for the three-step reporting timeline. 15-25 minutes. €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

24h

Early warning to ENISA after becoming aware of an actively exploited vulnerability. Art. 14.2(a).

72h

Vulnerability notification with general information and corrective measures. Art. 14.2(b).

14 days

Final report after corrective measure is available. Art. 14.2(c).

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Understand the obligation

Art. 14.1: notify actively exploited vulnerabilities. Art. 14.3: notify severe incidents impacting product security. Both go to the CSIRT designated as coordinator and to ENISA via the single reporting platform (Art. 16).

Designate your reporting contact

Who in your organisation monitors vulnerability databases, receives external reports and has authority to file the ENISA notification? This person needs 24/7 availability for the 24h timeline.

Generate CRACheck dossier

Doc 7 (ENISA Notification Template) pre-structures the three-step reporting timeline. Doc 6 (CVD Policy) establishes the inbound channel for vulnerability reports.

Test the process

Simulate a vulnerability disclosure. Can your team file the 24h early warning within the timeline? If not, adjust.

Integrate with your vulnerability handling

The Annex I Part II requirements for vulnerability handling feed directly into the Art. 14 reporting obligation.

Go live on 11 September 2026

Your reporting process and documentation must be operational by this date. Full CRA enforcement follows on 11 December 2027.

Common mistakes

❌

ART. 14.1

"Vulnerability reporting starts in December 2027 with everything else"

Article 71 explicitly states that Article 14 shall apply from 11 September 2026. This is 15 months before full CRA enforcement. If a vulnerability in your product is actively exploited after September 2026 and you fail to report, you are in breach before most other obligations even apply.

❌

ART. 14.2(a)

"24 hours is for the full report — we have time to investigate before notifying"

Article 14.2(a) requires an early warning within 24 hours. This is not the full report — it is an initial notification. Art. 14.2(b) gives you 72 hours for the detailed notification. Art. 14.2(c) gives you 14 days for the final report. The 24h timeline is for the early warning only.

❌

ART. 14.1

"We only need to report to ENISA if the vulnerability affects EU users"

Article 14.1 requires notification of any actively exploited vulnerability in the product — not only those affecting EU users. The notification is simultaneous to the CSIRT designated as coordinator and to ENISA. If the vulnerability exists in a product placed on the EU market, the obligation applies regardless of where the exploit occurs.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification. Reporting obligations apply to all products regardless of classification.

Technical Documentation

Art. 31 + Annex VII. Includes vulnerability handling processes (Annex VII point 2(b)) that underpin the Art. 14 reporting obligation.

Risk Assessment

Art. 13.2-13.3. Identifies vulnerability categories and impact severity that inform reporting thresholds.

User Information

Annex II. Includes the vulnerability reporting contact address for external reporters.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

The inbound channel — how researchers and users report vulnerabilities to you. Feeds into your Art. 14 outbound reporting to ENISA.

Notification Template

Art. 14. Pre-structured for the three-step timeline: 24h early warning (Art. 14.2(a)), 72h vulnerability notification (Art. 14.2(b)), 14-day final report (Art. 14.2(c)). Also covers severe incident reporting under Art. 14.3-14.4.

Obligations Calendar

Art. 14 from 11 September 2026 highlighted. Full enforcement 11 December 2027.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 INCIDENT RESPONSE RETAINER WITH EUROPEAN FIRM

€20,000–€50,000/year

Annual retainer. Monitoring + reporting. Ongoing cost.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history