Reg (EU) 2024/2847

Article 14 of Regulation (EU) 2024/2847 requires manufacturers to notify ENISA of any actively exploited vulnerability within 24 hours of becoming aware of it. This obligation applies from 11 September 2026 — fifteen months before full CRA enforcement. You need a 24-hour early warning, a 72-hour vulnerability notification, and a 14-day final report. CRACheck generates a pre-structured notification template as part of the 8-document package.

The Art. 14 reporting obligation is the first CRA requirement to become active — 11 September 2026. From that date, manufacturers must notify ENISA through the single reporting platform whenever they become aware of an actively exploited vulnerability in their product or of a severe security incident. The notification follows a three-stage structure: 24-hour early warning, 72-hour vulnerability notification with technical details, and a 14-day final report with root cause analysis and remediation status. CRACheck generates a notification template pre-structured for all three stages. €149 per product. Part of the 8-document compliance package.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 14 notification · 24h + 72h + 14 days · 8 documents · 100% browser-side

Key figures

11 Sept 2026: Art. 14 reporting obligation becomes active — 15 months before full CRA enforcement
24 hours: Early warning to ENISA after becoming aware of an actively exploited vulnerability
3 stages: Early warning (24h), vulnerability notification (72h), final report (14 days)

The Art. 14 notification process

1. Become aware of an actively exploited vulnerability
   Art. 14 triggers when you become aware, not when you discover. If a researcher reports to you, the clock starts at reception.

2. Submit early warning (24h)
   Notify ENISA through the single reporting platform within 24 hours. Include: manufacturer identification, product affected, preliminary severity.

3. Submit vulnerability notification (72h)
   Within 72 hours: technical details, affected component, exploitation vector, severity assessment, and mitigation measures already taken.

4. Submit final report (14 days)
   Within 14 days: root cause analysis, complete affected product list, remediation actions, and vulnerability status.

5. Notify affected users
   Art. 13(11) requires manufacturers to inform users of actively exploited vulnerabilities and corrective measures.

6. Document in technical file
   Update your technical documentation to reflect the vulnerability, the notification, and the remediation.

Common mistakes

ART. 14 + ART. 71(2)

"Art. 14 only applies from December 2027."

Article 71(2) explicitly states that Article 14 shall apply from 11 September 2026. Manufacturers who wait until December 2027 will miss the reporting deadline by over a year.

ART. 14(1)

"We only report if the vulnerability is in our code."

Article 14(1) requires notification of actively exploited vulnerabilities contained in the product — including third-party components, libraries, and dependencies.

ART. 14(1) + ART. 16

"We report to our national CSIRT, not ENISA."

Article 14(1) requires notification to ENISA through the single reporting platform. ENISA handles distribution to CSIRTs. Notifying your national CSIRT alone does not satisfy Art. 14.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
   Classification under Annex III / IV.

2. Technical Documentation
   Art. 31 + Annex VII. References vulnerability handling and notification procedures.

3. Risk Assessment
   Annex I, Part II. Vulnerability handling requirements operationalised through Art. 14.

4. User Information
   Annex II. Includes user notification framework for exploited vulnerabilities per Art. 13(11).

5. Declaration of Conformity
   Art. 28 + Annex V.

6. CVD Policy
   Art. 13(6). Governs how vulnerabilities are reported to you; Art. 14 governs how you report to ENISA.

7. Notification Template
   Primary deliverable. Pre-structured for the three Art. 14 stages: early warning (24h), vulnerability notification (72h), final report (14 days).

8. Obligations Calendar
   Art. 14 activation date (11 Sept 2026), reporting deadlines, review milestones.


Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 AD-HOC INCIDENT RESPONSE
Cost per incident: €5,000–€25,000
Hours of scrambling to determine what to report
No pre-structured template
Each incident starts from scratch
Last regulatory check: 1 May 2026 · No substantive changes detected