Article 14 of Regulation (EU) 2024/2847 requires manufacturers to notify ENISA of any actively exploited vulnerability within 24 hours of becoming aware of it. This obligation applies from 11 September 2026 — fifteen months before full CRA enforcement. You need a 24-hour early warning, a 72-hour vulnerability notification, and a 14-day final report. CRACheck generates a pre-structured notification template as part of the 8-document package.

The Art. 14 reporting obligation is the first CRA requirement to become active — 11 September 2026. From that date, manufacturers must notify ENISA through the single reporting platform whenever they become aware of an actively exploited vulnerability in their product or of a severe security incident. The notification follows a three-stage structure: 24-hour early warning, 72-hour vulnerability notification with technical details, and a 14-day final report with root cause analysis and remediation status. CRACheck generates a notification template pre-structured for all three stages. €149 per product. Part of the 8-document compliance package.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

11 Sept 2026

Art. 14 reporting obligation becomes active — 15 months before full CRA enforcement

24 hours

Early warning to ENISA after becoming aware of an actively exploited vulnerability

3 stages

Early warning (24h), vulnerability notification (72h), final report (14 days)

The Art. 14 notification process

Become aware of an actively exploited vulnerability

Art. 14 triggers when you become aware, not when you discover. If a researcher reports to you, the clock starts at reception.

Submit early warning (24h)

Notify ENISA through the single reporting platform within 24 hours. Include: manufacturer identification, product affected, preliminary severity.

Submit vulnerability notification (72h)

Within 72 hours: technical details, affected component, exploitation vector, severity assessment, and mitigation measures already taken.

Submit final report (14 days)

Within 14 days: root cause analysis, complete affected product list, remediation actions, and vulnerability status.

Notify affected users

Art. 13(11) requires manufacturers to inform users of actively exploited vulnerabilities and corrective measures.

Document in technical file

Update your technical documentation to reflect the vulnerability, the notification, and the remediation.

Common mistakes

❌

ART. 14 + ART. 71(2)

"Art. 14 only applies from December 2027."

Article 71(2) explicitly states that Article 14 shall apply from 11 September 2026. Manufacturers who wait until December 2027 will miss the reporting deadline by over a year.

❌

ART. 14(1)

"We only report if the vulnerability is in our code."

Article 14(1) requires notification of actively exploited vulnerabilities contained in the product — including third-party components, libraries, and dependencies.

❌

ART. 14(1) + ART. 16

"We report to our national CSIRT, not ENISA."

Article 14(1) requires notification to ENISA through the single reporting platform. ENISA handles distribution to CSIRTs. Notifying your national CSIRT alone does not satisfy Art. 14.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Classification under Annex III / IV.

Technical Documentation

Art. 31 + Annex VII. References vulnerability handling and notification procedures.

Risk Assessment

Annex I, Part II. Vulnerability handling requirements operationalised through Art. 14.

User Information

Annex II. Includes user notification framework for exploited vulnerabilities per Art. 13(11).

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

Art. 13(6). Governs how vulnerabilities are reported to you; Art. 14 governs how you report to ENISA.

Notification Template

Primary deliverable. Pre-structured for the three Art. 14 stages: early warning (24h), vulnerability notification (72h), final report (14 days).

Obligations Calendar

Art. 14 activation date (11 Sept 2026), reporting deadlines, review milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 AD-HOC INCIDENT RESPONSE

Cost per incident: €5,000–€25,000

Hours of scrambling to determine what to report

No pre-structured template

Each incident starts from scratch

✓ CRACHECK

€149 — Pre-structured notification template

Ready before the first incident

Part of an 8-document CRA package

Pack: €99/product (10), €79/product (30)

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

Documentation layer

CRACheck generates a pre-structured ENISA notification template with fields for all three Art. 14 reporting stages. Integrated with the CVD Policy, Risk Assessment, and Technical Documentation.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not do

CRACheck does not monitor your products for vulnerabilities. It does not detect exploitation. It does not submit notifications to ENISA on your behalf. The template is a preparation tool — execution requires your PSIRT or security team.

When a vulnerability hits, you will not have time to design a notification format. CRACheck ensures the template exists before the incident.

Enforcement regime

🔴

Art. 64(1) — Up to €15,000,000 or 2.5%

For failure to comply with Art. 14 notification obligations, including missing the 24-hour deadline.

🟠

Art. 64(2) — Up to €10,000,000 or 2%

For incomplete or delayed notification.

🟡

Art. 64(3) — Up to €5,000,000 or 1%

For providing inaccurate or misleading information in notifications to ENISA.

Alternatives

Criterion	Wait for ENISA template	DIY notification format	Incident response retainer	CRACheck
Available now	No (pending)	Uncertain quality	Reactive, per-incident	Yes, pre-structured
Cost	Free (when available)	Staff time	€5K–€25K per incident	€149 (proactive)
Art. 14 structure	TBD	Uncertain	Consultant-dependent	24h + 72h + 14d mapped
Integration with CRA file	TBD	None	None	8 documents integrated
CRACheck	Yes	€149	24h+72h+14d	Integrated

Notification templates for a product portfolio?

Each product needs its own notification template — Art. 14 reports are product-specific. Pack pricing: €99/product (10), €79/product (30). Be ready before 11 September 2026.

Request volume pricing

Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured notification template according to Article 14 of Regulation (EU) 2024/2847 based on the information you enter. The accuracy of your product identification, vulnerability descriptions, and remediation declarations during an actual incident is your responsibility as the manufacturer.

We guarantee that the template structure follows Art. 14's three-stage reporting requirements (24h, 72h, 14 days) and that the legal references cited are correct. We do not guarantee that a notification based on this template will be accepted by ENISA in a specific case.

CRACheck is not legal advice. For incident-specific legal questions about disclosure obligations, consult a qualified legal professional.

Frequently asked questions

What triggers the Art. 14 notification obligation?

Article 14(1) is triggered when a manufacturer becomes aware of any actively exploited vulnerability contained in the product. "Actively exploited" means there is evidence that a malicious actor has used the vulnerability against real targets — not merely that a proof of concept exists.

What is the single reporting platform?

Article 16 requires ENISA to establish a single reporting platform. The platform details are expected before the Art. 14 activation date of 11 September 2026.

Do I also report to my national CSIRT?

Article 14 requires notification to ENISA through the single reporting platform. ENISA forwards to the relevant CSIRTs. You may additionally notify your national CSIRT, but the Art. 14 obligation is satisfied by notifying ENISA.

What happens if I miss the 24-hour deadline?

Failure to meet Art. 14 reporting deadlines constitutes non-compliance. Sanctions under Art. 64 apply. Document the moment of awareness — the burden of proof is on the manufacturer.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Official legal sources

Regulation (EU) 2024/2847 — Cyber Resilience Act — full text

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.