Legal review pending. CRA classification and obligations on this page require verification against the official regulation before relying on them for compliance decisions.

CRA Article 14: Active Vulnerability Reporting

Manufacturers must notify ENISA within 24 hours (early warning) and submit a detailed notification within 72 hours of becoming aware of active exploitation.

Last updated 2026-03-01

What Article 14 requires

Article 14 of the Cyber Resilience Act obliges manufacturers of products with digital elements to:

  1. Notify ENISA (via the national CSIRT) within 24 hours of becoming aware that a vulnerability is being actively exploited.
  2. Submit a detailed vulnerability notification within 72 hours.
  3. Provide a final report within 14 days, including remediation status.

Who it applies to

Any organisation that places a product with digital elements on the EU market, including software distributed commercially or as part of a service. Pure open-source projects maintained on a non-commercial basis are exempt, but commercial integrators are not.

Common triggers

  • A CVE with CVSS ≥ 9.0 affecting a component in your SBOM is added to CISA KEV (Fendora interpretation; the CRA does not define a CVSS threshold)
  • A security researcher discloses an exploit targeting your product
  • Your SIEM detects active exploitation against your deployed product

What a compliant response looks like

  1. Identify affected versions using your SBOM
  2. Notify ENISA via your national CSIRT portal
  3. Issue a customer advisory
  4. Ship a patched release within the 14-day window
  5. Record the incident in your vulnerability disclosure log
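As an added example that is not part of this article or of Fendora's own tooling, the Python below checks an SBOM component list against KEV-style records using the trigger given above (component present in KEV, still below the fixed version, CVSS ≥ 9.0) and derives the three Article 14 deadlines from the moment of awareness. Component names, versions, CVE ids and the awareness timestamp are constructed placeholders, and the "cvss" field is assumed to have been joined in from a scoring source, since CISA KEV itself carries no CVSS score.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-like component list; names, versions and CVE ids
# below are placeholders, not real vulnerabilities.
SBOM_COMPONENTS = [
    {"name": "example-http-parser", "version": "1.4.2"},
    {"name": "example-tls", "version": "3.0.8"},
    {"name": "example-logger", "version": "0.9.1"},
]

# Constructed KEV-style records. CISA KEV itself carries no CVSS score; the
# "cvss" field is assumed to have been joined in from a scoring source.
KEV_ENTRIES = [
    {"cveID": "CVE-0000-00001", "product": "example-http-parser",
     "fixed_in": "1.4.3", "cvss": 9.8, "dateAdded": "2026-02-27"},
    {"cveID": "CVE-0000-00002", "product": "example-tls",  # already patched
     "fixed_in": "3.0.5", "cvss": 9.1, "dateAdded": "2026-02-20"},
    {"cveID": "CVE-0000-00003", "product": "example-logger",  # below threshold
     "fixed_in": "1.0.0", "cvss": 7.5, "dateAdded": "2026-02-25"},
]

# Constructed moment of awareness; the Article 14 clock starts here (use UTC).
AWARE_AT = datetime(2026, 3, 1, 9, 30, tzinfo=timezone.utc)

def _ver(s: str) -> tuple[int, ...]:
    """Parse a dotted version; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))

def find_triggers(sbom, kev, cvss_threshold=9.0):
    """(cveID, component, version) for components listed in KEV that still run
    below the fixed version and score at or above the CVSS threshold."""
    hits = []
    for comp in sbom:
        for entry in kev:
            if (entry["product"] == comp["name"]
                    and entry["cvss"] >= cvss_threshold
                    and _ver(comp["version"]) < _ver(entry["fixed_in"])):
                hits.append((entry["cveID"], comp["name"], comp["version"]))
    return hits

def article14_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """The three Article 14 deadlines measured from the moment of awareness."""
    return {"early_warning": aware_at + timedelta(hours=24),
            "notification": aware_at + timedelta(hours=72),
            "final_report": aware_at + timedelta(days=14)}

if __name__ == "__main__":
    for cve, name, ver in find_triggers(SBOM_COMPONENTS, KEV_ENTRIES):
        print(cve, name, ver, article14_deadlines(AWARE_AT))
```

Keep the evidence that fixes the awareness timestamp (the alert, the researcher's e-mail, the SIEM event), because every deadline in the final report is measured from it.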