FAQ item index


Indexed coverage: 1072 of 1072 items across 40 modules
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Reporting Obligations

Does the CRA also require user notification?

Yes.

After becoming aware of an actively exploited vulnerability or severe incident, the manufacturer must inform impacted users and, where appropriate, all users, of the vulnerability or incident and of any risk-mitigation and corrective measures they can deploy. The CRA adds that this should, where appropriate, be provided in a structured, machine-readable format that is easily automatically processable.

Does CRA user notification always mean public disclosure to everyone?

Not automatically.

The March 2026 draft guidance says the Article 14(8) duty should be applied in a risk-based and proportionate way. It does not necessarily require indiscriminate public disclosure in every case, especially for sensitive products or contexts where wider disclosure could itself increase cybersecurity risk. Once the vulnerability has been adequately addressed or mitigated, broader disclosure may become appropriate, but the timing and level of detail should still remain proportionate.

What if the manufacturer does not inform users in time under the CRA?

Then the notified CSIRTs may provide that information to users where that is proportionate and necessary to prevent or mitigate the impact.

For severe incidents, Article 17(2) also allows the relevant CSIRT, after consulting the manufacturer and where appropriate in cooperation with ENISA, to inform the public or require the manufacturer to do so where public awareness is necessary or otherwise in the public interest.

Can dissemination of a notification be delayed because the information is sensitive?

Yes, in exceptional circumstances and only for the period strictly necessary.

Article 16 allows the CSIRT initially receiving the notification to delay dissemination on justified cybersecurity-related grounds, including coordinated vulnerability disclosure cases. The CRA also provides an additional regime for particularly exceptional vulnerability cases involving exploitation limited to one Member State, essential national interests, or imminent high cybersecurity risk from further dissemination.

What if no fix is available yet for CRA reporting purposes?

The reporting obligation still applies.

The 24-hour and 72-hour deadlines are triggered by awareness, not by the availability of a corrective measure. The final vulnerability report is due after a corrective or mitigating measure becomes available. Article 16(5) also recognises the case where no corrective or mitigating measure is yet available and requires secure, need-to-know handling on the reporting platform.

Do products placed on the market before 11 December 2027 still have to be reported under Article 14?

Yes.

Article 69(3) says Article 14 applies to all products with digital elements in scope, including products placed on the market before 11 December 2027. The Commission FAQ adds that these reporting obligations start applying on 11 September 2026.

For those pre-11 December 2027 products, do the broader CRA vulnerability-handling obligations also apply automatically?

No.

The Commission FAQ says manufacturers may still have to report actively exploited vulnerabilities and severe incidents for those older products, but the broader CRA obligations do not apply to them on that basis alone unless the product is substantially modified.

What if the product is so old that the manufacturer can no longer investigate or remediate it properly?

The reporting obligation can still apply.

The Commission FAQ expressly notes that, for older products, tooling, build environments, dependencies, or staff knowledge may no longer be available. That practical difficulty does not remove the Article 14 reporting duty for in-scope pre-11 December 2027 products.

Can CRA reporting be done voluntarily even where Article 14 does not require it?

Yes.

Article 15 allows manufacturers and other natural or legal persons to notify vulnerabilities, cyber threats affecting a product's risk profile, incidents, and near misses on a voluntary basis. The CSIRT may prioritise mandatory notifications over voluntary ones.

What happens under the CRA if someone other than the manufacturer submits a report?

If another natural or legal person reports an actively exploited vulnerability or severe incident under Article 15, the CSIRT designated as coordinator must inform the manufacturer without undue delay.

Does CRA reporting itself increase liability?

No.

The CRA expressly says the mere act of notification under Article 14 or Article 15 does not subject the notifying natural or legal person to increased liability.

What happens under the CRA after a vulnerability is reported and a corrective measure becomes available?

After a security update or another corrective or mitigating measure is available, ENISA must, in agreement with the manufacturer, add the publicly known vulnerability notified under Article 14(1) or Article 15(1) to the European vulnerability database.

Do open-source software stewards have the same reporting obligations as manufacturers?

Not in full.

Article 24(3) applies Article 14(1) to stewards only to the extent they are involved in development of the products. It applies Article 14(3) and Article 14(8) only to the extent that severe incidents affect network and information systems the stewards provide for the development of those products.

Is there any specific CRA reporting relief for microenterprises and small enterprises?

There is only a narrow one.

The CRA does not remove the reporting obligation itself, but Article 64 and Recital 120 provide that microenterprises and small enterprises are exempt from the administrative fines tied to failure to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a). Article 17(6) also says CSIRTs shall provide helpdesk support, in particular for microenterprises and SMEs.

If the manufacturer had already become aware of the issue before 11 September 2026, does Article 14 retroactively require notification on that date?

No, not just because that date arrived.

The Commission FAQ says the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements. So Article 14 starts applying on 11 September 2026, but the trigger is still awareness under that reporting regime rather than a retroactive duty caused by earlier awareness alone.

Can a manufacturer satisfy the mandatory Article 14 duty by notifying only ENISA?

No.

Mandatory notifications must be submitted via the single reporting platform using the electronic notification end-point of the relevant CSIRT designated as coordinator. ENISA gets simultaneous access through that mechanism, but Article 14 does not make direct ENISA-only filing the mandatory route.

If dissemination is delayed under Article 16, does that let the manufacturer delay its own notification?

No.

The CRA's delay mechanism applies after the CSIRT designated as coordinator has received the notification and concerns onward dissemination through the single reporting platform. On that basis, it does not change the manufacturer's own Article 14 deadlines, which still run from becoming aware.

Are importers or distributors the Article 14 reporters instead of the manufacturer?

No.

Article 14 places the mandatory CRA reporting duty on the manufacturer. Importers and distributors have their own related duties: if they become aware of a vulnerability, they must inform the manufacturer without undue delay, and if the product presents a significant cybersecurity risk, they must immediately inform the relevant market surveillance authorities.

Does voluntary reporting create extra obligations for the notifier, and is it handled confidentially?

Not in itself.

Article 15(5) says CSIRTs designated as coordinators and ENISA must ensure confidentiality and appropriate protection of the information provided by a voluntary notifier. It also says voluntary reporting does not create additional obligations that the notifying person would not otherwise have had.

Does CRA reporting also feed market-surveillance action?

Yes.

Article 16(3) says CSIRTs designated as coordinators must provide their national market surveillance authorities with the notified information necessary for those authorities to fulfil their CRA tasks. Recital 69 states the same reporting flow as part of the single-platform design.
