Cyber Resilience Act FAQ Reporting obligations

Manufacturers must report two categories once Article 14 applies: any actively exploited vulnerability contained in the product with digital elements, and any severe incident having an impact on the security of that product.

The duty applies from 11 September 2026. It is not limited to newly launched products: Article 69(3) extends Article 14 to in-scope products placed on the market before 11 December 2027.

The CRA definition requires reliable evidence that a malicious actor exploited the vulnerability in a system without the system owner's permission.

A vulnerability is therefore not reportable under Article 14 just because it exists, is serious, or has no patch yet. The Commission FAQ says zero-days discovered by ethical hackers, bug-bounty participants, or assessment laboratories are not mandatory Article 14 reports unless there is evidence of previous malicious exploitation. They may still be reported voluntarily under Article 15.

A severe incident is an incident affecting the security of the product with digital elements where either condition in Article 14(5) is met.

The first condition is a negative effect, or a capability to negatively affect, the product's ability to protect the availability, authenticity, integrity, or confidentiality of sensitive or important data or functions. The second is that the incident has led, or is capable of leading, to malicious code being introduced or executed in the product or in the user's network and information systems.

Recital 68 also links severe incidents to compromises of the manufacturer's processes when those compromises affect the product's security, so investigation should not be limited to deployed product telemetry.

The legal clock runs from when the manufacturer becomes aware of the actively exploited vulnerability or severe incident.

The draft Commission guidance says awareness follows an initial assessment: the manufacturer is regarded as aware when it has a reasonable degree of certainty that a vulnerability in its product is being actively exploited, or that a severe incident occurred and compromised the product's security. Teams should therefore record when the suspicious signal arrived, what initial assessment was performed, and when the assessment reached that threshold.

No. The Commission FAQ says Article 14 does not prescribe how a manufacturer becomes aware of an actively exploited vulnerability or severe incident.

The FAQ gives examples: customer or partner reports, threat intelligence, security researchers, government cybersecurity agencies, ethical hackers, telemetry, honeypots, internal scanning, and dark-web monitoring. Those examples do not create a duty to monitor every channel, but they are useful for designing intake and triage routes.

Article 14(2) creates three stages.

- Early warning: without undue delay and in any event within 24 hours of becoming aware.

- Vulnerability notification: without undue delay and in any event within 72 hours of becoming aware, unless the information was already provided.

- Final report: no later than 14 days after a corrective or mitigating measure is available.

The 24-hour and 72-hour deadlines do not wait for a patch. The final-report clock is tied to availability of a corrective or mitigating measure.

Article 14(4) also creates three stages.

- Early warning: without undue delay and in any event within 24 hours of becoming aware.

- Incident notification: without undue delay and in any event within 72 hours of becoming aware, unless the information was already provided.

- Final report: within one month after submission of the incident notification.

The severe-incident final report is therefore keyed to the 72-hour incident notification, not to patch availability.

For an actively exploited vulnerability, the early warning indicates, where applicable, the Member States where the manufacturer knows the product has been made available. The 72-hour vulnerability notification adds available information about the product, the general nature of the exploit and vulnerability, corrective or mitigating measures already taken, measures users can take, and the sensitivity of the notified information where applicable.

For a severe incident, the early warning must at least say whether the incident is suspected of being caused by unlawful or malicious acts, and where applicable identify Member States where the product has been made available. The 72-hour incident notification adds available information about the incident's nature, an initial assessment, corrective or mitigating measures already taken, user measures, and sensitivity.

For an actively exploited vulnerability, the final report must include a description of the vulnerability, its severity and impact, information about the malicious actor where available, and details of the security update or other corrective measures made available.

For a severe incident, the final report must include a detailed incident description, severity and impact, the likely threat type or root cause, and applied and ongoing mitigation measures.

The manufacturer files via the single reporting platform established by ENISA, using the electronic notification endpoint of the relevant CSIRT designated as coordinator. ENISA receives simultaneous access through that mechanism.

A direct ENISA-only notification is not the Article 14 route for mandatory reports. The route is CSIRT coordinator endpoint plus simultaneous ENISA access through the single reporting platform.

If the manufacturer has a main establishment in the Union, the relevant CSIRT is in the Member State where decisions related to product cybersecurity are predominantly taken. If that cannot be determined, it is the Member State where the manufacturer has the establishment with the highest number of employees in the Union.

If the manufacturer has no main establishment in the Union, Article 14(7) uses a fallback order based on the authorised representative, importer, distributor, and finally the Member State with the highest number of users. If the user-location fallback is used, later related reports may be sent to the same CSIRT coordinator.

The CSIRT coordinator that initially receives the notification disseminates it through the single reporting platform to the CSIRTs for Member States where the manufacturer indicated the product has been made available. CSIRTs designated as coordinators also provide national market surveillance authorities with notified information needed for CRA tasks.

The initially receiving CSIRT may request intermediate status updates. ENISA manages and maintains the platform, can receive relevant information for EU-level crisis coordination, prepares trend reports from notifications, and adds publicly known notified vulnerabilities to the European vulnerability database after a security update or other corrective or mitigating measure is available and in agreement with the manufacturer.

Yes, but the CRA frames this as an exceptional dissemination control after notification, not as extra time for the manufacturer to file.

Article 16 allows the initially receiving CSIRT to delay dissemination on justified cybersecurity-related grounds for only the period strictly necessary, including coordinated vulnerability disclosure cases. Article 16 also has a narrower exceptional process for actively exploited vulnerabilities where immediate wider dissemination would conflict with specified essential interests or create imminent high cybersecurity risk.

If no corrective or mitigating measure is available, ENISA and the CSIRTs network must provide procedures so information is shared under strict security protocols and on a need-to-know basis.

Yes. After becoming aware of an actively exploited vulnerability or severe incident, the manufacturer must inform impacted users and, where appropriate, all users. The notice must include any risk-mitigation and corrective measures users can deploy where necessary, and where appropriate must be structured, machine-readable, and easily automatically processable.

The Commission FAQ confirms this Article 14(8) user-notice duty also matters for older in-scope products placed on the market before 11 December 2027.

No. The draft Commission guidance says Article 14(8) should be applied in a risk-based and proportionate way. It does not require public or indiscriminate disclosure in every case.

Detailed information may be limited to affected users or customers where appropriate, especially for products used in sensitive or essential environments where public technical detail could increase cybersecurity risk or facilitate further exploitation. If the manufacturer does not inform users in time, the notified CSIRTs may inform users when proportionate and necessary to prevent or mitigate impact. For severe incidents, Article 17(2) also allows public information or a requirement that the manufacturer inform the public where public awareness is necessary or in the public interest.

If an actively exploited vulnerability in an integrated component is contained in the finished product, the finished-product manufacturer must notify it under Article 14 when aware of it. If the component manufacturer placed that component on the market separately, it may have its own Article 14 duty as well.

If the manufacturer knows the integrated component has a vulnerability but that vulnerability cannot be exploited in the finished product, the Commission FAQ says it is not an actively exploited vulnerability in that finished product for mandatory Article 14 reporting. Voluntary Article 15 reporting may still be used, and Article 13(6) can require upstream reporting to the person or entity manufacturing or maintaining the component.

Article 14 places the mandatory reporting duty on the manufacturer. Importers and distributors have related escalation duties rather than becoming the ordinary Article 14 reporter.

If an importer or distributor becomes aware of a vulnerability in the product, it must inform the manufacturer without undue delay. If it considers or has reason to believe the product presents a significant cybersecurity risk, it must also immediately inform the market surveillance authorities of the Member States where the product has been made available.

Yes. Article 15 allows manufacturers and other natural or legal persons to notify vulnerabilities, cyber threats that could affect a product's risk profile, incidents, and near misses on a voluntary basis to a CSIRT coordinator or ENISA.

The CSIRT may prioritise mandatory notifications over voluntary ones. If someone other than the manufacturer reports an actively exploited vulnerability or severe incident, the CSIRT coordinator must inform the manufacturer without undue delay. CSIRTs and ENISA must protect voluntary-notifier information, and voluntary reporting does not by itself impose extra obligations on the notifier.

Keep the evidence needed to support the classification and every report stage: original intake signal, source and timestamp, affected product and version, whether the issue is a product vulnerability or an incident, evidence of malicious exploitation or severe product-security impact, initial assessment notes, awareness-time decision, affected Member States where known, user-impact assessment, sensitivity marking, and any corrective or mitigating measures already taken or available to users.

For the final record, preserve severity and impact analysis, root-cause or threat-type assessment where available, malicious-actor information where available for exploited vulnerabilities, security update or mitigation details, user communications, CSIRT submissions, intermediate reports requested by a CSIRT, and the rationale for any delayed public or wider disclosure.

For older products, preserve practical investigation limits such as unavailable build environments, unsupported dependencies, missing tooling, or departed product knowledge. The Commission FAQ says those limits do not remove the Article 14 reporting duty, but they explain what could and could not be verified.

No. Article 17(4) says the mere act of notification under the mandatory or voluntary reporting provisions does not subject the notifier to increased liability.

That protection does not remove the underlying CRA obligations, but it is important for escalation playbooks because teams should not delay a required report simply because the act of notifying is visible to authorities.

There is narrow penalty relief, not a removal of the reporting duty. Article 64 exempts microenterprises and small enterprises from administrative fines for failure to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a).

The CRA also requires CSIRTs designated as coordinators to provide helpdesk support for Article 14 reporting, in particular for microenterprises and small or medium-sized enterprises.