A library interior with bookshelves flanking an arched doorway

CRA Vulnerability Handling and Reporting (Article 14)

Set up Annex I Part II vulnerability handling and the Article 14 ENISA reporting flow that runs alongside it.

Build your vulnerability handling expertise

Five focused guides covering the eight handling requirements, ENISA reporting deadlines, CVD policy, severity scoring, and SRP onboarding.

Set up vulnerability handling (Annex I Part II)

The eight ongoing handling requirements every manufacturer must implement during the support period, and how they link to the SBOM produced under Annex I Part II point 1.

Read guide →

Report incidents to ENISA under Article 14

The 24-hour early warning, 72-hour notification, and final-report deadlines (14 days for vulnerabilities, 1 month for severe incidents) plus the ENISA SRP submission flow.

Read guide →

Run a coordinated vulnerability disclosure policy

Annex I Part II point 5 plus Article 13(17): how to publish a CVD policy, run a single point of contact, and coordinate with external researchers and ENISA.

Read guide →

Score severity with CVSS, EPSS, and KEV

CVSS, EPSS, and CISA KEV as operational signals for the CRA's open-ended duties: prioritisation under Annex I Part II and triggering the Article 14 reporting clock.

Read guide →

Onboard to the ENISA Single Reporting Platform

Registration on the ENISA Single Reporting Platform, CSIRT routing, internal escalation flow, and how to hit the 24-hour Article 14(1) clock from detection.

Read guide →

← Back to CRA compliance hub