A library interior with bookshelves flanking an arched doorway

CRA Vulnerability Handling and Reporting (Article 14)

Find vulnerabilities in your product, fix them in time, and report actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and ENISA.

Build your vulnerability handling expertise

Five guides that walk you through what to do day to day, who to call when something goes wrong, and how to stay inside the reporting deadlines.

Handle vulnerabilities in your product

The eight things every manufacturer needs to do throughout the support period to find, fix, and ship security updates to users.

Read guide →

Report incidents and exploited vulnerabilities to ENISA

What to send, when to send it, and how the 24 hour, 72 hour, and final report clocks work once you spot an active exploit or a severe incident.

Read guide →

Publish a vulnerability disclosure policy

How to set up a single contact point for security researchers, write the policy they expect to see, and handle the reports that come in.

Read guide →

Score vulnerability severity with CVSS, EPSS, and KEV

Use the three standard signals together to decide what to patch first, and recognise when a vulnerability becomes an exploited one you must report.

Read guide →

Get set up on the ENISA reporting platform

Register your company, route reports to the right national CSIRT, and put an internal escalation flow in place so the 24 hour clock never catches you cold.

Read guide →

← Back to CRA compliance hub