CRA Vulnerability Reporting: ENISA SRP, 24h/72h/14d clock

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) makes vulnerability reporting a hard, time-bound legal duty for every manufacturer of a product with digital elements. From 11 September 2026, Article 14 requires actively exploited vulnerabilities and severe incidents to be reported through the ENISA Single Reporting Platform (SRP). Both streams share a 24-hour early warning and a 72-hour notification, but the final-report clock differs: 14 days after a corrective measure is available for vulnerabilities (Article 14(2)(c)), and 1 month after the 72-hour notification for severe incidents (Article 14(4)(c)). The reporting regime is backed by a mandatory coordinated vulnerability disclosure (CVD) policy under Annex I Part II. This page is the canonical reference: what the law requires, when each clock starts, what a compliant CVD policy must contain, how VEX supports the "no known exploitable vulnerabilities" obligation, and which Article 64 fines apply when reporting fails.

Summary

  • Article 14 reporting starts 11 September 2026: shared 24h early warning + 72h notification across both streams; 14d final report for vulnerabilities (Art. 14(2)(c), from corrective measure available); 1 month final report for severe incidents (Art. 14(4)(c), from 72h notification).
  • Submit once via the ENISA SRP: the platform routes simultaneously to your coordinator CSIRT and to ENISA (Art. 14(1), Art. 16(1)).
  • "Actively exploited" means a malicious actor has used the flaw, not disclosure, not a public PoC, not researcher demonstration.
  • A CVD policy is mandatory under Annex I Part II: written, published, enforced. No size threshold removes it.
  • VEX answers "does this CVE actually affect my product?" and is the operational mechanism behind the CRA's "no known exploitable vulnerabilities" requirement.
  • Maximum fines: €15M or 2.5% of global turnover under Article 64 (top tier, applies to Article 14 failures).
24h
Early warning
actively exploited vulns, Art. 14(2)(a)
72h
Notification
technical detail, Art. 14(2)(b)
14d / 1mo
Final report
vuln from corrective measure, Art. 14(2)(c); severe incident from 72h notification, Art. 14(4)(c)
€15M / 2.5%
Top-tier fine
Article 64, whichever is higher

The four numbers that define CRA vulnerability reporting: warning, notification, final report, and the penalty ceiling.

The 24-hour clock starts at awareness, not confirmation

Article 14 uses a "reasonable belief" standard. The clock starts the moment evidence makes active exploitation a credible conclusion (customer reports, threat intelligence, suspicious access patterns). Forensic certainty is not required and waiting for it will miss the deadline.

What Does the CRA Require for Vulnerability Reporting?

Article 14 of the Cyber Resilience Act is the operational core of the regulation's incident-handling regime. It places three duties on every manufacturer of a product with digital elements placed on the EU market:

  1. Notify any actively exploited vulnerability in the product simultaneously to the coordinator CSIRT and to ENISA, on the 24h / 72h / 14d cadence (Art. 14(1), 14(2)).
  2. Notify any severe incident affecting the security of the product on a 24h / 72h / 1-month cadence (Art. 14(3), 14(4)).
  3. Inform users of the affected product about the vulnerability or incident and any corrective measures, without undue delay (Art. 14(8)).

Article 14 sits alongside two other obligations that this page also covers: the mandatory CVD policy under Annex I Part II, and the "no known exploitable vulnerabilities" requirement under Annex I Part I, which is why VEX matters for a CRA-compliant product. None of these obligations carry a size threshold. SMEs benefit from a narrow penalty relief on the 24-hour clock (see below) but are not exempt from reporting.

The ENISA Single Reporting Platform (SRP)

The SRP is the single channel through which every Article 14 notification flows. It exists because Article 14(1) requires the manufacturer to notify the coordinator CSIRT and ENISA simultaneously, and 27 separate filings would be unworkable. Article 16(1) places the platform under ENISA's operational responsibility: "the day-to-day operations of that single reporting platform shall be managed and maintained by ENISA."

How it works in practice:

  • You submit once, using the electronic end-point of the CSIRT designated as your coordinator under Article 14(7).
  • The submission lands simultaneously at the coordinator CSIRT and at ENISA.
  • The coordinator CSIRT then disseminates the notification to CSIRTs in other Member States where your product is placed on the market (Art. 16). That secondary dissemination is the CSIRT's responsibility, not the manufacturer's.
  • Article 16(2) allows a CSIRT to delay onward dissemination in particularly exceptional circumstances. Article 16(6) allows a delay during coordinated disclosure with the manufacturer's consent.

Status as of May 2026: the SRP is scheduled to be operational by 11 September 2026, per the ENISA SRP page. The implementation was tendered under ENISA/2025/OP/0001 (4-year contract) with the tender closing in March 2025. The vendor has not been publicly disclosed. No registration URL has been published. A pre-launch testing period is expected; specific dates have not been announced. Implementing acts under Article 14 setting the formats and structure of notifications were still pending at the time of writing.

What manufacturers should do now: identify your coordinator CSIRT under Article 14(7), draft and pre-approve report templates for the 24h, 72h, and final-report submissions in both streams (14 days for vulnerabilities under Article 14(2)(c) and 1 month for severe incidents under Article 14(4)(c)), and define an out-of-hours escalation rota. Templates and processes cannot be drafted while the 24-hour clock is running.

Reporting Timelines in Detail

Both vulnerabilities and severe incidents follow a staged reporting model. The clocks differ on the final-report leg.

Article 14 Reporting Timetable

Stage Vulnerability (Art. 14(2)) Severe incident (Art. 14(4)) Clock anchor
Early warning 24 hours 24 hours Manufacturer becomes aware
Detailed notification 72 hours 72 hours Manufacturer becomes aware
Final report 14 days after a corrective or mitigating measure is available 1 month after the 72-hour incident notification Different anchor for each track
User information Without undue delay Without undue delay Per Art. 14(8)

What Each Submission Contains

Early warning (24 hours). Minimum information to alert authorities: manufacturer identity, affected product and version, brief description, initial severity, whether exploitation is confirmed or suspected, and an indication of impact scope. The early warning is an alert, not an analysis.

Detailed notification (72 hours). Two distinct duties live at this stage. The 72-hour vulnerability notification under Article 14(2)(b) applies to actively exploited vulnerabilities. The 72-hour incident notification under Article 14(4)(b) applies to severe incidents. In both cases the submission expands on the early warning with technical details, affected versions and configurations, exploitation method (if known), current mitigation status, remediation timeline, known affected user scope, and any ongoing coordination with other parties.

Final report. For vulnerabilities, the 14-day clock starts "no later than 14 days after a corrective or mitigating measure is available" (Art. 14(2)(c)), not from discovery and not from the 72-hour notification. For severe incidents, the 1-month clock anchors to the 72-hour incident notification under Article 14(4)(c). The final report covers root cause, full technical description, remediation actions taken, prevention measures implemented, and confirmed impact assessment.

  1. Manufacturer awareness. The 24-hour clock starts the moment reasonable belief of active exploitation is formed.
  2. + 24 hours. Early warning submitted via the ENISA SRP (Art. 14(2)(a)).
  3. + 72 hours. Detailed notification submitted with technical details, affected versions, and mitigation status (Art. 14(2)(b)).
  4. Corrective or mitigating measure available. The 14-day final-report clock starts here, not at discovery.
  5. + 14 days. Final report submitted: root cause, full technical description, remediation, confirmed impact (Art. 14(2)(c)).

What Triggers a Reporting Obligation?

Article 14 covers two trigger categories.

1. Actively Exploited Vulnerabilities

A vulnerability in your product that:

  • is known to you (discovered internally or reported externally),
  • has been used by a malicious actor, and
  • affects, or could affect, users of the product.

The CRA defines an actively exploited vulnerability as one where "a malicious actor makes use of a flaw." This is not the same as public disclosure, a published proof-of-concept, or a researcher demonstrating exploitability. The trigger is actual malicious use.

2. Severe Incidents

Security incidents that impact the product's security, compromise the development environment in a way that affects product security, cause widespread service disruption to users, or result in widespread compromise.

Reportable vs Non-Reportable Scenarios

Scenario Reportable? Why
Researcher reports a vulnerability privately No No exploitation evidence; handle through CVD
PoC published on GitHub No Publication is not exploitation
Customer reports activity consistent with the vulnerability Yes Reasonable belief threshold met
Vulnerability detected being exploited in the wild Yes Active malicious use
Component in your SBOM has a known exploited CVE Assess Reportable only if exploitation affects your product (VEX matters here)
Your product is targeted by named threat actors Yes Direct exploitation evidence
Generic malware uses a vulnerability class your product has Assess Only if your specific implementation is affected

The "Reasonable Belief" Standard

Forensic proof of exploitation is not required. The Article 14 standard is reasonable belief based on available evidence: unusual access patterns consistent with known exploit techniques, customer reports of compromise, threat intelligence indicating your product is targeted, or detection of exploit code designed for your product. When uncertain, report. A premature early warning that turns out to be unfounded is far better than a missed deadline for actual exploitation, and the 72-hour notification can update the assessment.

Coordinated Vulnerability Disclosure (CVD) Policy: the link to Article 14

Annex I Part II point 5 of the CRA requires manufacturers to "put in place and enforce a policy on coordinated vulnerability disclosure." The CVD policy is the operational mechanism that turns external researcher reports into a structured triage flow and, when active exploitation is detected during triage, fires the Article 14 reporting clock in parallel. The policy is mandatory for every product with digital elements; there is no SME or size threshold. The minimum delivery is a public URL plus a security.txt file under /.well-known/security.txt (RFC 9116) so reports are discoverable by the researchers the regulation is designed to channel.

For the CVD policy itself, including required contents, disclosure-window conventions, safe-harbour language and researcher-communication templates, see the dedicated CRA Coordinated Vulnerability Disclosure guide. For how CVD sits among the other Annex I Part II duties (SBOM, remediation, secure updates, free-of-charge delivery), see CRA vulnerability handling. This page focuses on the Article 14 reporting cadence that triggers when triage confirms active exploitation.

VEX: Communicating Vulnerability Applicability

Annex I Part I requires CRA products to ship with no known exploitable vulnerabilities and to be delivered with a secure-by-default configuration. SBOM scanning produces long lists of CVEs against components, most of which are not actually exploitable in your specific product. VEX (Vulnerability Exploitability eXchange) is the mechanism that turns those raw scan results into a defensible "not affected / affected / fixed / under investigation" position per CVE, which is what the regulation, harmonised standards in development, and German procurement under BSI TR-03183 Part 3 all expect.

What VEX Is

VEX is a structured, machine-readable statement about whether a vulnerability in a component actually affects a specific product. It answers: "CVE-XXXX exists in our SBOM. Does it affect our product, why or why not, and what should the user do?" The four core states are:

State Meaning
not_affected Vulnerability exists in the component but does not affect this product (vulnerable code path unreachable, function not called, configuration mitigates, etc.). A justification is expected.
affected Vulnerability affects this product. Action and recommendation expected.
fixed Vulnerability was present and has been remediated in this version.
under_investigation Status not yet determined; assessment ongoing.

CRA Connection

VEX is not named in the CRA text, but it is the operational tool behind three of the regulation's clauses:

  • Annex I Part I, no known exploitable vulnerabilities. A not_affected VEX statement with a documented justification is the evidence that you have evaluated a CVE and concluded it does not apply. Without it, every CVE in your SBOM is a presumed liability.
  • Annex I Part II, vulnerability handling. VEX is the audit trail of how each CVE moved from under_investigation to not_affected, affected, or fixed over time.
  • Article 14, reporting triggers. A vulnerability marked affected and known to be actively exploited is exactly the trigger that starts the 24-hour clock. A vulnerability marked not_affected with sound justification is not.

VEX Formats

Two formats matter in practice. CycloneDX VEX is embedded directly in a CycloneDX SBOM under vulnerabilities[].analysis. CSAF VEX is a separate document in CSAF 2.0 (the format BSI TR-03183 Part 3 requires for security advisories, and the format German CERTs publish and consume by default). Both are machine-readable and both satisfy the same operational role.

A minimal CycloneDX VEX assertion:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2027-XXXXX",
      "source": { "name": "NVD" },
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "The vulnerable function is not called in our implementation."
      },
      "affects": [{ "ref": "pkg:generic/openssl@3.0.12" }]
    }
  ]
}

The CycloneDX 1.5 specification defines six analysis states (in_triage, exploitable, not_affected, false_positive, resolved, resolved_with_pedigree), a finer-grained vocabulary than OpenVEX's four (not_affected, affected, fixed, under_investigation), which it maps onto. BSI TR-03183 Part 3 expects VEX statements alongside SBOMs for CRA-aligned products. For the full SBOM and BSI TR-03183 picture, see the SBOM cluster guide.

SME Exemptions and Reduced Obligations

Article 64(10) provides a narrow penalty relief for the smallest manufacturers. It does not exempt anyone from reporting.

Microenterprises and small enterprises (defined as fewer than 50 employees and an annual turnover or balance sheet of up to EUR 10 million; microenterprises: fewer than 10 employees, EUR 2 million) are exempt from fines specifically for missing the 24-hour early-warning deadlines under Article 14(2)(a) and Article 14(4)(a). The relief covers timing fines on the 24-hour leg only.

Still required, with no SME relief:

  • The 72-hour detailed notification (Art. 14(2)(b) and 14(4)(b)).
  • The 14-day final report for vulnerabilities and the 1-month final report for severe incidents.
  • The CVD policy under Annex I Part II.
  • All other CRA obligations, including the "no known exploitable vulnerabilities" requirement under Annex I Part I.

Medium enterprises (up to 250 employees) are not covered by the SME relief at all. The exemption is a narrow penalty carve-out, not a reduced reporting regime.

Common Mistakes

  • Waiting for forensic certainty before starting the clock. Article 14 uses a reasonable-belief standard. Waiting for proof misses the deadline.
  • Confusing CVD with Article 14 reporting. A researcher report is a CVD input; Article 14 reporting is triggered when there is evidence of active exploitation. The CVD policy must contain an explicit gate for this.
  • Single-point-of-failure escalation. One person authorised to report, unreachable on a Friday night. The 24-hour clock does not pause.
  • First contact with the coordinator CSIRT during an incident. Establish the relationship and the routing now, while there is no clock running.
  • No published CVD policy. The Annex I Part II obligation is not satisfied by an internal document.
  • No VEX assertions. Every CVE in your SBOM is presumed exploitable until you say otherwise. Annex I Part I is much harder to defend without VEX.
  • Treating the SRP launch as a future problem. Templates, escalation rotas, and CSIRT relationships have to be in place before September 2026, not built afterwards.

Frequently Asked Questions

When does CRA Article 14 vulnerability reporting apply?

Article 14 reporting obligations apply from 11 September 2026 (Art. 71 transitional regime). From that date, every manufacturer of a product with digital elements placed on the EU market must submit early warnings, detailed notifications, and final reports through the ENISA Single Reporting Platform on the 24h / 72h / 14d cadence (or 24h / 72h / 1 month for severe incidents). Full CRA enforcement, including the "no known exploitable vulnerabilities" obligation, follows on 11 December 2027.

What is the ENISA Single Reporting Platform (SRP)?

The SRP is the single channel through which Article 14 notifications are submitted. ENISA establishes and operates it under Article 16(1). A manufacturer submits once, the submission lands simultaneously at the coordinator CSIRT and at ENISA, and the CSIRT disseminates the notification to other Member States where the product is placed on the market. The platform is scheduled to be operational by 11 September 2026; the implementation was tendered under ENISA/2025/OP/0001 and the vendor has not been publicly disclosed. No registration URL has been published as of May 2026.

Is a coordinated vulnerability disclosure (CVD) policy required by the CRA?

Yes. Annex I Part II requires manufacturers to "put in place and enforce a policy on coordinated vulnerability disclosure." The policy must exist in writing, must be implemented when reports arrive, and must be enforced consistently. The CRA does not prescribe the contents, but the practical expectation (backed by ENISA guidance and ISO/IEC 29147) is a public document covering scope, contact methods (including security.txt), response commitments, disclosure timeline, legal safe harbour, recognition, out-of-scope items, and an explicit gate that triggers Article 14 reporting when active exploitation is detected.

What is VEX and do I need it for CRA compliance?

VEX (Vulnerability Exploitability eXchange) is a machine-readable statement about whether a vulnerability in an SBOM component actually affects a specific product. The CRA does not name VEX, but Annex I Part I requires products to ship with "no known exploitable vulnerabilities", and without VEX every CVE in your SBOM is presumed to apply. VEX assertions (CycloneDX-embedded or standalone CSAF documents) are the operational mechanism that lets you defend a "not affected" position with a documented justification. BSI TR-03183 Part 3 expects VEX alongside SBOMs for CRA-aligned products, which makes it the de facto requirement for German procurement and the harmonised-standards work in progress.

What are the fines for late or missing CRA Article 14 reporting?

Failures to meet Article 14 obligations fall in the top penalty tier under Article 64: up to €15,000,000 or, if the offender is an undertaking, up to 2.5% of total worldwide annual turnover, whichever is higher. Mid-tier violations of other obligations carry up to €10,000,000 or 2%. Providing misleading information to authorities carries up to €5,000,000 or 1%. Microenterprises and small enterprises are exempt from fines specifically for missing the 24-hour early-warning deadline under Article 64(10), but not for missing the 72-hour notification or 14-day final report. Medium enterprises receive no SME relief.

Where do I submit if my product is sold in multiple Member States?

One submission to the SRP, addressed to the coordinator CSIRT for the Member State where your organisation has its main establishment (Article 14(7)). For non-EU manufacturers, the cascade goes: Member State of your authorised representative, then your importer, then your distributor, then the country with the greatest user concentration. You do not file separately in every Member State where the product is sold. Under Article 16, the coordinator CSIRT disseminates the notification onward to other Member States.

Does the 24-hour clock pause for weekends and holidays?

No. Article 14 deadlines run on calendar time, not business time. The 24-hour early warning, the 72-hour notification, and the 14-day or 1-month final report all run continuously from the moment of reasonable belief, the early warning, or the corrective measure becoming available. An out-of-hours escalation rota and pre-authorised reporters covering weekends and public holidays are an operational requirement, not optional.

How does Article 14 reporting interact with NIS 2?

Article 14 covers product-level vulnerabilities and incidents. NIS 2 covers organisation- or service-level incidents at essential and important entities. A single event may trigger both regimes (for example, a vulnerability exploited in your SaaS product that is also a NIS 2 essential entity service). Each regime has its own competent authorities and channels: the SRP for CRA Article 14, and the NIS 2 single point of contact in each Member State. The interaction between the two channels has not been confirmed in final guidance. Any claim that the SRP routes for both regimes should be treated as unconfirmed until ENISA or the Commission publishes definitive implementing acts.

What to do before 11 September 2026

  1. Publish a security.txt file at /.well-known/security.txt (RFC 9116) with a monitored contact address and an expiry past 11 September 2026. This is the fastest way to open a verifiable intake channel.
  2. Publish a CVD policy that meets Annex I Part II: scope, contacts, response commitments, 90-day disclosure window, legal safe harbour, ENISA Article 14 gate, and out-of-scope items. Use the skeleton above as a starting point.
  3. Identify your coordinator CSIRT under Article 14(7) and document the routing decision with a date (main establishment for EU manufacturers, authorised-representative cascade for non-EU).
  4. Define a pre-authorised escalation rota covering weekends and public holidays. At least two named individuals must be able to file an early warning without senior sign-off. Run a tabletop drill before September 2026.
  5. Pre-draft early-warning and 72-hour notification templates so the data you owe is structured before the clock is running, not while it is.
  6. Wire VEX into the SBOM lifecycle: every CVE that hits your SBOM scanner gets an analysis state and a justification. Without VEX, defending Annex I Part I is much harder. The SBOM cluster guide covers the SBOM side; this page covers the reporting side.
  7. Monitor the ENISA SRP page for the registration URL and the testing-period window. Register as soon as testing opens so your submission workflow is validated before the deadline. If you would rather not wire ENISA reporting from scratch, CRA Evidence tracks Article 14 awareness timestamps, SBOM-linked product versions, and the CSIRT routing inputs needed for SRP submissions.