EU CRA Article 14: Vulnerability & Incident Reporting from 11 Sept 2026

What is required, and from when?

From 11 September 2026, Article 14 of the EU Cyber Resilience Act (Regulation (EU) 2024/2847) makes vulnerability and incident reporting a binding obligation for manufacturers of products with digital elements. This is an in-force requirement with fixed deadlines, not an open comment period.

What must be reported?

• Any actively exploited vulnerability contained in a product with digital elements.
• Any severe incident having an impact on the security of a product with digital elements.

The duty reaches products already on the Union market, including those placed on the market before the CRA's general application date of 11 December 2027.

What are the reporting deadlines?

1. Early warning — within 24 hours of the manufacturer becoming aware of the vulnerability or incident.
2. Notification — within 72 hours, carrying more detailed information.
3. Final report — for an actively exploited vulnerability, no later than 14 days after a corrective or mitigating measure is available; for a severe incident, within one month of the 72-hour notification.

Where do the reports go?

Manufacturers file through a single reporting platform established and maintained by ENISA, due to be operational by 11 September 2026. A notification reaches the CSIRT designated as coordinator in the relevant Member State and, in parallel, ENISA.

What does Delegated Regulation (EU) 2026/881 add?

It does not set the reporting timelines or build the platform — those sit in Article 14 of the CRA itself. The delegated act, adopted 11 December 2025, defines the narrow, justified cybersecurity grounds on which a CSIRT that first receives a notification may delay passing it to other CSIRTs, so sensitive vulnerability details are not spread more widely than necessary before mitigation. Its Official Journal publication date could not be independently confirmed against the primary text at the time of writing.

How does this fit the wider CRA timeline?

• 10 December 2024 — the CRA entered into force (published in OJ L, 2024/2847, on 20 November 2024).
• 11 June 2026 — provisions on notification of conformity assessment bodies (Chapter IV) start to apply.
• 11 September 2026 — Article 14 reporting obligations start to apply.
• 11 December 2027 — the CRA becomes fully applicable for most manufacturer obligations.

What should manufacturers do before September 2026?

• Identify which products are 'products with digital elements' in scope and confirm the responsible legal manufacturer for each.
• Stand up an internal process that can meet a 24-hour early-warning clock — who decides, who files, out of hours.
• Register for and test access to the ENISA single reporting platform once it is available.
• Map each product to the coordinating CSIRT / Member State that would receive its notifications.