EU CRA Clause Article 14
Reporting obligations for actively exploited vulnerabilities and severe incidents
Regulation (EU) 2024/2847 (Cyber Resilience Act)
Article 14 of the EU Cyber Resilience Act sets the vulnerability and incident reporting duty that applies from 11 September 2026. Manufacturers of products with digital elements must notify ENISA (routed to the relevant national CSIRT via the Single Reporting Platform) on a three-step timeline: an early warning within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, a substantive notification within 72 hours, and a final report within 14 days. The 'becoming aware' trigger is wide, so the clock starts at first credible internal awareness.
Where Forge applies this
Verified against the primary source. Standards are periodically revised — always confirm the current text.