Assess readiness for EU CRA Article 14 vulnerability reporting obligations: capability to detect actively exploited vulnerabilities, the 24-hour early warning process, 72-hour notification to CSIRT/ENISA, endpoint configuration, and a coordinated disclosure policy. Vulnerability reporting obligations apply from 11 Sep 2026 — earlier than the main CRA applicability date.
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
⏱ CRA Article 14 vulnerability reporting timeline: 24 hours — early warning to national CSIRT (or ENISA) for actively exploited vulnerabilities. 72 hours — full notification with severity assessment and corrective measures. Full applicability 11 Dec 2027; Art. 14 reporting applies from 11 Sep 2026.
Scope
Terminal node of the cra-product-conformance chain (art-138→139→140). Assesses operational readiness for CRA Article 14 vulnerability disclosure obligations. All five capabilities must be in place: a detection process for actively exploited vulnerabilities, 24-hour early-warning workflow, 72-hour full notification workflow, CSIRT/ENISA reporting endpoint configured, and a published coordinated disclosure policy. Non-compliance from Sep 2026.