What are the Cyber Resilience Act reporting deadlines?
Direct answer
Under Article 14, from 11 September 2026 manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA single reporting platform in three stages: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days after a vulnerability is fixed, or within one month for a severe incident.
Key Facts
- Legal basis: CRA Article 14, using the single reporting platform under Article 16.
- Applies from 11 September 2026, the earliest CRA obligation to take effect (Art. 71).
- 24 hours: early warning · 72 hours: notification with corrective or mitigating measures.
- Final report: 14 days after a vulnerability is fixed; one month for a severe incident.
- Reports go to ENISA and the relevant national CSIRT via the single reporting platform.
- Triggers: actively exploited vulnerabilities (Art. 3(42)) and severe incidents affecting product security.
- The 24-hour clock does not pause for weekends or bank holidays — unlike DORA (RTS (EU) 2025/301, Art. 5).
The Cyber Resilience Act sets a three-stage reporting clock for manufacturers of products with digital elements. The obligation starts on 11 September 2026 and is the first of the CRA's major duties to take effect (Art. 71). From the moment a manufacturer becomes aware of an actively exploited vulnerability or a severe incident affecting the security of a product, it has **24 hours** to submit an early warning and **72 hours** to submit a fuller notification including any corrective or mitigating measures taken (Art. 14). The final report is due within **14 days** of a corrective measure becoming available for a vulnerability, or within **one month** of the 72-hour notification for a severe incident. Reports are made to ENISA and the relevant national CSIRT through the single reporting platform established under Article 16. The 24-hour early-warning clock starts when the manufacturer becomes aware and does not pause for weekends or bank holidays. Teams used to DORA should note the difference: Commission Delegated Regulation (EU) 2025/301 permits certain financial entities to defer weekend initial notifications to the next working day; no equivalent deferral exists under the CRA. The duty is absolute from the moment of awareness. Meeting these windows in practice means knowing your components and monitoring them continuously, so that the 24-hour clock does not start against a product whose composition you cannot see. Teams already meeting NIS2 and DORA reporting duties have the operational reflexes, but the deadlines and recipients are not identical across the three regimes, which is why one documented incident process mapped to all three is more robust than three separate playbooks.
Regulatory References