Chapter 5: Incident Response & Disclosure
5.1 Overview
The Incident Response Framework covers the full set of CRA reporting obligations. From 11 September 2026, manufacturers are required to report actively exploited vulnerabilities and severe security incidents to ENISA or the competent national authority.
REPORTING OBLIGATION FROM 11 SEPTEMBER 2026
The reporting obligations pursuant to Art. 14 CRA enter into force on 11 September 2026. From that date, actively exploited vulnerabilities must be reported within 24 hours.
5.2 Reporting Obligations Overview
| Event | Deadline | Recipient | Template |
|---|---|---|---|
| Actively exploited vulnerability | 24h early warning | ENISA / CSIRT | Early Warning |
| Vulnerability update | 72h notification | ENISA / CSIRT | Notification |
| Final report | 14 days | ENISA / CSIRT | Final Report |
| Severe security incident | 24h early warning | ENISA / CSIRT | Incident Report |
| User notification | Without delay | Affected users | Vulnerability Report |
Chapter Structure
| Section | Topic | CRA Reference |
|---|---|---|
| 5.1 | Incident Response Playbook – Escalation levels, phases, checklists | Art. 14, Annex I Part II |
| 5.2 | Vulnerability Disclosure Policy – CVD per ISO 29147 | Art. 13(6) |
| 5.3 | ENISA Reporting Process – Deadlines, procedure, documentation | Art. 14(1)-(3) |
| 5.4 | Communication Plan – Internal/external communication channels | Art. 14(8) |