thumbnail image
  • Home
  • CRA Readiness
  • Services 
    • Educate and Alert
    • Test and Certify
    • Secure By Design
    • Automate
  • Standards & Regulations 
    • CRA
    • RED-DA
    • ETSI EN 303 645
    • CC | EUCC
    • IEC 62443
    • More...
  • Articles 
    • Compliance & Regulations
    • Tech & Security
    • Industry Use Cases
    • Insights & Trends
    • Standards & Regulations
    • Company News & PR
    • EU & Research Projects
    • MDR
  • About Us 
    • Who we are
    • Careers
    • EU Projects
  • …  
    • Home
    • CRA Readiness
    • Services 
      • Educate and Alert
      • Test and Certify
      • Secure By Design
      • Automate
    • Standards & Regulations 
      • CRA
      • RED-DA
      • ETSI EN 303 645
      • CC | EUCC
      • IEC 62443
      • More...
    • Articles 
      • Compliance & Regulations
      • Tech & Security
      • Industry Use Cases
      • Insights & Trends
      • Standards & Regulations
      • Company News & PR
      • EU & Research Projects
      • MDR
    • About Us 
      • Who we are
      • Careers
      • EU Projects
Get in Touch
  • Home
  • CRA Readiness
  • Services 
    • Educate and Alert
    • Test and Certify
    • Secure By Design
    • Automate
  • Standards & Regulations 
    • CRA
    • RED-DA
    • ETSI EN 303 645
    • CC | EUCC
    • IEC 62443
    • More...
  • Articles 
    • Compliance & Regulations
    • Tech & Security
    • Industry Use Cases
    • Insights & Trends
    • Standards & Regulations
    • Company News & PR
    • EU & Research Projects
    • MDR
  • About Us 
    • Who we are
    • Careers
    • EU Projects
  • …  
    • Home
    • CRA Readiness
    • Services 
      • Educate and Alert
      • Test and Certify
      • Secure By Design
      • Automate
    • Standards & Regulations 
      • CRA
      • RED-DA
      • ETSI EN 303 645
      • CC | EUCC
      • IEC 62443
      • More...
    • Articles 
      • Compliance & Regulations
      • Tech & Security
      • Industry Use Cases
      • Insights & Trends
      • Standards & Regulations
      • Company News & PR
      • EU & Research Projects
      • MDR
    • About Us 
      • Who we are
      • Careers
      • EU Projects
Get in Touch
  • September 11, 2026 · Article 14 enters application

    CRA Article 14
    Readiness
    Program

    Be ready before 11 September 2026. From that date, manufacturers must be able to report actively exploited vulnerabilities and severe product-security incidents under the CRA. Red Alert Labs helps you design, document, test, and operate the vulnerability handling and reporting chain required to meet this new obligation.

    Get the Readiness Pack Book a 30-minute CRA Article 14 readiness call
    11 September 2026
    First direct CRA reporting obligation for manufacturers
    CRA readiness program visual
    Time remaining until Article 14 applies
    --
    Days
    --
    Hours
    --
    Minutes
    --
    Seconds
    11 September 2026, the first direct CRA reporting obligation for manufacturers.
    Key dates

    CRA timeline at a glance

    The CRA timeline spans several legal and operational milestones. For this page, the key date is 11 September 2026, when Article 14 reporting obligations start applying.

    10 December 2024
    CRA entered into force.
    11 June 2026
    Provisions on notification of conformity assessment bodies start applying.
    11 September 2026
    Reporting goes live
    Article 14 reporting obligations apply, and the ENISA Single Reporting Platform is used for submissions.
    11 December 2027
    Main CRA obligations apply, including essential requirements, conformity assessment, CE marking, and technical documentation.
    2028 onward
    Enforcement and market surveillance mature, and manufacturers operate CRA as business as usual across lifecycle and updates.

    Official sources

    Reference links for CRA legal text, implementation status, product classification, guidance, and the Single Reporting Platform.

    • Cyber Resilience Act legal text
    • European Commission CRA policy page
    • CRA implementation progress
    • Implementing Act on product classification
    • Commission guidance on the CRA
    • ENISA Single Reporting Platform
    • ENISA SBOM Adoption: State of Play 2026
    • ENISA SME CRA Survey Report
    How we help

    Five ways to get ready for Article 14

    From initial gap assessment to ongoing post-market monitoring. Each track can be engaged independently or as part of a structured programme.

    CRA Readiness Assessment

    A structured four-step engagement that gives you a clear pathway to CRA conformity. This is where most manufacturers start.

    1. 1 Foundation Assessment: product scoping, classification, and a defined pathway to conformity based on the outcome.
    2. 2 Readiness Assessment: risk assessment and gap analysis against CRA Article 14 reporting obligations, Annex I vulnerability handling requirements, SBOM expectations, and third-party supplier management.
    3. 3 Documentation Support: delivered as templates, co-authoring, or turnkey, depending on your team's capacity.
    4. 4 Technical Verification: conceptual and functional testing, plus documentation verification.
    Where to start

    VDP and Vulnerability Handling Process Implementation

    Design and roll-out of a Vulnerability Disclosure Policy and the internal handling process that supports it. Includes intake, triage, severity classification, coordinated disclosure, and the evidence trail Article 14 reporting will require.

    Core deliverable

    CRA Training

    Targeted training for product, security, legal, and communications stakeholders. Covers Article 14 scope, notification content, the 24-hour and 72-hour milestones, final-report deadlines by trigger, and the operational decisions teams need to make under each. Delivered as workshops or as a structured curriculum.

    Team readiness

    Post-Market Vulnerability Management

    Ongoing operational support across three components: Process Design and Setup, Ecosystem Monitoring and Triage, and Impact Analysis and Remediation. Built to keep your reporting chain working after the policy documents are signed and the deadline has passed.

    Retainer available

    CyberPass

    Our AI-assisted compliance automation platform. CyberPass supports evidence management, control mapping, and recurring assessment tasks across CRA, EUCC, and related schemes. Available to clients across the four service tracks above.

    Automation platform
    The regulation

    Article 14 in plain language

    Article 14 applies to manufacturers of products with digital elements placed on the EU market. From 11 September 2026, manufacturers must be ready to notify actively exploited vulnerabilities contained in their products and severe incidents having an impact on the security of those products.

    Notifications must be submitted via the single reporting platform established by ENISA and made simultaneously accessible to the relevant CSIRT designated as coordinator and to ENISA.

    The process follows a staged approach: an early warning within 24 hours, a more complete notification within 72 hours, and a final report. The final-report deadline depends on the trigger: for actively exploited vulnerabilities, it is due no later than 14 days after a corrective or mitigating measure is available; for severe incidents, it is due within one month after the 72-hour incident notification.

    Importantly, Article 14 also applies to in-scope products already placed on the EU market before the CRA becomes fully applicable, so manufacturers should not wait until 2027 to prepare their reporting chain.

    Manufacturers must also inform impacted users, and where appropriate all users, of the vulnerability or incident and of any corrective or risk-mitigation measures they can deploy.
    24h

    Early warning

    Initial notification after becoming aware of an actively exploited vulnerability or severe product-security incident.

    72h

    Vulnerability or incident notification

    More complete information on the product, exploit or incident, impact, sensitivity, and corrective or mitigating measures.

    Final

    Final report

    Deadline depends on the trigger. For actively exploited vulnerabilities: no later than 14 days after a corrective or mitigating measure is available. For severe incidents: within one month after the 72-hour incident notification.

    Where teams commonly stall

    Three gaps we observe most often

    Drawn from our work with manufacturers over the last several years. These are observations, not judgements.

    1

    No Vulnerability Disclosure Policy

    Researchers and customers have no defined channel to report findings, and the organisation has no documented intake process to receive them.

    2

    No tested escalation and reporting chain

    A policy may exist on paper, but no one has walked a real or simulated incident through it end to end, against the Article 14 clocks, with legal and communications involved.

    3

    Not prepared to use the ENISA platform

    The platform requires named submitters, structured information, and supporting evidence. Most teams are not set up to produce these on a 24-hour timeline.

    Why Red Alert Labs

    Our credentials on CRA Article 14

    • EUCC-accredited ITSEF (conformity assessment body)
    • Preparing for Notified Body status under the CRA
    • Co-author of the Campus Cyber Vulnerability Management White Paper (Ayman Khalil, COO)
    • We contribute to the EU bodies shaping the CRA
    550+
    Connected products secured
    EUCC
    Accredited ITSEF
    2023
    Campus Cyber white paper
    CRA
    Notified Body (in preparation)
    Expert briefing

    Watch the expert briefing

    A 16-minute walkthrough of Article 14: what it requires, where manufacturers most commonly stall, and what to do in the weeks remaining. Hosted by Isaac Dangana, Technical Lead at Red Alert Labs.

    This briefing features an AI-generated digital twin of Isaac Dangana, produced by Red Alert Labs to deliver it with consistent quality.

    Isaac Dangana
    Technical Lead, Red Alert Labs
    Get the Readiness Pack
    Free resource

    CRA Article 14 Vulnerability Disclosure and Reporting Readiness Pack

    Available now

    A 56-page operational reference for product and compliance teams, delivered as an interactive web edition with the full PDF inside. Designed to be used as a working document by teams building or testing their reporting chain.

    • Article 14 trigger decision tree and scope checklist
    • 24h / 72h / final-report workflow with deadline logic by trigger
    • RACI matrix: product, security, legal, compliance, support, executive
    • Editable VDP body, ISO 29147 aligned, with RFC 9116 security.txt sample
    • Evidence log template for ENISA submission readiness
    • User communication and supplier notification templates
    • ENISA SRP registration steps and worked example
    CRA Article 14 readiness pack preview

    Get the Readiness Pack

    Available now. Register and we email you the access link right away. The full PDF is inside. No login required.

Services:

Secure by Design

Test and Certify

Educate and Alert

Automate

CRA Readiness

About Us:

Who We Are

EU Projects

Careers

Address:

3 Rue Parmentier, 94140 Alfortville, Île-de-France, France

EU Transparency Register: REG 450926493482-66

© RED ALERT LABS. All rights reserved.

Terms & Conditions
Privacy Policy
    Email
    Posts
    Address
Cookie Use
We use cookies to ensure a smooth browsing experience. By continuing we assume you accept the use of cookies.
Learn More