
- Services
- Educate and Alert
- Test and Certify
- Secure By Design
- Automate
- Standards & Regulations
- About Us
- …
- Services
- Educate and Alert
- Test and Certify
- Secure By Design
- Automate
- Standards & Regulations
- About Us
- Services
- Educate and Alert
- Test and Certify
- Secure By Design
- Automate
- Standards & Regulations
- About Us
- …
- Services
- Educate and Alert
- Test and Certify
- Secure By Design
- Automate
- Standards & Regulations
- About Us
- September 11, 2026 · Article 14 enters application
CRA Article 14
Readiness
ProgramBe ready before 11 September 2026. From that date, manufacturers must be able to report actively exploited vulnerabilities and severe product-security incidents under the CRA. Red Alert Labs helps you design, document, test, and operate the vulnerability handling and reporting chain required to meet this new obligation.
11 September 2026First direct CRA reporting obligation for manufacturers
Time remaining until Article 14 applies--Days--Hours--Minutes--Seconds11 September 2026, the first direct CRA reporting obligation for manufacturers.Key datesCRA timeline at a glance
The CRA timeline spans several legal and operational milestones. For this page, the key date is 11 September 2026, when Article 14 reporting obligations start applying.
10 December 2024CRA entered into force.11 June 2026Provisions on notification of conformity assessment bodies start applying.11 September 2026Reporting goes live
Article 14 reporting obligations apply, and the ENISA Single Reporting Platform is used for submissions.11 December 2027Main CRA obligations apply, including essential requirements, conformity assessment, CE marking, and technical documentation.2028 onwardEnforcement and market surveillance mature, and manufacturers operate CRA as business as usual across lifecycle and updates.How we helpFive ways to get ready for Article 14
From initial gap assessment to ongoing post-market monitoring. Each track can be engaged independently or as part of a structured programme.
CRA Readiness Assessment
A structured four-step engagement that gives you a clear pathway to CRA conformity. This is where most manufacturers start.
- 1 Foundation Assessment: product scoping, classification, and a defined pathway to conformity based on the outcome.
- 2 Readiness Assessment: risk assessment and gap analysis against CRA Article 14 reporting obligations, Annex I vulnerability handling requirements, SBOM expectations, and third-party supplier management.
- 3 Documentation Support: delivered as templates, co-authoring, or turnkey, depending on your team's capacity.
- 4 Technical Verification: conceptual and functional testing, plus documentation verification.
VDP and Vulnerability Handling Process Implementation
Design and roll-out of a Vulnerability Disclosure Policy and the internal handling process that supports it. Includes intake, triage, severity classification, coordinated disclosure, and the evidence trail Article 14 reporting will require.
Core deliverableCRA Training
Targeted training for product, security, legal, and communications stakeholders. Covers Article 14 scope, notification content, the 24-hour and 72-hour milestones, final-report deadlines by trigger, and the operational decisions teams need to make under each. Delivered as workshops or as a structured curriculum.
Team readinessPost-Market Vulnerability Management
Ongoing operational support across three components: Process Design and Setup, Ecosystem Monitoring and Triage, and Impact Analysis and Remediation. Built to keep your reporting chain working after the policy documents are signed and the deadline has passed.
Retainer availableCyberPass
Our AI-assisted compliance automation platform. CyberPass supports evidence management, control mapping, and recurring assessment tasks across CRA, EUCC, and related schemes. Available to clients across the four service tracks above.
Automation platformThe regulationArticle 14 in plain language
Article 14 applies to manufacturers of products with digital elements placed on the EU market. From 11 September 2026, manufacturers must be ready to notify actively exploited vulnerabilities contained in their products and severe incidents having an impact on the security of those products.
Notifications must be submitted via the single reporting platform established by ENISA and made simultaneously accessible to the relevant CSIRT designated as coordinator and to ENISA.
The process follows a staged approach: an early warning within 24 hours, a more complete notification within 72 hours, and a final report. The final-report deadline depends on the trigger: for actively exploited vulnerabilities, it is due no later than 14 days after a corrective or mitigating measure is available; for severe incidents, it is due within one month after the 72-hour incident notification.
Importantly, Article 14 also applies to in-scope products already placed on the EU market before the CRA becomes fully applicable, so manufacturers should not wait until 2027 to prepare their reporting chain.
Manufacturers must also inform impacted users, and where appropriate all users, of the vulnerability or incident and of any corrective or risk-mitigation measures they can deploy.24hEarly warning
Initial notification after becoming aware of an actively exploited vulnerability or severe product-security incident.
72hVulnerability or incident notification
More complete information on the product, exploit or incident, impact, sensitivity, and corrective or mitigating measures.
FinalFinal report
Deadline depends on the trigger. For actively exploited vulnerabilities: no later than 14 days after a corrective or mitigating measure is available. For severe incidents: within one month after the 72-hour incident notification.
Where teams commonly stallThree gaps we observe most often
Drawn from our work with manufacturers over the last several years. These are observations, not judgements.
1No Vulnerability Disclosure Policy
Researchers and customers have no defined channel to report findings, and the organisation has no documented intake process to receive them.
2No tested escalation and reporting chain
A policy may exist on paper, but no one has walked a real or simulated incident through it end to end, against the Article 14 clocks, with legal and communications involved.
3Not prepared to use the ENISA platform
The platform requires named submitters, structured information, and supporting evidence. Most teams are not set up to produce these on a 24-hour timeline.
Why Red Alert LabsOur credentials on CRA Article 14
- EUCC-accredited ITSEF (conformity assessment body)
- Preparing for Notified Body status under the CRA
- Co-author of the Campus Cyber Vulnerability Management White Paper (Ayman Khalil, COO)
- We contribute to the EU bodies shaping the CRA
550+Connected products securedEUCCAccredited ITSEF2023Campus Cyber white paperCRANotified Body (in preparation)Expert briefingWatch the expert briefing
A 16-minute walkthrough of Article 14: what it requires, where manufacturers most commonly stall, and what to do in the weeks remaining. Hosted by Isaac Dangana, Technical Lead at Red Alert Labs.
This briefing features an AI-generated digital twin of Isaac Dangana, produced by Red Alert Labs to deliver it with consistent quality.
Get the Readiness PackIsaac DanganaTechnical Lead, Red Alert LabsFree resourceCRA Article 14 Vulnerability Disclosure and Reporting Readiness Pack
Available now
A 56-page operational reference for product and compliance teams, delivered as an interactive web edition with the full PDF inside. Designed to be used as a working document by teams building or testing their reporting chain.
- Article 14 trigger decision tree and scope checklist
- 24h / 72h / final-report workflow with deadline logic by trigger
- RACI matrix: product, security, legal, compliance, support, executive
- Editable VDP body, ISO 29147 aligned, with RFC 9116 security.txt sample
- Evidence log template for ENISA submission readiness
- User communication and supplier notification templates
- ENISA SRP registration steps and worked example
Get the Readiness Pack
Available now. Register and we email you the access link right away. The full PDF is inside. No login required.
Address:
3 Rue Parmentier, 94140 Alfortville, Île-de-France, France
EU Transparency Register: REG 450926493482-66
© RED ALERT LABS. All rights reserved.
