Article 14 Vulnerability Reporting: Practical Breakdown
From September 2026, manufacturers must report actively exploited vulnerabilities under strict timelines. This guide translates legal timing into an operational PSIRT workflow.
Confidence: Settled law for reporting obligations and timing windows · Last reviewed: 2026-04-29
Reporting timeline at a glance
- T0: Manufacturer awareness of an actively exploited vulnerability.
- T+24h: Early warning to relevant CSIRT and ENISA via the single reporting platform.
- T+72h: Full notification unless already covered in early warning.
- Final report: Within 14 days of corrective/mitigating measure availability (or severe-incident route as applicable).
What starts the clock
The timing trigger is internal awareness, not public disclosure. Your runbook must define that trigger in writing and enforce timestamp capture for every decision event.
Minimum process stack
- Product/version-level SBOM visibility.
- Automated vulnerability monitoring against public feeds.
- 24/7 escalation path from detection to reportability decision.
- Pre-approved templates for early warning, full, and final notifications.
- Audit trail for incident timeline and corrective actions.
Readiness checks before September 2026
Run monthly tabletop drills, track detection-to-decision latency, and verify who can submit to the reporting platform.
If your process cannot produce a complete first warning in under 24 hours during a drill, it is not production ready.
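The timestamp capture and drill latency check described above, as an added example that is not part of the original guide: a small Python checker that derives the three Article 14 deadlines from captured event timestamps (awareness for the 24h and 72h windows, measure availability for the 14-day window) and flags any obligation that was met late or not at all. The event names and the drill timeline are constructed assumptions, not real incident data.

```python
from datetime import datetime, timedelta, timezone

# Article 14 windows, each relative to its own anchor event:
# early warning and full notification run from awareness (T0);
# the final report runs from availability of the corrective/mitigating measure.
WINDOWS = {
    "early_warning": ("aware", timedelta(hours=24)),
    "full_notification": ("aware", timedelta(hours=72)),
    "final_report": ("fix_available", timedelta(days=14)),
}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp; values without an offset are rejected so the audit trail is unambiguous."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks timezone: {s}")
    return dt.astimezone(timezone.utc)


def evaluate(events: dict) -> dict:
    """Map event name -> ISO timestamp to, per obligation, its deadline, whether it was met,
    and the slack (negative means late). A missing submission event counts as not met."""
    ts = {name: parse_ts(value) for name, value in events.items()}
    result = {}
    for obligation, (anchor, window) in WINDOWS.items():
        if anchor not in ts:
            continue  # anchor not reached yet (e.g. no measure available), so no deadline yet
        deadline = ts[anchor] + window
        submitted = ts.get(obligation)
        met = submitted is not None and submitted <= deadline
        slack = (deadline - submitted) if submitted is not None else None
        result[obligation] = {"deadline": deadline, "met": met, "slack": slack}
    return result


def detection_to_decision_hours(events: dict, decision_event: str = "early_warning") -> float:
    """Latency metric the readiness section asks you to track, in hours from T0."""
    return (parse_ts(events[decision_event]) - parse_ts(events["aware"])).total_seconds() / 3600


# Constructed drill timeline (hypothetical, not real incident data).
DRILL = {
    "aware": "2026-09-14T08:00:00+02:00",             # T0 = 06:00 UTC
    "early_warning": "2026-09-15T05:30:00+00:00",     # 23.5h after T0: met
    "full_notification": "2026-09-17T09:00:00+00:00", # 75h after T0: late
    "fix_available": "2026-09-20T12:00:00+00:00",
    "final_report": "2026-10-03T10:00:00+00:00",      # 12d 22h after measure: met
}
```

Feed the same function the timestamps from your real audit trail and the output tells you which window the drill blew, which is the number to track month over month.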
Primary sources: Regulation (EU) 2024/2847, ENISA SRP page, Commission reporting guidance. This guide is informational and not legal advice.