24h Escalation Decision Diagram

CRA Article 14 — Severity triage and reporting escalation flowchart
Cyber Resilience Act (EU) 2024/2847 · Effective September 2026

How to use: Starting from the "Incident Detected" node, follow the decision branches. Each YES/NO path leads to the correct reporting window and escalation level. Use the severity definitions below to classify incidents correctly.

Severity Classification

🔴 Critical

Active exploitation confirmed. Significant user impact. Cross-border scope. → 24h + 72h + 14d reporting cascade.

🟠 High

Active exploitation likely. Multiple users affected. Single member state. → 24h + 72h reporting.

🔵 Moderate

Vulnerability confirmed, no active exploitation yet. Limited user impact. → 24h notification only.

Escalation Flowchart

⚡ INCIDENT DETECTED
Security event, vulnerability disclosure, or threat intel alert received
Is this a product with digital elements
placed on the EU market?
YES ↓
NO →
Not CRA-applicable. Follow internal IR procedures.
Is the vulnerability being
actively exploited?
YES ↓
NO →
Monitor. No Article 14 reporting required yet. Document for internal records.
24h CLOCK STARTS
T+0h: Active Exploitation Confirmed
① Assign Incident Commander
② Draft initial CSIRT notification
③ Alert CRA Compliance Lead
Is this a substantial incident?
Multiple users affected · Significant disruption · Cross-border impact
YES ↓
NO →
Submit 24h notification to CSIRT. Monitor for escalation. Close with follow-up report.
72h CLOCK STARTS
T+24h: Substantial Incident Confirmed
① Technical root cause analysis
② Impact assessment (users, scope, geography)
③ Draft substantial incident report
④ Submit to CSIRT within 72h
Is this a significant incident?
Digital ecosystem impact · Essential services disrupted · Critical infrastructure involved
YES ↓
NO →
Close incident after 72h report. Internal post-mortem. Update playbook if needed.
14d CLOCK STARTS
T+72h: Significant Incident Confirmed
① Complete root cause analysis
② Develop and deploy permanent remediation
③ Draft comprehensive report (ENISA template)
④ Legal review and executive sign-off
⑤ Submit to CSIRT + ENISA within 14 days
INCIDENT CLOSED
Post-Incident Review (T+14d to T+21d)
Lessons learned · Process improvements · Playbook update · CSIRT debrief

Decision Quick Reference

Question YES Path NO Path
Product with digital elements on EU market? Continue to active exploitation check Not CRA-applicable. Internal IR only.
Actively exploited? Start 24h clock → notify CSIRT Monitor. No Article 14 reporting.
Substantial incident? Start 72h clock → detailed report 24h notification sufficient. Close with follow-up.
Significant incident? Start 14d clock → CSIRT + ENISA Close after 72h report. Post-mortem.

Reporting Windows Summary

Window Trigger Report To Content Level
24h Active exploitation confirmed National CSIRT Initial notification — nature, products, preliminary impact
72h Substantial incident classified National CSIRT Detailed — root cause, impact assessment, remediation status
14d Significant incident classified CSIRT + ENISA Comprehensive — full timeline, preventive measures, lessons learned

Escalation Contacts

LevelTriggerContactChannel
L1 — On-call Any security event [SOC / PagerDuty] [Auto-alert]
L2 — IR Lead Confirmed active exploitation [IR Team Lead] [Phone + Slack]
L3 — Compliance 24h reporting threshold [CRA Compliance Lead] [Phone + Email]
L4 — Executive Substantial / significant incident [VP Eng + Legal] [Phone + In-person]
L5 — CSIRT Article 14 reporting obligation [National CSIRT] [Portal + Email]
L6 — ENISA Significant incident ENISA incident@enisa.europa.eu