CRA Article 14 — Severity triage and reporting escalation flowchart
Cyber Resilience Act (EU) 2024/2847 · Effective September 2026
Active exploitation confirmed. Significant user impact. Cross-border scope. → 24h + 72h + 14d reporting cascade.
Active exploitation likely. Multiple users affected. Single member state. → 24h + 72h reporting.
Vulnerability confirmed, no active exploitation yet. Limited user impact. → 24h notification only.
| Question | YES Path | NO Path |
|---|---|---|
| Product with digital elements on EU market? | Continue to active exploitation check | Not CRA-applicable. Internal IR only. |
| Actively exploited? | Start 24h clock → notify CSIRT | Monitor. No Article 14 reporting. |
| Substantial incident? | Start 72h clock → detailed report | 24h notification sufficient. Close with follow-up. |
| Significant incident? | Start 14d clock → CSIRT + ENISA | Close after 72h report. Post-mortem. |
| Window | Trigger | Report To | Content Level |
|---|---|---|---|
| 24h | Active exploitation confirmed | National CSIRT | Initial notification — nature, products, preliminary impact |
| 72h | Substantial incident classified | National CSIRT | Detailed — root cause, impact assessment, remediation status |
| 14d | Significant incident classified | CSIRT + ENISA | Comprehensive — full timeline, preventive measures, lessons learned |
| Level | Trigger | Contact | Channel |
|---|---|---|---|
| L1 — On-call | Any security event | [SOC / PagerDuty] | [Auto-alert] |
| L2 — IR Lead | Confirmed active exploitation | [IR Team Lead] | [Phone + Slack] |
| L3 — Compliance | 24h reporting threshold | [CRA Compliance Lead] | [Phone + Email] |
| L4 — Executive | Substantial / significant incident | [VP Eng + Legal] | [Phone + In-person] |
| L5 — CSIRT | Article 14 reporting obligation | [National CSIRT] | [Portal + Email] |
| L6 — ENISA | Significant incident | ENISA | incident@enisa.europa.eu |