CRA Reporting Playbook Template

Cyber Resilience Act — Article 14 Incident Reporting Procedures
Customize for your organization's product portfolio and incident response team

Regulatory reference: Regulation (EU) 2024/2847 (Cyber Resilience Act), Article 14 — Obligations of manufacturers in relation to vulnerabilities and incidents.

Organization Information

Organization Name
CRA Compliance Lead (name, title, contact)
Products with Digital Elements (list all EU-market products)
National CSIRT Contact
Internal Incident Response Team Lead

24h Initial Notification Procedure

Article 14.1 — Report to national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or incident.

Trigger Criteria

24h Notification Workflow

StepOwnerActionTimeline
1[SOC / On-call engineer]Confirm active exploitation — validate against trigger criteriaT+0h to T+2h
2[IR Team Lead]Activate incident response — assign severity and incident commanderT+1h to T+3h
3[Compliance Lead]Draft initial notification using CSIRT template (Annex A)T+2h to T+8h
4[Legal / DPO]Review notification for accuracy and regulatory completenessT+8h to T+16h
5[Compliance Lead]Submit to national CSIRT via established channelT+16h to T+24h
6[IR Team Lead]Internal status broadcast to executive teamT+24h

24h Notification Content Requirements

72h Substantial Incident Report

Article 14.2 — Detailed report within 72 hours when incident is assessed as substantial.

Substantial Incident Criteria

72h Report Workflow

StepOwnerActionTimeline
1[IR Commander]Severity classification — determine if substantial per criteria aboveT+24h to T+30h
2[Engineering Lead]Technical analysis — root cause hypothesis, affected components, blast radiusT+24h to T+48h
3[Compliance Lead]Draft substantial incident report (Annex B)T+36h to T+60h
4[Legal / Executive]Review and approve reportT+60h to T+66h
5[Compliance Lead]Submit to CSIRT with updated impact assessmentT+66h to T+72h

72h Report Content Requirements

14d Significant Incident Final Report

Article 14.3 — Comprehensive report within 14 days for significant incidents. Submitted to CSIRT and ENISA.

Significant Incident Criteria

14-Day Report Workflow

StepOwnerActionTimeline
1[IR Commander]Confirm significant classification with CSIRTT+72h to T+96h
2[Engineering Team]Complete root cause analysis — full technical timelineT+72h to T+7d
3[Engineering Lead]Develop and test permanent remediationT+3d to T+10d
4[Compliance Lead]Draft significant incident report (Annex C) with ENISA templateT+7d to T+12d
5[Legal / Executive]Final review and executive sign-offT+12d to T+13d
6[Compliance Lead]Submit to CSIRT and ENISA via established channelsT+13d to T+14d
7[IR Commander]Post-incident review — capture lessons learnedT+14d to T+21d

14-Day Report Content Requirements

CSIRT Contact Matrix

Populate with your national CSIRT and relevant EU member state CSIRTs where your products are distributed.

CSIRTCountryContact EmailReporting PortalPhone (24/7)
[National CSIRT][Country][email][URL][phone]
[CSIRT 2][Country][email][URL][phone]
[CSIRT 3][Country][email][URL][phone]
ENISAEUincident@enisa.europa.euhttps://www.enisa.europa.eu

ENISA Submission Checklist

Internal Escalation Matrix

RoleNameContactEscalation Trigger
On-call Engineer[Name][Phone / PagerDuty]All incidents — first responder
IR Team Lead[Name][Phone]Any confirmed active exploitation
CRA Compliance Lead[Name][Phone]24h notification threshold reached
VP Engineering[Name][Phone]Substantial incident classification
General Counsel[Name][Phone]Significant incident / ENISA submission
CEO[Name][Phone]Cross-border impact / media exposure

Document Control

FieldValue
Version1.0 — Template
Last UpdatedJune 2026
Next ReviewSeptember 2026 (CRA enforcement date)
ClassificationInternal — Confidential
Owner[CRA Compliance Lead]