debored.ai
CRA Reporting Playbook Template
Cyber Resilience Act — Article 14 Incident Reporting Procedures
Customize for your organization's product portfolio and incident response team
Regulatory reference: Regulation (EU) 2024/2847 (Cyber Resilience Act), Article 14 — Obligations of manufacturers in relation to vulnerabilities and incidents.
Organization Information
CRA Compliance Lead (name, title, contact)
Products with Digital Elements (list all EU-market products)
Internal Incident Response Team Lead
24h Initial Notification Procedure
Article 14.1 — Report to national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or incident.
Trigger Criteria
- Actively exploited vulnerability identified in a product with digital elements
- Security incident affecting a product placed on the EU market
- Threat intelligence indicates active exploitation of a vulnerability in your product
- Customer report of a security incident with evidence of active exploitation
24h Notification Workflow
| Step | Owner | Action | Timeline |
| 1 | [SOC / On-call engineer] | Confirm active exploitation — validate against trigger criteria | T+0h to T+2h |
| 2 | [IR Team Lead] | Activate incident response — assign severity and incident commander | T+1h to T+3h |
| 3 | [Compliance Lead] | Draft initial notification using CSIRT template (Annex A) | T+2h to T+8h |
| 4 | [Legal / DPO] | Review notification for accuracy and regulatory completeness | T+8h to T+16h |
| 5 | [Compliance Lead] | Submit to national CSIRT via established channel | T+16h to T+24h |
| 6 | [IR Team Lead] | Internal status broadcast to executive team | T+24h |
24h Notification Content Requirements
- Organization name and contact details
- Product(s) affected (name, version, EU market placement date)
- Nature of the vulnerability or incident
- Known or likely impact on users
- Initial remediation measures taken or planned
- Point of contact for follow-up communication
72h Substantial Incident Report
Article 14.2 — Detailed report within 72 hours when incident is assessed as substantial.
Substantial Incident Criteria
- Incident affects or may affect multiple users or operators
- Significant disruption to availability, integrity, or confidentiality
- Cross-border impact (affects users in multiple EU member states)
- Requires coordinated response across organizational boundaries
72h Report Workflow
| Step | Owner | Action | Timeline |
| 1 | [IR Commander] | Severity classification — determine if substantial per criteria above | T+24h to T+30h |
| 2 | [Engineering Lead] | Technical analysis — root cause hypothesis, affected components, blast radius | T+24h to T+48h |
| 3 | [Compliance Lead] | Draft substantial incident report (Annex B) | T+36h to T+60h |
| 4 | [Legal / Executive] | Review and approve report | T+60h to T+66h |
| 5 | [Compliance Lead] | Submit to CSIRT with updated impact assessment | T+66h to T+72h |
72h Report Content Requirements
- Updated status of the vulnerability/incident since 24h notification
- Impact assessment — number of affected users, geographic scope
- Technical root cause analysis (preliminary)
- Remediation status — patches deployed, workarounds in place
- Risk assessment for remaining exposure
- Coordination with other CSIRTs or national authorities (if applicable)
14d Significant Incident Final Report
Article 14.3 — Comprehensive report within 14 days for significant incidents. Submitted to CSIRT and ENISA.
Significant Incident Criteria
- Incident has or may have a significant impact on the digital ecosystem
- Large-scale disruption of essential services
- Incident involving critical infrastructure or essential products
- CSIRT or ENISA has classified the incident as significant
14-Day Report Workflow
| Step | Owner | Action | Timeline |
| 1 | [IR Commander] | Confirm significant classification with CSIRT | T+72h to T+96h |
| 2 | [Engineering Team] | Complete root cause analysis — full technical timeline | T+72h to T+7d |
| 3 | [Engineering Lead] | Develop and test permanent remediation | T+3d to T+10d |
| 4 | [Compliance Lead] | Draft significant incident report (Annex C) with ENISA template | T+7d to T+12d |
| 5 | [Legal / Executive] | Final review and executive sign-off | T+12d to T+13d |
| 6 | [Compliance Lead] | Submit to CSIRT and ENISA via established channels | T+13d to T+14d |
| 7 | [IR Commander] | Post-incident review — capture lessons learned | T+14d to T+21d |
14-Day Report Content Requirements
- Complete incident timeline from detection to remediation
- Final root cause analysis with evidence
- Full impact assessment — users, products, geographic scope
- Permanent remediation measures implemented
- Preventive measures to avoid recurrence
- Coordination summary with CSIRTs, ENISA, and other authorities
- Lessons learned and process improvements identified
CSIRT Contact Matrix
Populate with your national CSIRT and relevant EU member state CSIRTs where your products are distributed.
| CSIRT | Country | Contact Email | Reporting Portal | Phone (24/7) |
| [National CSIRT] | [Country] | [email] | [URL] | [phone] |
| [CSIRT 2] | [Country] | [email] | [URL] | [phone] |
| [CSIRT 3] | [Country] | [email] | [URL] | [phone] |
| ENISA | EU | incident@enisa.europa.eu | https://www.enisa.europa.eu | — |
ENISA Submission Checklist
- Organization registered in ENISA incident reporting portal
- CRA Compliance Lead has portal access credentials
- Incident report template pre-configured with organization details
- Notification channels tested (email confirmation received from CSIRT)
- Incident report reviewed by legal counsel before submission
- Copy of all submissions retained in incident register for 5 years
- Follow-up communication timeline documented per CSIRT requirements
Internal Escalation Matrix
| Role | Name | Contact | Escalation Trigger |
| On-call Engineer | [Name] | [Phone / PagerDuty] | All incidents — first responder |
| IR Team Lead | [Name] | [Phone] | Any confirmed active exploitation |
| CRA Compliance Lead | [Name] | [Phone] | 24h notification threshold reached |
| VP Engineering | [Name] | [Phone] | Substantial incident classification |
| General Counsel | [Name] | [Phone] | Significant incident / ENISA submission |
| CEO | [Name] | [Phone] | Cross-border impact / media exposure |
Document Control
| Field | Value |
| Version | 1.0 — Template |
| Last Updated | June 2026 |
| Next Review | September 2026 (CRA enforcement date) |
| Classification | Internal — Confidential |
| Owner | [CRA Compliance Lead] |