Reporting Actively Exploited Vulnerabilities & Severe Incidents for Software (Article 14)
The Cyber Resilience Act (CRA) doesn't just want you to fix problems in your app, game, or software; it also mandates reporting certain serious issues to authorities. Article 14 is your go-to for these critical reporting obligations.
What Needs Mandatory Reporting?
Two main categories trigger mandatory reporting from you as the software manufacturer:
- Actively Exploited Vulnerabilities: If you become aware that a vulnerability contained in your product with digital elements is being actively exploited by malicious actors, you must notify the CSIRT designated as coordinator and ENISA simultaneously (Article 14, Paragraph 1). An "actively exploited vulnerability" means there is reliable evidence that a malicious actor has used it in a system without permission (Article 3, point (42)).
- Severe Incidents Impacting Product Security: You must also notify any "severe incident having an impact on the security of the product with digital elements" that you become aware of, again to the CSIRT coordinator and ENISA (Article 14, Paragraph 3). Article 14, Paragraph 5, defines a severe incident as one that negatively affects the product's ability to protect data or functions, or that leads to malicious code execution in the product or in user systems. Recital 68 gives an example: an attacker successfully introducing malicious code into your software's update release channel.
Reporting Timelines and Content
Article 14, Paragraphs 2 and 4, outline a multi-stage reporting process with specific timelines that apply to both types of event:
- Early Warning: Within 24 hours of becoming aware.
- Incident/Vulnerability Notification: Within 72 hours, with more details