Submit a detailed vulnerability notification to ENISA within 72 hours
- S'applique à
- Manufacturer
- Citations sources
- Art. 14(2)Art. 14(5)
- Classes de produits
- default, important-class-i, important-class-ii, critical
Langage clair
After your 24-hour early warning to ENISA, you have up to 72 hours from first becoming aware to send a more detailed follow-up notification. This must include the product details, vulnerability information, and the security measures you have taken or are planning to take. The clock starts when you first become aware of active exploitation — not when you confirm the full details.
Legal text
Article 14(2) of Regulation (EU) 2024/2847 requires that manufacturers, without undue delay and in any event no later than 72 hours after becoming aware of an actively exploited vulnerability, notify ENISA of:
- The vulnerability
- The product(s) affected
- The severity and impact of the vulnerability
- The corrective or mitigating measures taken or planned
- Whether the vulnerability has been publicly disclosed
Article 14(5) specifies that notifications are submitted via the ENISA single reporting platform, which routes the information to the relevant national CSIRT(s).
Effective date
This obligation applies from 11 September 2026.
Required notification content
The 72-hour notification must include:
- Product identification — name, version, manufacturer details
- Vulnerability description — technical details including CVE (if assigned)
- CVSS score — severity assessment
- Active exploitation evidence — how you know it is being actively exploited
- Affected user population — scope of impact
- Mitigating measures — steps already taken to contain the risk
- Remediation plan — planned patch timeline and delivery mechanism
- User notification status — whether users have been informed
Relationship to the 24-hour early warning
| Step | Deadline | Required content |
|---|---|---|
| Early warning (OBL-ART14-01) | 24 hours | Existence of actively exploited vulnerability |
| Detailed notification | 72 hours | Technical details, severity, corrective measures |
| Final report (OBL-ART14-03) | 14 days | Complete analysis and full remediation details |
Evidence you may need
- Timestamped submission records from ENISA reporting platform
- Internal timeline showing when awareness was established
- Copy of notification submitted (redacted where needed for security)
- Records showing notification sent within 72 hours of awareness