Report actively exploited vulnerabilities and incidents to ENISA
- Van toepassing op
- Manufacturer
- Bronvermeldingen
- Art. 14(1)Art. 14(2)Art. 14(3)
- Productklassen
- default, important-class-i, important-class-ii, critical
Eenvoudige taal
If you discover — or are told — that a vulnerability in your product is being actively exploited by attackers, you must report it to ENISA urgently. You have 24 hours to send an early warning, 72 hours to send a full notification, and 14 days to send a final report with your remediation plan. Missing these deadlines is a regulatory violation. This clock starts from 11 September 2026.
Legal text
Article 14(1) of Regulation (EU) 2024/2847 requires that manufacturers who become aware of an actively exploited vulnerability or a severe incident affecting their product shall notify ENISA without undue delay via the single reporting platform.
Reporting timelines (Art. 14(2)–(3)):
| Report | Deadline |
|---|---|
| Early warning | 24 hours from becoming aware |
| Vulnerability / incident notification | 72 hours from becoming aware |
| Final report | 14 days from becoming aware |
Applies from
11 September 2026 — the Art. 14 obligations apply before the full regulation (11 December 2027). Plan your incident-response process accordingly.
Key requirements
- 24-hour early warning — signal to ENISA that a severe event is in progress
- 72-hour notification — details of the vulnerability or incident
- 14-day final report — remediation steps, root cause, timeline
- ENISA single reporting platform — use the platform when it is operational
- Affected users notified — Art. 14(8) requires notification to affected users without undue delay
Evidence you may need
- Incident response / PSIRT process documentation
- Vulnerability disclosure policy
- Submission records from the ENISA reporting platform
- Internal timeline tracking (when you became aware, when you reported)