Submit a final vulnerability report to ENISA within 14 days

Article 14(3) of Regulation (EU) 2024/2847 requires that, no later than 14 days after becoming aware of an actively exploited vulnerability, manufacturers shall submit a final report to ENISA containing:

• A complete description of the vulnerability, including its severity and impact
• Where applicable: the threat actor(s) involved (if known and shareable)
• Information on the corrective or mitigating measures taken
• Whether the vulnerability has been publicly disclosed
• The CVE assigned (or justification for why no CVE was assigned)

Article 14(5) specifies that the report is submitted via the ENISA single reporting platform.

This obligation applies from 11 September 2026.

1. Complete vulnerability description — full technical analysis
2. Root cause analysis — where the vulnerability originated
3. CVSS score — final, re-assessed if needed after full analysis
4. Affected versions — all product versions and variants in scope
5. CVE identifier — CVE number assigned by a CNA, or reason none was assigned
6. Remediation deployed — update version number, release date, delivery mechanism
7. User notification — description of how users were informed and timeline
8. Public disclosure status — whether a security advisory was published and where
9. Threat actor information — if known, whether a specific actor is exploiting

• Timestamped final report submission from ENISA platform
• CVE assignment record
• Published security advisory
• User notification records
• Internal incident postmortem or root-cause analysis document