OBL-ART14-04
Binding

Notify users of actively exploited vulnerabilities without undue delay

Applies to
Manufacturer
Legal references
Art. 14(4)
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

If a bug in your product is being used to attack users, tell them right away. Do not wait for the fix. Say what the risk is and what they can do to stay safe now. Use your normal update or alert channels — but act fast.

Legal text

Article 14(4) of Regulation (EU) 2024/2847 requires manufacturers to notify users of products with digital elements that are affected by an actively exploited vulnerability, without undue delay, with information sufficient to allow those users to take protective measures.

This notification obligation runs concurrently with the ENISA reporting obligations (OBL-ART14-01, OBL-ART14-02, OBL-ART14-03) — notifying ENISA does not substitute for notifying users.

Effective date

This obligation applies from 11 September 2026.

Required user notification content

The notification to users must include:

  1. Affected product and versions — precisely which products and firmware/software versions are affected
  2. Nature of the vulnerability — a plain-language description of the risk
  3. Exploitation confirmation — statement that active exploitation has been observed
  4. Available mitigating measures — steps users can take immediately (workarounds, configuration changes, network isolation) pending a full fix
  5. Update availability — whether a patch is available and how to obtain it; if not yet available, an expected timeline
  6. Urgency guidance — recommended priority for applying the update

Notification channels

Use channels reachable by users who may not proactively check for updates:

  • In-product security alert (push notification or banner)
  • Email to registered users
  • Prominent notice on product/support website
  • App store / platform update notes

The choice of channel must be proportionate to the severity and exploitability.

Evidence you may need

  • User notification records — timestamp, content, channels used
  • Delivery confirmation (email receipts, notification analytics)
  • Published security advisory with user-facing remediation guidance
  • Records showing notification predated or accompanied patch release
Notify users of actively exploited vulnerabilities without undue delay — CRA-compliancehub