Blog | SEP 25, 2025
CRA Vulnerability Reporting Requirements: What You Must Do Before September 2026
The EU Cyber Resilience Act introduces strict vulnerability reporting obligations, with tight 24h/72h/14d deadlines, and penalties of up to €15 million. In this article, we break down what counts as a vulnerability, who must report, and how these rules impact both new and legacy products.
The EU Cyber Resilience Act (CRA) introduces some of the most far-reaching vulnerability reporting requirements manufacturers of digital products have ever faced. The regulation doesn’t just require companies to secure their products; it also obliges them to detect, classify, and report vulnerabilities within strict timelines. This marks a shift from voluntary best practice to legally binding obligations, backed by substantial fines. In this post, we explore what the CRA defines as a vulnerability, when reporting obligations apply, what needs to be reported, and the consequences of non-compliance.
What is a Vulnerability under the CRA?
The CRA provides three distinct levels of vulnerability definitions:
Vulnerability
“A weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat.” This is the broad, baseline definition. It covers the thousands of findings that might show up in your vulnerability scanner, not all of them equally critical, but all within the CRA’s scope.
Exploitable vulnerability
“A vulnerability that has the potential to be effectively used by an adversary under practical operational conditions.” Here, context matters. Manufacturers must assess exploitability based on the product’s design and operating environment. Helpful resources include CISA’s Known Exploited Vulnerabilities (KEV) list or ENISA’s EU Vulnerability Database (EUVD).
Actively exploited vulnerability
“A vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.” This category overlaps with real-world incidents, for example a SOC alert showing an intrusion through your product, or a confirmed breach in which a vulnerability in your product was used.
When Do the Reporting Obligations Apply?
The CRA officially came into force in November 2024. The majority of its requirements will only apply after a 36-month transition period, but the vulnerability reporting rules take effect much sooner, just 21 months after entry into force. In practice, this means that on September 11, 2026, manufacturers must already be prepared to report actively exploited vulnerabilities in line with the regulation’s deadlines.
What Must Be Reported and When?
The CRA sets strict deadlines for manufacturers once an actively exploited vulnerability is discovered:
Within 24 hours: Submit an early warning notification (Art. 14/2a).
Within 72 hours: Provide a vulnerability notification, including (Art. 14/2b):
General information about the affected product.
The nature of the exploit and vulnerability.
Corrective or mitigating measures taken.
Mitigations that users can apply.
Within 14 days: Deliver a final report with full details of the incident, its severity, and corrective actions (Art. 14/2c).
This means manufacturers must build processes capable of detecting incidents, gathering evidence, and drafting reports within hours, not weeks.
Who Must Report and Who is Exempt?
The obligation to report vulnerabilities applies to manufacturers of products with digital elements. However, the CRA provides an exemption for micro and small enterprises.
According to the EU definition (Recommendation 2003/361/EC), these are companies with:
Small enterprise: Fewer than 50 employees and annual turnover or balance sheet total ≤ €10 million.
Microenterprise: Fewer than 10 employees and turnover or balance sheet total ≤ €2 million.
Where Do Manufacturers Report Vulnerabilities?
Under the CRA, manufacturers must submit vulnerability notifications through the EU’s single reporting platform, which is still in development, using the electronic notification endpoint of the CSIRT (Computer Security Incident Response Team) designated as coordinator in their main Member State. This means the notification goes to the national CSIRT where the company is headquartered in the EU, and it will also be made accessible to ENISA.
If a manufacturer has no main establishment within the European Union, the CRA sets out a clear order for determining where vulnerability reports must be submitted. The priority is:
The Member State where the authorised representative responsible for the largest number of the manufacturer’s products is based.
If there is no representative, then the Member State where the importer placing the highest number of the manufacturer’s products on the market is established.
If neither applies, then the Member State where the distributor making the largest number of the manufacturer’s products available is established.
Finally, if none of the above criteria can be used, the Member State where the largest number of users of the manufacturer’s products are located.
Legacy Products: What About Products Already on the Market?
The reporting requirements are not limited to new products. They also apply to products placed on the market before the CRA’s application date. In other words, if your product is still in use and supported, you will need to comply with the CRA vulnerability reporting rules, even if it was launched years before the regulation.
Penalties for Non-Compliance
The CRA introduces strict fines for failing to meet vulnerability reporting obligations, which are up to €15 million or up to 2.5% of the previous year’s global turnover, whichever is higher.
Additional consequences may include product recalls, suspension from the EU market, or loss of CE marking.
Strategic Takeaways for Manufacturers
Vulnerability reporting under the CRA is more than a compliance box-ticking exercise. It requires:
Clear vulnerability classification processes (basic, exploitable, actively exploited).
Incident response readiness to meet the 24h / 72h / 14d deadlines.
Integration with vulnerability databases like KEV and EUVD.
Prepared communication channels with CSIRTs, authorities, and users.
Manufacturers who prepare early can not only avoid fines but also strengthen customer trust and product resilience.
The CRA’s vulnerability reporting obligations raise the bar for accountability in product security. With clear definitions, strict timelines, and no grandfathering for legacy products, manufacturers must act now to prepare their processes. Manufacturers that embrace these obligations can differentiate themselves by showing they take product security seriously, turning compliance into a competitive advantage and mitigating severe penalties for non-compliance.