CRA reporting obligations explained

In just over a year, the first batch of CRA requirements will take effect: manufacturers will have to report actively exploited vulnerabilities contained in their products and severe incidents having an impact on the security of their products to ENISA, their member state, and the product’s users. But what exactly is the difference between exploited vulnerabilities and severe incidents?

👉 Let’s start with the easier one: actively exploited vulnerabilities. The CRA defines an actively exploited vulnerability as “a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.” Simply put: if a manufacturer becomes aware that one of their products is actively being exploited by an attacker, they must report it.

👉 But what about a severe incident? Here the CRA points to NIS2, which deals with organisational security. So, an incident having an impact on the security of a product means an organisational incident that could compromise the security of one or more of the manufacturer’s products. Since the CRA interprets “severe” quite broadly, it is reasonable to assume that any such incident will fall under severe.

[Figure: A visual overview of the reporting obligations]

🔎 To make this clearer, here are some examples:

Example 1: A smart lock manufacturer receives reports that people are exploiting a flaw in their Bluetooth implementation to break into homes. -> actively exploited vulnerability

Example 2: The same manufacturer discovers that someone broke into their office and accessed the private keys used to sign firmware updates. An attacker could use these keys to sign malicious firmware and compromise the product. -> severe incident

Example 3: The manufacturer notices that a list of customer names and revenues has been stolen. Since this has no impact on the product’s security, it does not qualify as a relevant incident under the CRA.

Now, let’s say you’re a manufacturer and become aware of an actively exploited vulnerability or a severe incident. What do you need to do concretely?

✅ Obligation 1: Within 24 hours -> send an early warning to ENISA and your member state (via a web portal currently being built).

✅ Obligation 2: Within 3 days -> follow up with a more detailed report.

✅ Obligation 3: After resolving the issue -> submit a final report. On request, you may also need to send an intermediate report.

✅ Obligation 4: Inform the product’s users.

⚠️ Interesting detail: until the CRA fully enters into force at the end of 2027, there is no obligation to patch the product. The article entering into effect next year only covers reporting, not remediation.[1]


[1] This is a somewhat contentious topic. I expect it to be clarified in commission guidance in Q1 of 2026.