ProofwrightWalkthrough

The CRA incident-reporting clock

24 hours, 72 hours, 14 days — the early-warning and notification deadlines when an exploited flaw is found, and what each one needs.

When an actively exploited vulnerability or serious incident hits, the CRA starts a clock. Here's what each deadline needs — and how evidence you already keep makes it survivable.

1

T+0 — detection

An actively exploited vulnerability in your product, or an incident affecting its security, is confirmed. The clock starts now.

2

Within 24h — early warning

An early-warning notification to your CSIRT and ENISA: what happened, whether it's exploited, and which member states are affected.

3

Within 72h — notification

A fuller notification: severity, impact, and any corrective or mitigating measures taken so far.

4

Within 14 days — final report

Once it's handled: root cause, the full mitigation, and the fix rolled out to affected users.

this is Proofwright

It's live.

See the real thing at Proofwright.