The CRA incident-reporting clock
24 hours, 72 hours, 14 days — the early-warning and notification deadlines when an exploited flaw is found, and what each one needs.
When an actively exploited vulnerability or serious incident hits, the CRA starts a clock. Here's what each deadline needs — and how evidence you already keep makes it survivable.
T+0 — detection
An actively exploited vulnerability in your product, or an incident affecting its security, is confirmed. The clock starts now.
Within 24h — early warning
An early-warning notification to your CSIRT and ENISA: what happened, whether it's exploited, and which member states are affected.
Within 72h — notification
A fuller notification: severity, impact, and any corrective or mitigating measures taken so far.
Within 14 days — final report
Once it's handled: root cause, the full mitigation, and the fix rolled out to affected users.
It's live.
See the real thing at Proofwright.