For products with digital elements within the CRA’s scope, actively exploited vulnerabilities are reported to ENISA through a single reporting platform. The timeline is aggressive: a 24-hour early warning, a 72-hour vulnerability notification, and a 14-day final report. CRA reporting is triggered by actively exploited vulnerabilities, not by all incidents; the distinction matters for triage.

Pre-drafted templates for the ENISA early warning and the full vulnerability notification should be maintained by the Legal and Regulatory Advisor. Ongoing CRA vulnerability management obligations also affect the AISDP’s maintenance cycle: the vulnerability management register serves as evidence for both CRA compliance and Module 9.

If the system is not within the CRA’s scope (for example, a purely cloud-hosted SaaS system), this article is documented as not applicable, with the scope determination reasoning recorded.

Key outputs

• CRA reporting stream (24h/72h/14d) to ENISA
• Triggered by actively exploited vulnerabilities specifically
• Pre-drafted ENISA notification templates
• Module 9 AISDP documentation