TIOZ Howest

Howest Logo

Article 14 of the CRA Does Not Care About Your Holiday Planning

When we teach students, we know from experience that legal deadlines only become real for them when you walk them through a concrete scenario. This is why our cyber range and table top exercises are so successful.

So let us do exactly that for the Cyber Resilience Act (CRA).

The CRA sets a strict clock once a manufacturer becomes "aware" of an actively exploited vulnerability in a product with digital elements. There are three deadlines:

  • First, 24 hours for an Early Warning, submitted through the Single Reporting Platform to the coordinating CSIRT and ENISA.
  • Second, 72 hours for the follow-up Notification.
  • Third, 14 days from a corrective measure for the Final Report.

Nothing in Article 14 pauses that clock for a bank holiday, a long weekend, or a half-staffed office. Here is how that plays out for a manufacturer of connected smoke detectors, right before a national holiday weekend.

Get in touch with us!

Cover image

Quick facts

  • /

    The CRA reporting obligations apply from 11 September 2026

  • /

    24 hours: deadline for the Early Warning after becoming aware of an actively exploited vulnerability

  • /

    72 hours: deadline for the follow-up Notification

  • /

    14 days after a corrective measure: deadline for the Final Report

  • /

    Reports go through the ENISA Single Reporting Platform (SRP) to the coordinating CSIRT and ENISA

  • /

    The clock does not pause for weekends, public holidays, or absent staff

A timeline that will feel uncomfortably familiar

Wednesday, 15:50. A security researcher emails the company's general info address. The email contains a proof-of-concept and log files showing evidence of active exploitation. The staff member managing that inbox does not recognise it as a security disclosure. It gets filed under general customer queries.

Wednesday, 17:10. A second version of the same report arrives through a reseller. It is forwarded to the regional sales manager, who forwards it again to the CISO with the message "can you take a quick look before the weekend?" The CISO is already on the way to the airport for a long weekend.

Thursday (public holiday), 11:30. Working remotely from a holiday address, a developer confirms the vulnerability is present in two product lines already deployed with customers. The exploitation evidence holds up.

At this point, the question is no longer technical but a matter of business decisions you can prepare for:

  • Who decides whether this meets the Article 14 threshold?
  • Who holds access to the SRP account?
  • Who drafts the Early Warning, and who signs off on it, on a public holiday, with most of the team unreachable?

If awareness is later determined to have started Wednesday afternoon, the 24-hour window has already closed before anyone with the authority to act has even read the report.

Why this keeps happening

A technical lead who has lived through this kind of scenario put it simply: technical confirmation is rarely the bottleneck. Most engineering teams can validate a vulnerability within a few hours.

What separates organisations is whether they decided, in advance, three things:

  • Who owns the notification decision under Article 14?
  • How that person can be reached outside office hours?
  • What minimum information does an Early Warning need to contain?

Organisations that have rehearsed this once handle it calmly. Organisations encountering it for the first time lose the window to internal routing, not to technical uncertainty. We already have a few rehearsal scenarios, contact us if you are interested.

Three structural takeaways

1. Intake design matters. A report landing in a general support inbox needs a clearly signposted channel that routes it directly to people who recognise it as a CRA-relevant security disclosure, not a customer complaint.

2. Awareness is an organisational fact, not an individual one. A credible report sitting unread in a queue is itself a compliance risk. The process must be designed to minimise the time between first contact and a decision by someone with actual authority.

3. The notification decision needs a named owner and a designated deputy. Both must be able to act regardless of time zone, weekend, or public holiday. Exploited vulnerabilities do not check the corporate calendar before they surface.

Prepare before 11 September 2026, not after!

The reporting obligations of the Cyber Resilience Act apply from 11 September 2026. That gives manufacturers a clear window to design their intake channels, name their decision owners, and run at least one tabletop exercise before the clock becomes real.

Want to dig deeper? These are the best resources on CRA Article 14 and vulnerability reporting:

Our previous articles on CRA:

Authors

  • /

    Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder & LLL Coordinator

Want to know more about our team?

Visit the team page

Last updated on: 7/8/2026

/

Related articles