24-hour mandatory reporting deadline

Automate ENISA Vulnerability Reporting

The CRA requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours. Complaro generates pre-filled Article 14 reports instantly from your SBOM and vulnerability data.

What CRA Article 14 Requires

Article 14 of the CRA mandates a three-stage reporting process when manufacturers become aware of an actively exploited vulnerability in their product.

24h: Early Warning

Within 24 hours of becoming aware that an actively exploited vulnerability exists in your product, submit an early warning to ENISA. This must include an indication that the vulnerability is suspected to be actively exploited and preliminary product information.

What Complaro provides: Automatic detection via CISA KEV cross-referencing, pre-filled early warning template with product and vulnerability identifiers.

72h: Incident Notification

Within 72 hours, submit a detailed notification including: general description of the vulnerability, initial severity assessment, corrective measures taken or planned, and whether the vulnerability is known to affect other manufacturers' products.

What Complaro provides: CVSS severity scoring, affected component analysis from your SBOM, suggested corrective measures based on available patches, cross-manufacturer impact assessment.

14d: Final Report

Within 14 days, submit a final report with: detailed vulnerability description and root cause, severity and impact assessment, complete list of affected products and versions, all corrective measures applied, and information shared with users and the public.

What Complaro provides: Full vulnerability analysis, affected version matrix, patch status tracking, user notification templates, exportable PDF report.

Why Manual ENISA Reporting Fails

24 hours is not enough time

When a zero-day drops and CISA adds it to the KEV catalog, you have 24 hours. Finding which of your products are affected, gathering component data, and drafting a report from scratch is nearly impossible under time pressure.

Data lives in too many places

Vulnerability details are in NVD. Your component list is in your SBOM. Product information is in your internal systems. Patching status is in your CI pipeline. Manual reporting means copy-pasting across a dozen sources.

Three reports, three deadlines

It is not one report. It is three reports with escalating detail requirements at 24 hours, 72 hours, and 14 days. Missing any deadline puts you in non-compliance.

Penalties are severe

Non-compliance with CRA reporting obligations can result in fines up to EUR 15 million or 2.5% of worldwide annual turnover. Products can be ordered withdrawn from the EU market.

How Complaro Automates ENISA Reporting

1. Continuous CISA KEV Monitoring

Complaro monitors the CISA Known Exploited Vulnerabilities catalog in real time. When a CVE on the KEV list matches a component in any of your products' SBOMs, you're alerted immediately, often before your team even hears about the vulnerability.

2. Automatic Report Pre-filling

The moment an actively exploited vulnerability is detected, Complaro pulls together everything needed for the ENISA report: vulnerability ID and description, affected product names and versions, component details from your SBOM, CVSS severity score, and available patch information.

3. Review and Submit

Your security team reviews the pre-filled report, adds any internal context, and submits. What would take hours of scrambling is reduced to minutes of review. The 72-hour and 14-day follow-up reports are pre-populated with updated information as the situation evolves.
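The three steps above, sketched as an added example (not Complaro's code): vulnerability findings in a CycloneDX-style SBOM are intersected with a KEV feed, and each match becomes a draft record carrying the three deadlines from this page. The sample data, the placeholder CVE IDs, the function name build_drafts, and counting all three deadlines from the moment of awareness are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Stage offsets as stated on this page: 24 hours, 72 hours, 14 days.
# Assumption: all three clocks start at the moment of awareness.
STAGES = {"early_warning": timedelta(hours=24),
          "incident_notification": timedelta(hours=72),
          "final_report": timedelta(days=14)}

# Constructed sample in the layout of the CISA KEV JSON feed (IDs are placeholders).
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-09-14"},
  {"cveID": "CVE-0000-0999", "dateAdded": "2026-09-14"}]}""")

# Constructed CycloneDX-style SBOM whose "vulnerabilities" section came from a scanner.
SBOM_SAMPLE = json.loads("""{
  "metadata": {"component": {"name": "example-gateway", "version": "2.3.1"}},
  "components": [
    {"bom-ref": "c1", "name": "libexample", "version": "1.4.2",
     "purl": "pkg:generic/libexample@1.4.2"},
    {"bom-ref": "c2", "name": "othersdk", "version": "0.9.0"}],
  "vulnerabilities": [
    {"id": "cve-0000-0001", "ratings": [{"score": 9.8}], "affects": [{"ref": "c1"}]},
    {"id": "CVE-0000-0002", "ratings": [{"score": 5.3}], "affects": [{"ref": "c2"}]}]}""")


def build_drafts(sbom, kev, aware_at):
    """Return one draft record per SBOM finding whose CVE is on the KEV list."""
    kev_by_id = {v["cveID"].upper(): v for v in kev.get("vulnerabilities", [])}
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    product = sbom.get("metadata", {}).get("component", {})
    drafts = []
    for vuln in sbom.get("vulnerabilities", []):
        cve = vuln.get("id", "").upper()  # scanners differ in letter case
        if cve not in kev_by_id:
            continue  # known vulnerability, but not flagged as actively exploited
        hit = [components[a["ref"]] for a in vuln.get("affects", [])
               if a.get("ref") in components]
        scores = [r["score"] for r in vuln.get("ratings", []) if "score" in r]
        drafts.append({
            "cve": cve,
            "product": f'{product.get("name")} {product.get("version")}',
            "components": [c.get("purl") or f'{c["name"]}@{c["version"]}' for c in hit],
            "cvss": max(scores) if scores else None,  # reviewer fills in if unscored
            "kev_date_added": kev_by_id[cve]["dateAdded"],
            "deadlines": {s: (aware_at + d).isoformat() for s, d in STAGES.items()},
        })
    return drafts


if __name__ == "__main__":
    aware = datetime(2026, 9, 14, 8, 30, tzinfo=timezone.utc)
    print(json.dumps(build_drafts(SBOM_SAMPLE, KEV_SAMPLE, aware), indent=2))
```

The KEV entry with no matching finding and the finding with no KEV entry both produce no draft; only the intersection starts a reporting clock.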

ENISA Reporting FAQ

When does the ENISA reporting obligation start?

September 11, 2026. From that date, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.

What counts as an 'actively exploited vulnerability'?

A vulnerability for which reliable evidence exists that a malicious actor has exploited it in a system without permission. The CISA Known Exploited Vulnerabilities catalog is the primary reference for actively exploited CVEs.

What happens if I miss the 24-hour deadline?

Non-compliance with CRA reporting obligations can result in fines up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher. Market surveillance authorities can also order products withdrawn from the EU market.

Does Complaro submit reports directly to ENISA?

Complaro generates the reports in the correct format with all required data pre-filled. When ENISA's reporting platform is live, we will integrate direct submission. Until then, reports are exported for manual submission.

How does Complaro detect actively exploited vulnerabilities?

By cross-referencing your SBOM components against the CISA KEV catalog, OSV.dev active exploitation flags, and GitHub Security Advisory severity indicators. When a match is found, you are alerted and the report generation begins automatically.

Be Ready Before September 2026

Don't wait until the first actively exploited vulnerability drops to figure out your reporting process.