Incident Reporting
Track severe security incidents and meet CRA Article 14(3) ENISA deadlines.
Incident types
| Type | Description |
|---|---|
| Data Breach | Unauthorised access to or exposure of data |
| Integrity Compromise | Unauthorised modification of product code or data |
| Availability Disruption | Product or service unavailability (DoS, ransomware, outage) |
| Malicious Code Injection | Malware, backdoors, or trojans introduced into product |
| Authentication Bypass | Security control circumvention |
| Supply Chain Compromise | Build system breach or dependency hijacking |
| Other | Incidents not fitting above categories |
When ENISA reporting is required
An incident triggers ENISA reporting when either condition is met:
| Condition | Example |
|---|---|
| Suspected malicious or unlawful activity | Cyber attack, ransomware, data theft |
| Severity is Critical or High | Major service disruption, widespread user impact |
The Cause field drives this. Setting cause to "Unlawful/Malicious" always triggers ENISA deadlines.
Other cause options: Accidental, Technical Failure, Natural Event, Under Investigation, Unknown.
Creating an incident
- Go to Security Events > Report Incident
- Fill in: title, type, severity, cause, detection details, affected products
- Save
If ENISA-reportable, CRA Evidence calculates deadlines automatically from the detection timestamp.
ENISA deadlines (Track B)
CRA Article 14(3). Required for severe security incidents.
| Deadline | Timeframe | What to include |
|---|---|---|
| Early Warning | 24 hours | Basic info, affected products, suspected malicious activity, cross-border impact |
| Incident Notification | 72 hours | Updated assessment, severity, indicators of compromise, initial remediation |
| Final Report | 30 days | Full description, root cause, remediation measures, lessons learned |
Important: The final report deadline for incidents is 30 days, not 14 days. Vulnerability Track A (Art. 14(2)) uses a 14-day final report. Track B (incidents, Art. 14(3)) gives 30 days.
Recording submissions
After submitting to ENISA's portal:
- Open the incident
- Click Send Early Warning, Send Incident Notification, or Send Final Report
- Timestamp is logged for your audit trail
Deadlines are calculated from when you became aware of the incident. Late notification is better than none. Record your submission even if overdue.
Deadline indicators
| Colour | Meaning |
|---|---|
| Green | Deadline not yet reached |
| Yellow | Within 6 hours of deadline |
| Red | Deadline overdue |
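The reportability rule, Track B timeframes and colour thresholds above can be cross-checked outside the tool with a short script. This is an added example, not CRA Evidence code: the function names, the incident dictionary layout, the "Medium" severity value and the choice to show the exact deadline instant as Yellow are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Timeframes from the Track B table (CRA Article 14(3)).
TRACK_B = {
    "Early Warning": timedelta(hours=24),
    "Incident Notification": timedelta(hours=72),
    "Final Report": timedelta(days=30),
}
WARN_WINDOW = timedelta(hours=6)  # Yellow: within 6 hours of deadline


def is_enisa_reportable(cause: str, severity: str) -> bool:
    """Either condition from the page is enough to trigger ENISA reporting."""
    return cause == "Unlawful/Malicious" or severity in {"Critical", "High"}


def deadlines(detected_at: datetime) -> dict:
    """Absolute due time per notification, counted from the detection timestamp."""
    if detected_at.tzinfo is None:
        # Naive local times drift across DST changes and between sites.
        raise ValueError("detected_at must be timezone-aware")
    return {name: detected_at + delta for name, delta in TRACK_B.items()}


def indicator(due: datetime, now: datetime) -> str:
    """Colour for one deadline (assumption: exactly at the deadline is Yellow)."""
    if now > due:
        return "Red"
    if due - now <= WARN_WINDOW:
        return "Yellow"
    return "Green"


def status(incident: dict, now: datetime) -> dict:
    """Colour per Track B deadline; empty when the incident is not reportable."""
    if not is_enisa_reportable(incident["cause"], incident["severity"]):
        return {}
    due = deadlines(incident["detected_at"])
    return {name: indicator(when, now) for name, when in due.items()}


# Constructed sample: malicious cause makes it reportable despite the severity.
SAMPLE = {
    "cause": "Unlawful/Malicious",
    "severity": "Medium",  # assumed value, not listed on the page
    "detected_at": datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    now = datetime(2025, 3, 2, 4, 30, tzinfo=timezone.utc)
    for name, colour in status(SAMPLE, now).items():
        print(f"{name}: {colour}")
```
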
Incident lifecycle
Single forward path:
Detected -> Confirmed -> Contained -> Eradicated -> Recovered -> Lessons Learned -> Closed
| Stage | Description |
|---|---|
| Detected | Initial creation and triage |
| Confirmed | Verified as real incident |
| Contained | Immediate threat neutralised |
| Eradicated | Root cause removed |
| Recovered | Normal operations restored |
| Lessons Learned | Post-incident review completed |
| Closed | Incident fully resolved |
Each status change is logged with timestamp and user.
Incidents appear in the Active tab of the Security Events Hub while open. They move to History when status reaches Recovered, Lessons Learned, or Closed.
Linking affected products
- Open the incident detail page
- Click Add Affected Products
- Select the products and versions impacted
This ensures your technical file reflects the incident history.
Dashboard alerts
Overdue ENISA notifications show as a banner on the Security Events Hub. The ENISA overdue badge on the hub header shows the count of overdue items (both vulnerabilities and incidents combined).
Export
Incident data is included in technical file exports:
- Incident timeline and status history
- ENISA notification timestamps
- Affected products
- Remediation actions
This provides auditable evidence of your incident handling per CRA Article 11.
Best practices
| Practice | Why |
|---|---|
| Define reportability criteria upfront | Consistent decisions under pressure |
| Prepare ENISA notification templates | Faster response when incidents occur |
| Practice with tabletop exercises | Know who has authority for notifications |
| Document in real-time | Live notes are more reliable than reconstructed timelines |
| Coordinate security, legal, and comms early | Avoid bottlenecks during response |
ENISA Single Reporting Platform
Launches September 2026. CRA Evidence will support direct submission when available. Until then, submit through ENISA's portal and record the submission here.
Related documentation
- Vulnerability Workflow - Vulnerability detection, triage, and remediation
- VEX Management - VEX automation and CSAF advisories
- Technical File Export - Compliance bundles
- Organisation Settings - Security contacts and notification settings