CRA Compliance Report
EU Cyber Resilience Act Article 14 — Exploit Advancement Notification
How to use this report
This report alerts you when exploits for vulnerabilities in your portfolio advance in maturity — newly added to CISA KEV, becoming weaponized, or gaining ransomware/threat-actor attribution. Use it to:
- Identify which of your products contain the affected components.
- Test those products to verify exposure.
Under EU CRA Article 14, manufacturers must notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability in a product with digital elements. The 🔥 SLA-Breach Risk section flags findings carrying platform exploitation signals — potential candidates to investigate and disposition (confirm affected, or mark NOT_AFFECTED / VEX) before that 24-hour clock is treated as running.
KEV Source column shows which platform signal triggered: CISA means the CVE is in the public CISA KEV catalog, VcKEV means the CVE is in VulnCheck's KEV catalog (broader than CISA's), CISA+VcKEV means both. The 24-hour CRA notification clock anchors on the later of CISA's dateAdded (when the CISA catalog join succeeds for this row) and the platform's detected_date (when FS first observed this finding). If Notification Deadline is empty, neither timestamp was available — the row is flagged Unknown Clock and the 24-hour clock cannot be computed. Identify which of your products contain the listed components and either confirm a mitigation or file the ENISA notification.",
"newly_above": "Exploit signals for these CVEs advanced in maturity during the report window. They weren't CRA-relevant before, but a new KEV listing / weaponization / ransomware or threat-actor attribution puts them in scope now. Treat as the 'what changed today' list — identify affected products and start the triage.",
"re_emerged": "CVEs you previously marked resolved or not-affected that have gained a new exploit signal. Reverify the mitigation still holds. The previous_resolution column shows how the finding was originally closed.",
"still_in_triage": "Open triage items not yet decided. triage_age_days shows how long each has been pending. The risk: if exploit maturity advances on any of these, they jump to 🆕 or 🔥 and the 24-hour clock starts.",
"full_snapshot": "Complete inventory of CRA-relevant findings in scope. Reference list, not action items — the 🔥/🆕/🔁/⏰ sections above contain the rows that need attention this run."
} %}
{# 5 morning-queue sections. The Full Snapshot section gets a
page-break anchor in print so dense multi-section output paginates
to ~2 pages, restoring legacy layout (the @media print rule on
.cra-full-snapshot-anchor sets page-break-before: always). #}
{% for section in cra_sections %}
{% if section is mapping %}
{{ section.label }} ({{ section.count }})
{% if _section_callouts[section.key] is defined %}{{ _section_callouts[section.key] | safe }}
{% endif %} {% if section.count and section.count > 0 %}| {{ col.display }} | {% endfor %}||
|---|---|---|
| {{ cell_val }} | {% elif cell_val is none or cell_val == "None" or cell_val == "nan" or cell_val == "" %}{% else %} | {{ cell_val }} | {% endif %} {% endfor %}
Showing top {{ section.shown }} of {{ section.count }} — see CSV/XLSX for full set.
{% endif %} {% else %}No findings in this section.
{% endif %} {% endif %} {% endfor %} {# CISA-vs-CRA footnote — preserved verbatim. #}Note on SLA columns: The CRA notification clock
(cra_notification_at + 24h) is independent of CISA's US federal BOD 22-01
remediation deadline (cisa_remediation_due). The two SLAs serve different regulators.