{% if not fragment_mode %} {% include "_standalone_shell.html" %} {% include "_design_system.html" %} {% endif %}
{# ── Header block ── #}
{% include "_default_logo.html" %}

CRA Compliance Report

EU Cyber Resilience Act Article 14 — Exploit Advancement Notification
{# ── Metadata block ── #} {# ── How to use this report ── #}

How to use this report

This report alerts you when exploits for vulnerabilities in your portfolio advance in maturity — newly added to CISA KEV, becoming weaponized, or gaining ransomware/threat-actor attribution. Use it to:

  1. Identify which of your products contain the affected components.
  2. Test those products to verify exposure.

Under EU CRA Article 14, manufacturers must notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability in a product with digital elements. The 🔥 SLA-Breach Risk section flags findings where that clock applies.

{# ── CRA Notification Obligation banner ── #} {% if sla_breach_count and sla_breach_count > 0 %}
⚠️ {{ sla_breach_count }} actively-exploited vulnerabilit{% if sla_breach_count == 1 %}y{% else %}ies{% endif %} detected. EU CRA Article 14 requires notification to ENISA within 24 hours of becoming aware.
{% else %}
✅ No CRA-relevant findings requiring immediate notification.
{% endif %} {# ── KPI row (action-driven design-system cards) ── #}
Period
{{ kpi_period | default('—') }}
Total Findings
{{ kpi_total | default(0) }}
🔥 OVERDUE
{{ kpi_overdue | default(0) }}
DUE_SOON
{{ kpi_due_soon | default(0) }}
Unknown Clock
{{ kpi_unknown_clock | default(0) }}
{% if has_reachability %}
Reachable
{{ kpi_reachable | default(0) }}
{% endif %}
In Triage
{{ kpi_in_triage | default(0) }}
{# ── Per-section callout texts ── #} {% set _section_callouts = { "sla_breach": "These vulnerabilities are flagged as actively exploited by the FS platform. The KEV Source column shows which platform signal triggered: CISA means the platform marked the CVE as CISA-listed, VcKEV means FS's verified-compromise signal (exploitation observed in the wild beyond what CISA tracks), CISA+VcKEV means both. The 24-hour CRA notification clock anchors on the later of CISA's dateAdded (when the CISA catalog join succeeds for this row) and the platform's detected_date (when FS first observed this finding). If Notification Deadline is empty, neither timestamp was available — the row is flagged Unknown Clock and the 24-hour clock cannot be computed. Identify which of your products contain the listed components and either confirm a mitigation or file the ENISA notification.", "newly_above": "Exploit signals for these CVEs advanced in maturity during the report window. They weren't CRA-relevant before, but a new KEV listing / weaponization / ransomware or threat-actor attribution puts them in scope now. Treat as the 'what changed today' list — identify affected products and start the triage.", "re_emerged": "CVEs you previously marked resolved or not-affected that have gained a new exploit signal. Reverify the mitigation still holds. The previous_resolution column shows how the finding was originally closed.", "still_in_triage": "Open triage items not yet decided. triage_age_days shows how long each has been pending. The risk: if exploit maturity advances on any of these, they jump to 🆕 or 🔥 and the 24-hour clock starts.", "full_snapshot": "Complete inventory of CRA-relevant findings in scope. Reference list, not action items — the 🔥/🆕/🔁/⏰ sections above contain the rows that need attention this run." } %} {# ── Five morning-queue sections ── #} {% for section in cra_sections | default([]) %}

{{ section.label }} ({{ section.count }})

{% if _section_callouts[section.key] is defined %}

{{ _section_callouts[section.key] | safe }}

{% endif %} {% if section.count > 0 %} {% for col in section.columns %}{% endfor %} {% for row in section.rows %} {% for col in section.columns %} {% set cell_val = row[col.key] %} {% if col.key == "severity" and cell_val and cell_val not in ("", "None", "nan") %} {% elif cell_val is none or cell_val == "None" or cell_val == "nan" or cell_val == "" %} {% else %} {% endif %} {% endfor %} {% endfor %}
{{ col.display }}
{{ cell_val }}{{ cell_val }}
{% if section.truncated %}

Showing top {{ section.shown }} of {{ section.count }} — see CSV/XLSX for full set.

{% endif %} {% else %}

No findings in this section.

{% endif %} {% endfor %} {# ── CISA-vs-CRA footnote ── #}

Note on SLA columns: The CRA notification clock (cra_notification_at + 24h) is independent of CISA's US federal BOD 22-01 remediation deadline (cisa_remediation_due). The two SLAs serve different regulators.

{# ── Footer ── #} {% include "_default_footer.html" %}
{% if not fragment_mode %} {% endif %}