IR: Do you have a defined process for reporting and disseminating information about actively exploited vulnerabilities and severe incidents to users and authorities?
  • A coordinated vulnerability disclosure (CVD) policy is published and provides external reporters with guidance on how to submit security issues, expected response timelines, and conditions for responsible reporting
  • Defined criteria and timelines exist for notifying relevant authorities or coordination bodies about significant security incidents or actively exploited security defects, in accordance with applicable regulatory requirements
  • User notification procedures specify what information must be communicated to affected users, when, and through which channels
  • Post-incident reviews are conducted for high-severity incidents, with documented corrective actions fed back into the risk assessment and security requirements
Description

The Cyber Resilience Act (Article 14) imposes strict obligations on manufacturers to notify ENISA of any actively exploited vulnerability within 24 hours of becoming aware of it, followed by a detailed notification within 72 hours, and to inform affected users without undue delay along with guidance on corrective measures. Article 13(6) further requires manufacturers to have a coordinated vulnerability disclosure policy in place. Incident response is where these obligations converge; without a defined, rehearsed process, organizations risk missing regulatory notification deadlines and leaving users exposed longer than necessary.

Define and document a repeatable process for responding to detected security incidents, covering severity classification, owner assignment, containment actions, and post-incident review. Publish a coordinated vulnerability disclosure (CVD) policy that provides external reporters with clear guidance on how to submit security issues, expected response timelines, and conditions for responsible reporting. Establish defined criteria and timelines for notifying relevant authorities or coordination bodies (e.g., ENISA, national CSIRTs) about actively exploited vulnerabilities and severe incidents, ensuring alignment with the notification windows mandated by Article 14.

Ensure that affected users or customers are informed of incidents and, where applicable, provided with actionable guidance on corrective measures they can take. Document and retain all incident reports, notifications, and response actions for traceability and regulatory review. Treat incident response not as a purely reactive capability but as a process that is periodically tested and improved, so that when a real incident occurs the organization can respond within the timelines the regulation demands.
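The following is an added example (not SAMMY's own code, nor anything from the regulation) of how the process above can be made checkable rather than purely documented: each incident record carries its awareness timestamp, severity, exploitation status and assigned owner, and the tracker derives which obligations apply, their deadlines, and which are overdue. The 24-hour and 72-hour windows are the ones stated in the text; the user-notification target and the post-incident review window are assumed internal values, since the text gives no fixed clock for "without undue delay".

```python
"""Incident obligation tracker: an added example, not SAMMY's or the CRA's own code.

It models the notification process described above: an actively exploited
vulnerability starts a 24-hour clock for the early warning and a 72-hour
clock for the detailed notification, affected users are informed, and
high-severity incidents get a post-incident review. The user-notification
and review targets are assumed internal values, not figures from the text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

UTC = timezone.utc


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Windows stated in the text (Article 14); the clock starts at awareness.
AUTHORITY_EARLY_WARNING = timedelta(hours=24)
AUTHORITY_DETAILED = timedelta(hours=72)
# Assumed internal targets (hypothetical, chosen for this example): "without
# undue delay" for users, and a bounded window for the post-incident review.
USER_NOTIFICATION_TARGET = timedelta(hours=72)
POST_INCIDENT_REVIEW_TARGET = timedelta(days=30)


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                   # when the manufacturer became aware (tz-aware)
    severity: Severity
    actively_exploited: bool
    users_affected: bool
    owner: str                           # assigned owner, per the documented process
    completed: dict = field(default_factory=dict)  # action name -> when it was done

    def __post_init__(self) -> None:
        # A naive timestamp would silently shift deadlines by the local UTC offset.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")


def required_actions(inc: Incident) -> dict:
    """Map each obligation the incident triggers to its UTC deadline."""
    deadlines = {}
    if inc.actively_exploited:
        deadlines["authority_early_warning"] = inc.aware_at + AUTHORITY_EARLY_WARNING
        deadlines["authority_detailed"] = inc.aware_at + AUTHORITY_DETAILED
    if inc.users_affected:
        deadlines["user_notification"] = inc.aware_at + USER_NOTIFICATION_TARGET
    if inc.severity in (Severity.HIGH, Severity.CRITICAL):
        deadlines["post_incident_review"] = inc.aware_at + POST_INCIDENT_REVIEW_TARGET
    return {name: when.astimezone(UTC) for name, when in deadlines.items()}


def action_status(inc: Incident, now: datetime) -> dict:
    """Classify each obligation: done, late (done after its deadline), due, or overdue."""
    status = {}
    for name, deadline in required_actions(inc).items():
        done_at = inc.completed.get(name)
        if done_at is not None:
            status[name] = "done" if done_at <= deadline else "late"
        else:
            status[name] = "overdue" if now > deadline else "due"
    return status


def overdue_actions(inc: Incident, now: datetime) -> list:
    """Names of obligations whose deadline has passed without being completed."""
    return sorted(n for n, s in action_status(inc, now).items() if s == "overdue")


def hours_remaining(inc: Incident, now: datetime) -> dict:
    """Hours left for each open obligation (negative once the deadline has passed)."""
    return {
        name: round((deadline - now).total_seconds() / 3600, 2)
        for name, deadline in required_actions(inc).items()
        if name not in inc.completed
    }


# Constructed sample: a critical, actively exploited defect noticed at 09:00 UTC;
# the early warning went out the same evening, nothing else has been done yet.
SAMPLE = Incident(
    incident_id="INC-EXAMPLE-1",
    aware_at=datetime(2025, 3, 10, 9, 0, tzinfo=UTC),
    severity=Severity.CRITICAL,
    actively_exploited=True,
    users_affected=True,
    owner="product-security-lead",
    completed={"authority_early_warning": datetime(2025, 3, 10, 20, 30, tzinfo=UTC)},
)
NOW = datetime(2025, 3, 13, 12, 0, tzinfo=UTC)  # 75 hours after awareness

if __name__ == "__main__":
    for name, state in action_status(SAMPLE, NOW).items():
        print(f"{SAMPLE.incident_id} {name:24} {state}")
    print("overdue:", overdue_actions(SAMPLE, NOW))
    print("hours remaining:", hours_remaining(SAMPLE, NOW))
```

Run against the constructed sample, the tracker reports the early warning as done, the detailed notification and user notification as overdue (three hours past their 72-hour deadline), and the post-incident review as still due. The `completed` map doubles as the retained record of what was sent and when, which is the evidence a regulatory review will ask for; rejecting naive timestamps avoids the common failure of deadlines drifting by the reporter's local offset.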