Beta programme
Become a CRANIS2 beta tester. Sign up with code BETAUSER for a 90-day free trial (30 days plus 60 more) and help shape CRANIS2 before the CRA deadlines.
Join the beta
Non-Compliance Reporting Guide
What to do when you discover your product does not conform to the essential
cybersecurity requirements of the Cyber Resilience Act. This guide covers
the steps required of manufacturers, importers, and distributors.
Important:
Discovering non-compliance is not a failure — it is a normal part of
product lifecycle management. The CRA requires prompt, structured action.
The key obligations are to stop making the product available, take corrective
measures, and inform the relevant authorities.
Confirm the non-compliance
CRA Art. 13(2)
Assess whether your product genuinely fails to meet one or more essential
cybersecurity requirements set out in Annex I. Consider:
- Which specific requirement is not met?
- Is it a design flaw, implementation bug, or documentation gap?
- Does it affect products already on the market, or only pre-production units?
- What is the severity and scope of the non-compliance?
Stop making the product available
CRA Art. 13(2), Art. 18(5), Art. 19(3)
If the non-compliance presents a risk, you must not place the product on the
market (or withdraw it if already available) until it has been brought into
conformity. For software products, this may mean:
- Removing download links or disabling new installations
- Marking the affected version as deprecated
- Issuing a security advisory to existing users
Take corrective measures
CRA Art. 13(9), Art. 13(6)
Develop and deploy a fix, then verify it resolves the non-compliance:
- Develop a patch, configuration change, or updated version
- Provide the fix free of charge (Art. 13(8))
- Distribute the fix separately from feature updates (Art. 13(9))
- Verify the fix through testing and, where applicable, updated conformity assessment
- Notify all affected users of the corrective measure
Notify market surveillance authorities
CRA Art. 13(2), Art. 18(5), Art. 19(3)
Inform the market surveillance authorities of the member states where the
product has been made available. Your notification should include:
- Product identification (name, version, unique identifiers)
- Description of the non-compliance and the risk it presents
- Corrective measures taken or planned
- The affected member states and estimated number of affected users
- Contact details for the responsible person
If actively exploited — report to ENISA
CRA Art. 14
If the non-compliance involves an actively exploited vulnerability or a
severe incident, the ENISA reporting obligations under Art. 14 apply
in addition to the corrective measures above:
- 24 hours — Early warning to the designated CSIRT
- 72 hours — Notification with initial assessment
- 14 days (vulnerability) / 1 month (incident) — Final report
Check your incident response readiness →
Document everything
CRA Art. 13(10)
Retain full documentation of the non-compliance event, corrective measures,
and authority communications for at least 10 years. This forms part of your
technical documentation and compliance audit trail.
Role-specific obligations
Manufacturer
Art. 13(2) — Take all necessary corrective measures to bring the product into conformity, withdraw it, or recall it.
Art. 13(9) — Provide corrective security updates free of charge and separately from feature updates.
Art. 14 — Report to ENISA if the non-compliance involves an actively exploited vulnerability.
Importer
Art. 18(5) — Do not place or continue to make available a product you believe is non-compliant. Inform the manufacturer and market surveillance authorities.
Art. 18(7) — Report actively exploited vulnerabilities to ENISA within the same timelines as Art. 14.
Distributor
Art. 19(3) — Do not make available a product you believe is non-compliant. Inform the manufacturer or importer and market surveillance authorities.
Art. 19(4) — Report actively exploited vulnerabilities to ENISA within the same timelines as Art. 14.
Track non-compliance resolution
CRANIS2 tracks corrective actions, generates ENISA reports with AI-assisted
drafting, and maintains the full audit trail — so you can demonstrate
compliance to market surveillance authorities.
Manage compliance in CRANIS2