Vulnerability Management That Meets CRA Deadlines
Article 14 imposes continuous vulnerability management obligations – including 24-hour reporting of actively exploited vulnerabilities to ENISA. Kunnus automates detection, triage, remediation tracking, and regulatory reporting.
CRA Vulnerability Obligations in Detail
The CRA establishes the most prescriptive vulnerability management framework ever applied to product manufacturers in the EU.
Continuous Obligations (Annex I, Part II)
Identify and document vulnerabilities via SBOM, remediate without delay through free security updates, apply regular security tests, publicly disclose fixes with CVE identifiers, and maintain a CVD policy.
24-Hour Early Warning to ENISA
When an actively exploited vulnerability is discovered, manufacturers must submit an early warning to ENISA within 24 hours with basic impact information.
72-Hour Vulnerability Notification
Within 72 hours: general description, impact assessment, available corrective measures, and information on exploitation status.
14-Day Final Report
Within 14 days: detailed analysis, root cause, remediation measures taken, and residual risk assessment.
Vulnerability Lifecycle in Kunnus
From discovery to closure – every step tracked and documented.
Automated Detection
CVE correlation against NVD, OSV, and vendor feeds. CVSS scoring with contextual adjustments. Zero-day alerts and cross-product impact analysis.
Triage & Prioritization
Risk-based prioritization factoring CVSS, EPSS exploitability, product exposure, and component context. CRA SLA triggers for actively exploited vulnerabilities.
Remediation Tracking
Patch monitoring, SLA dashboards, update distribution logging, and regression tracking. Complete audit trail of all remediation actions.
Regulatory Reporting
ENISA-aligned report templates. Automated 24h/72h/14d countdown timers. Complete documentation of awareness, actions, and submissions.
Key Metrics for Auditors
Mean Time to Detect (MTTD)
Average time from CVE publication to your awareness. Demonstrates proactive monitoring capability as required by the CRA.
Mean Time to Remediate (MTTR)
Average time from awareness to patch release. Shows “without delay” remediation per Annex I.
ENISA Reporting Compliance Rate
Percentage of reportable events filed within 24h/72h/14d windows. Direct regulatory compliance evidence.
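As an added illustration (not Kunnus code), the deadline countdown and compliance-rate arithmetic described above, assuming the 24h/72h/14d windows run from the manufacturer's awareness timestamp and that each stage of each event is one reportable filing; the sample events are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# CRA Article 14 reporting stages, each measured from the moment the
# manufacturer becomes aware of the actively exploited vulnerability.
STAGES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}

@dataclass
class ReportableEvent:
    vuln_id: str                                # CVE or internal tracking id
    aware_at: datetime                          # timezone-aware awareness time
    filed: dict = field(default_factory=dict)   # stage -> submission timestamp

    def deadline(self, stage):
        return self.aware_at + STAGES[stage]

    def status(self, stage, now):
        """'on_time', 'late', or 'pending' (unfiled but deadline not yet passed)."""
        due = self.deadline(stage)
        filed_at = self.filed.get(stage)
        if filed_at is not None:
            return "on_time" if filed_at <= due else "late"
        return "pending" if now < due else "late"

    def remaining(self, stage, now):
        """Countdown to the stage deadline; negative once the window has closed."""
        return self.deadline(stage) - now

def compliance_rate(events, now):
    """Percentage of required filings submitted inside their window.
    Pending filings are excluded; an unfiled stage whose deadline has
    passed counts as late, so silence never inflates the rate."""
    decided = on_time = 0
    for ev in events:
        for stage in STAGES:
            s = ev.status(stage, now)
            if s == "pending":
                continue
            decided += 1
            on_time += 1 if s == "on_time" else 0
    return 100.0 * on_time / decided if decided else 100.0

# Constructed sample data (hypothetical ids, not real vulnerabilities).
T0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=5)
SAMPLE = [
    ReportableEvent("VULN-A", T0, {"early_warning": T0 + timedelta(hours=20),
                                   "notification": T0 + timedelta(hours=80)}),
    ReportableEvent("VULN-B", T0 + timedelta(days=4),
                    {"early_warning": T0 + timedelta(days=4, hours=23)}),
]
```

At NOW, VULN-A's 72-hour notification was filed eight hours late and its final report is still pending, so the sample rate is 2 of 3 decided filings, or 66.7%.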
24 Hours Starts Now
When an actively exploited vulnerability hits your product, the clock starts immediately. Kunnus ensures you detect, respond, and document within every deadline.