
Incident reporting

The CRA requires manufacturers to report actively exploited vulnerabilities and severe incidents to regulators on a fixed schedule. Meshanics tracks those deadlines for you and records each step as it is taken, so the timeline is evidenced rather than reconstructed after the fact.

The platform manages the clock and the record. The actual submission still happens on the regulator's own platform — the tooling here makes sure you know what is due and when, and proves what you did.

Opening an incident

An incident is opened with a kind, a title, optional details, and the affected scope. Two kinds are recognised:

  • Exploited vulnerability — an actively exploited vulnerability in your product.
  • Severe incident — a severe incident having an impact on the security of the product.

You can set the detection time explicitly, or let it default to now; it cannot be in the future. Every reporting deadline is computed from that single detection moment.

A finding from the vulnerability watch can be promoted into an incident, which is the clean path from "we noticed something" to "the clock is running."

The reporting clock

The regulation defines three reporting stages, all measured from detection — not from each other:

Stage           Due from detection
Early warning   24 hours
Notification    72 hours
Final report    14 days (exploited vulnerability) / 30 days (severe incident)

The platform records each of these stages independently as you complete it. A step is marked once; because the clocks all run from detection, completing the early warning does not move the notification or final-report deadline. When the incident is fully handled you close it.

If an open incident passes a deadline without the corresponding step recorded, it is counted as overdue. That overdue count surfaces in the compliance and evidence reports, so an unmet obligation is visible rather than buried.

What is recorded

Opening an incident, marking each step, and closing it are all written to the append-only, hash-chained audit log, alongside who did it and when. The result is a tamper-evident timeline you can export and hand to a notified body or CSIRT as the annex to your submission.
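The reporting clock and the hash-chained record described above, as an added Python example that is not Meshanics code. The kind identifiers, entry fields, SHA-256-over-JSON encoding and all-zero first link are assumptions, since the page does not specify the log format.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

# Offsets from detection, taken from the table above.
EARLY, NOTIFY = timedelta(hours=24), timedelta(hours=72)
FINAL = {"exploited_vulnerability": timedelta(days=14),
         "severe_incident": timedelta(days=30)}
GENESIS = "0" * 64  # assumed "previous hash" for the first entry

def deadlines(kind, detected_at, now):
    """All three deadlines run from the single detection moment."""
    if detected_at > now:
        raise ValueError("detection time cannot be in the future")
    return {"early_warning": detected_at + EARLY,
            "notification": detected_at + NOTIFY,
            "final_report": detected_at + FINAL[kind]}

def overdue(kind, detected_at, completed, now):
    """Stages whose deadline has passed with no recorded step."""
    due = deadlines(kind, detected_at, now)
    return sorted(s for s, d in due.items() if d < now and s not in completed)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, actor, action, at):
    """Append an entry whose hash covers the previous entry's hash."""
    body = {"actor": actor, "action": action, "at": at.isoformat(),
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})

def verify(log):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: e[k] for k in ("actor", "action", "at", "prev")}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return i
        prev = e["hash"]
    return None

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample
    log = []
    append(log, "alice", "incident_opened", t0)
    append(log, "alice", "early_warning", t0 + timedelta(hours=20))
    print(overdue("exploited_vulnerability", t0, {"early_warning"}, t0 + timedelta(hours=80)))
    print(verify(log))
```

A chain like this shows an edit only to someone holding a hash the editor could not also rewrite, so the latest hash needs to be kept or published separately from the log itself.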

What stays with you

Filing the report on the regulator's platform, and deciding what the report says, remain the manufacturer's responsibility. The platform's job is to make the deadlines impossible to lose track of and the timeline impossible to dispute after the fact.