
Annex I, Part II, point (5) of Regulation (EU) 2024/2847 requires your product to have a coordinated vulnerability disclosure policy. Point (6) requires an open mechanism to receive vulnerability notifications from users and security researchers. Recital 74 references the 90-day coordinated disclosure standard. CRACheck generates the CVD policy document as part of the 8-document package.

A CVD policy is no longer optional under the CRA. Annex I, Part II, point (5) makes it an essential cybersecurity requirement — not a best practice, not a nice-to-have, but a legal obligation documented in the technical file per Annex VII, point 2(b). The policy must facilitate the reporting of vulnerabilities. Point (6) requires a mechanism to receive reports from users and security researchers. Annex II, point (9) requires the vulnerability reporting contact to be included in user information. Point (11) requires a reference to the CVD policy. The 90-day disclosure window referenced in Recital 74 is the industry standard adopted by CERT/CC and most national CSIRTs. CRACheck generates the CVD policy structured per these requirements, integrated into the 8-document technical file. 15–25 minutes. €149.



Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

CVD requirements at a glance

Part II(5): CVD policy is an essential cybersecurity requirement
90 days: standard coordinated disclosure timeline (Recital 74)
Part II(6): open mechanism to receive reports from anyone

How to build a CRA-compliant CVD policy

1. Define scope
Which products, firmware versions, APIs, and services are covered by the policy. All products with digital elements under the CRA must be in scope.

2. Establish the reporting channel
Per Annex I, Part II, point (6): an open mechanism for users and security researchers. Typically: security@domain.com, a security.txt file (RFC 9116), or a web form. Published in user information per Annex II, point (9).

3. Define response timelines
Acknowledgement (typically 48–72 hours), triage (typically 5 business days), fix target (typically 90 days), coordinated public disclosure (90 days from report or upon fix, whichever is sooner).

4. Include safe harbour
Good-faith security researchers acting within the policy scope should not face legal action. The EU CVD framework under NIS2 Art. 12(1) supports this. State the safe harbour terms clearly.

5. Connect to Art. 14 reporting
If a vulnerability reported through CVD is found to be actively exploited, the Art. 14 notification pipeline activates. Document the internal escalation path from CVD triage to Art. 14 early warning.

6. Run CRACheck
Input your product and policy details. CRACheck generates the CVD Policy document structured per Annex I, Part II, point (5), cross-referenced with the Notification Template, User Information, and Technical Documentation.
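As an added example (not CRACheck's code and not text from the regulation), the Python below renders and checks the RFC 9116 security.txt that step 2 names as a reporting channel, and computes the step 3 deadlines (72-hour acknowledgement, 5 business days to triage, disclosure at 90 days or on fix, whichever is sooner). The domain, URLs and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder channel values for step 2; example.com is not a real endpoint.
CONTACT = "mailto:security@example.com"
POLICY_URL = "https://example.com/.well-known/cvd-policy.html"
TS = "%Y-%m-%dT%H:%M:%SZ"  # RFC 9116 Expires uses this ISO 8601 / RFC 3339 form

def utc(year, month, day):
    """Helper so dates in this example are unambiguous UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def build_security_txt(contact, policy_url, issued, valid_days=365):
    """Render security.txt per RFC 9116: Contact and Expires are mandatory there;
    Policy links the published CVD policy that Annex I, Part II, point (5) requires."""
    expires = (issued + timedelta(days=valid_days)).strftime(TS)
    return f"Contact: {contact}\nExpires: {expires}\nPolicy: {policy_url}\n"

def check_security_txt(text, now):
    """Flag what a reviewer would: missing mandatory fields, an expired file,
    or no Policy link (the 'no policy document' mistake discussed below)."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    problems = []
    if "Contact" not in fields:
        problems.append("missing Contact")
    if "Expires" not in fields:
        problems.append("missing Expires")
    elif datetime.strptime(fields["Expires"], TS).replace(tzinfo=timezone.utc) <= now:
        problems.append("file expired")
    if "Policy" not in fields:
        problems.append("missing Policy (no link to the CVD policy)")
    return problems

def cvd_timeline(report, fix=None):
    """Step 3 deadlines: acknowledge within 72h, triage within 5 business days,
    disclose 90 days after the report or when the fix ships, whichever is sooner."""
    triage, business_days = report, 0
    while business_days < 5:
        triage += timedelta(days=1)
        if triage.weekday() < 5:  # Monday..Friday
            business_days += 1
    disclose = report + timedelta(days=90)
    if fix is not None and fix < disclose:
        disclose = fix
    return {"acknowledge_by": report + timedelta(hours=72),
            "triage_by": triage, "disclose_on": disclose}
```

Serve the rendered text at /.well-known/security.txt and re-run the check before the Expires date passes, since an expired file is the most common way a published channel silently stops meeting the open-mechanism requirement.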

Three mistakes manufacturers make with CVD

CLOSED CHANNEL

Restricting vulnerability reports to contracted security firms or internal teams

Annex I, Part II, point (6) requires a mechanism to receive reports "from users and security researchers." An intake process limited to paid pentesting engagements or internal bug bounties does not satisfy the open channel requirement. External researchers and end users must be able to report.

NO POLICY DOCUMENT

Having a security@domain.com address but no published CVD policy

A reporting email alone does not constitute a "coordinated vulnerability disclosure policy" per Annex I, Part II, point (5). The policy must document scope, timelines, process, safe harbour, and coordination rules. Annex II, point (11) requires the user information to reference this policy document.

LEGAL THREATS

Threatening legal action against good-faith security researchers who report vulnerabilities

While the CRA does not explicitly mandate safe harbour, the EU CVD framework under NIS2 and the coordinated disclosure culture referenced in Recital 74 strongly support it. Threatening researchers who report through your published channel undermines the entire CVD mechanism and creates reputational and regulatory risk.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Category per Annex III/IV. All categories require a CVD policy — the requirement is universal under Annex I, Part II.

2. Technical Documentation
Annex VII, point 2(b) references the CVD policy as part of the vulnerability handling process documentation.

3. Risk Assessment
Per Art. 13(2)–(3). The CVD policy is a risk mitigation measure for undiscovered vulnerabilities.

4. User Information
Per Annex II, points (9) and (11): vulnerability reporting contact and CVD policy reference.

5. Declaration of Conformity
Per Art. 28 and Annex V.

6. CVD Policy
The core deliverable for this landing page. Structured per Annex I, Part II, point (5): scope, reporting channel, acknowledgement timeline, triage process, fix timeline, 90-day coordinated disclosure, safe harbour, escalation to Art. 14 reporting, communication plan.

7. Notification Template
Per Art. 14. Connected to the CVD policy: vulnerabilities reported through CVD that are actively exploited trigger Art. 14 notification.

8. Obligations Calendar
Maps CVD policy review dates and Art. 14 reporting deadlines.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Hiring a cybersecurity consultancy to draft a CVD policy, set up the reporting channel, train the triage team, and integrate with the Art. 14 notification process.

€8,000–€20,000
4–8 weeks. Does not include the rest of the CRA documentation.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected