A CVD policy is no longer optional under the CRA. Annex I, Part II, point (5) makes it an essential cybersecurity requirement — not a best practice, not a nice-to-have, but a legal obligation documented in the technical file per Annex VII, point 2(b). The policy must facilitate the reporting of vulnerabilities. Point (6) requires a mechanism to receive reports from users and security researchers. Annex II, point (9) requires the vulnerability reporting contact to be included in user information. Point (11) requires a reference to the CVD policy. The 90-day disclosure window referenced in Recital 74 is the industry standard adopted by CERT/CC and most national CSIRTs. CRACheck generates the CVD policy structured per these requirements, integrated into the 8-document technical file. 15–25 minutes. €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Annex I, Part II, point (6) requires a mechanism to receive reports "from users and security researchers." An intake process limited to paid pentesting engagements or internal bug bounties does not satisfy the open channel requirement. External researchers and end users must be able to report.
A reporting email alone does not constitute a "coordinated vulnerability disclosure policy" per Annex I, Part II, point (5). The policy must document scope, timelines, process, safe harbour, and coordination rules. Annex II, point (11) requires the user information to reference this policy document.
While the CRA does not explicitly mandate safe harbour, the EU CVD framework under NIS2 and the coordinated disclosure culture referenced in Recital 74 strongly support it. Threatening researchers who report through your published channel undermines the entire CVD mechanism and creates reputational and regulatory risk.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Category per Annex III/IV. All categories require a CVD policy — the requirement is universal under Annex I, Part II.
Annex VII, point 2(b) references the CVD policy as part of the vulnerability handling process documentation.
Per Art. 13(2)–(3). The CVD policy is a risk mitigation measure for undiscovered vulnerabilities.
Per Annex II, points (9) and (11): vulnerability reporting contact and CVD policy reference.
Per Art. 28 and Annex V.
The core deliverable for this landing page. Structured per Annex I, Part II, point (5): scope, reporting channel, acknowledgement timeline, triage process, fix timeline, 90-day coordinated disclosure, safe harbour, escalation to Art. 14 reporting, communication plan.
Per Art. 14. Connected to the CVD policy: vulnerabilities reported through CVD that are actively exploited trigger Art. 14 notification.
Maps CVD policy review dates and Art. 14 reporting deadlines.
See before you buy: a sample dossier (PDF, fictional company) is available for download. Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
Hiring a cybersecurity consultancy to draft a CVD policy, set up the reporting channel, train the triage team, and integrate with the Art. 14 notification process.
CRACheck generates the CVD Policy document structured per Annex I, Part II, point (5), with scope, timelines, process, safe harbour, and Art. 14 escalation. It integrates the policy into the Annex VII technical file (point 2b), cross-references it in the User Information (Annex II, points 9 and 11), and connects it to the Notification Template for Art. 14 escalation scenarios.
CRACheck does not operate your CVD process. It does not receive vulnerability reports. It does not triage, assess, or patch vulnerabilities. It does not coordinate disclosure with reporters. You must run the CVD process. CRACheck generates the policy that structures it per the CRA requirements.
The policy defines how you handle reports. CRACheck builds the policy. You operate it.
Art. 64(2).
Art. 64(3).
Art. 64(4).
| Criterion | No CVD policy | Security consultancy | Generic template | CRACheck |
|---|---|---|---|---|
| CRA Annex I Part II compliance | Non-compliant | Yes (if CRA-specific) | Partial — not CRA-mapped | Yes — point (5) + (6) |
| Annex VII integration | Missing | Separate document | Standalone | Automatic |
| Time to deliverable | — | 4–8 weeks | 1–2 weeks | 15–25 minutes |
| Cost | €0 (+ fine risk) | €8K–€20K | €1K–€3K | €149 one-time |
Even products sharing the same security@domain.com address require separate CVD policy documentation referencing their specific product identifiers and Annex VII technical files per Art. 31. Volume pricing: €99/product (10-pack) or €79/product (30-pack).
CRACheck generates a structured CVD Policy document according to Annex I, Part II, point (5) of Regulation (EU) 2024/2847, based on the information you provide. The operational readiness and effectiveness of your CVD process is your responsibility as manufacturer.
We guarantee that the document structure follows Annex I, Part II of Regulation (EU) 2024/2847 and that all legal references cited are correct. We do not guarantee that a specific CVD policy will be deemed adequate by a market surveillance authority or CSIRT in a specific case.
CRACheck is not legal advice. For specific questions about CVD process design, safe harbour legal language, or CSIRT coordination, consult with a qualified cybersecurity or legal professional.