
Annex I, Part II of Regulation (EU) 2024/2847 requires every manufacturer to implement a coordinated vulnerability disclosure policy. Article 13(6) requires you to have a contact address for vulnerability reports. Article 14 requires you to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. These are not optional program enhancements — they are legal obligations with enforcement from September 2026. CRACheck generates the CVD policy document alongside the full 8-document dossier.

The CRA's vulnerability handling requirements under Annex I, Part II go beyond existing bug bounty or PSIRT practices. They mandate specific elements: a policy for identifying and documenting vulnerabilities, timely remediation through security updates, coordinated disclosure of fixed vulnerabilities, mechanisms for sharing information about vulnerabilities, and distribution of updates free of charge for the support period. Additionally, Article 14 establishes the ENISA notification timeline: 24-hour early warning, 72-hour notification, 14-day final report. CRACheck generates a structured CVD policy covering all Annex I, Part II requirements as part of the 8-document dossier. €149 per product. 15-25 minutes. Browser-side only.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Annex I Part II · Art. 14 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

24 hours: maximum time to submit the ENISA early warning after becoming aware of an actively exploited vulnerability (Art. 14(2)(a))
Sept 2026: Art. 14 vulnerability reporting obligations apply 15 months before full CRA enforcement
€149: CVD policy plus 7 supporting documents in a single session

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Establish your vulnerability intake channel
Article 13(6) requires a contact address for reporting vulnerabilities. CRACheck structures this into a formal intake policy: dedicated email, security.txt, and/or web form.

2. Define response timelines
Annex I, Part II requires timely remediation. Your CVD policy must specify: acknowledgment SLA, initial triage timeline, fix development target, and coordinated disclosure date.

3. Structure the ENISA notification process
Article 14 defines three mandatory notifications for actively exploited vulnerabilities: (a) 24-hour early warning, (b) 72-hour detailed notification, (c) 14-day final report. CRACheck generates a pre-structured template for each.

4. Define update distribution
Annex I, Part II(8) requires security updates to be provided free of charge and without undue delay. Your CVD policy describes how updates reach users.

5. Address coordinated disclosure
Annex I, Part II(5) requires disclosure of remediated vulnerabilities, including a description and information allowing users to apply the fix. Your CVD policy defines the disclosure timeline.

6. Generate the full dossier
The CVD policy is one of 8 documents. It integrates with the technical documentation (Art. 31), risk assessment (Art. 13), and user information (Annex II) as part of a unified compliance package.

7. Operationalize before September 2026
CRACheck documents the templates and policy; your incident response team implements the operational process behind them.
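The Article 14 clock behind step 3 is what a PSIRT has to run operationally once the policy exists. The tracker below is an added example, not CRACheck's code: it derives the 24-hour, 72-hour and 14-day deadlines from the moment of awareness and reports each stage as submitted, late, due or overdue. The case id, stage names and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Article 14 notification stages for an actively exploited vulnerability,
# each measured from the moment the manufacturer became aware of it.
ARTICLE_14_STAGES = (
    ("early_warning", timedelta(hours=24)),  # Art. 14(2)(a) early warning
    ("notification", timedelta(hours=72)),   # 72-hour detailed notification
    ("final_report", timedelta(days=14)),    # 14-day final report
)

def _ts(iso):
    """Parse ISO 8601; reject naive timestamps so deadlines are unambiguous."""
    t = datetime.fromisoformat(iso)
    if t.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {iso}")
    return t

@dataclass
class ExploitedVulnCase:
    case_id: str
    aware_at: datetime
    submitted: dict = field(default_factory=dict)  # stage -> datetime sent
    @classmethod
    def open(cls, case_id, aware_iso):
        return cls(case_id, _ts(aware_iso))
    def deadlines(self):
        return {stage: self.aware_at + delta for stage, delta in ARTICLE_14_STAGES}
    def record_submission(self, stage, at_iso):
        if stage not in dict(ARTICLE_14_STAGES):
            raise ValueError(f"unknown Article 14 stage: {stage}")
        self.submitted[stage] = _ts(at_iso)
    def status(self, now_iso):
        """Per-stage status as of now_iso: submitted | late | due | overdue."""
        now, out = _ts(now_iso), {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is not None:
                out[stage] = "submitted" if sent <= due else "late"
            else:
                out[stage] = "due" if now <= due else "overdue"
        return out

def demo():
    # Constructed scenario: aware 14 Sept 2026 09:00 UTC, early warning sent
    # 20 hours later, nothing else yet; status checked 4 days after awareness.
    case = ExploitedVulnCase.open("CASE-EXAMPLE-001", "2026-09-14T09:00:00+00:00")
    case.record_submission("early_warning", "2026-09-15T05:00:00+00:00")
    return case.status("2026-09-18T09:00:00+00:00")
```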

Common mistakes

PROGRAM vs POLICY

"We have a bug bounty program on HackerOne — that covers CRA vulnerability disclosure requirements"

A bug bounty program is a voluntary incentive mechanism for researchers. CRA Annex I, Part II requires a documented vulnerability handling process covering identification, documentation, remediation, disclosure, and update distribution. Article 14 adds mandatory ENISA notification timelines. A bug bounty program may be one component of your CVD implementation, but it does not constitute the CRA-required policy document. CRACheck generates the regulatory policy; your bug bounty program remains an operational complement.

EARLY ENFORCEMENT

"We will start building our CVD process in 2027 with the rest of CRA compliance"

Article 14 vulnerability reporting obligations apply from 11 September 2026 — 15 months before full CRA enforcement. By that date, you must be able to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. This requires an operational vulnerability handling process and notification infrastructure. Starting in 2027 means missing the September 2026 deadline.

DOCUMENTATION REQUIREMENT

"We patch critical vulnerabilities quickly — we do not need a formal policy"

Annex I, Part II requires documented processes, not just operational practice. "We patch quickly" is not a policy. A documented CVD policy specifies: intake channels, response SLAs, triage criteria, remediation timelines, disclosure procedures, and update distribution mechanisms. Market surveillance authorities request the documented policy, not a verbal description of your patching speed.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it addresses.

1. Product Classifier
Annex III classification. Products with security functions (Important Class I/II) face heightened scrutiny on vulnerability handling.

2. Technical Documentation
Art. 31 + Annex VII with vulnerability handling processes integrated.

3. Risk Assessment
Art. 13(2)-(3) risk assessment including vulnerability exploitation scenarios.

4. User Information
Annex II including vulnerability notification channels for users and the security update mechanism.

5. Declaration of Conformity
Art. 28 + Annex V covering Annex I, Part II compliance.

6. CVD Policy
The primary deliverable: a structured coordinated vulnerability disclosure policy covering every requirement in Annex I, Part II. Includes intake channel specification, response timelines, triage criteria, remediation process, coordinated disclosure framework, and update distribution procedure.

7. Notification Template
Art. 14 ENISA notification templates: (a) 24-hour early warning form, (b) 72-hour vulnerability notification form, (c) 14-day final report structure. Pre-structured and ready for your PSIRT to use.

8. Obligations Calendar
CVD-specific dates: Art. 14 reporting from September 2026, full enforcement December 2027, support period for vulnerability handling obligations.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

Cybersecurity consultancy
€15,000–€35,000
6–12 weeks including stakeholder workshops and policy review cycles. €5K–€15K for the CVD policy alone + €10K–€20K for supporting technical documentation.

Last regulatory check: 1 May 2026 · No substantive changes detected