The CRA's vulnerability handling requirements under Annex I, Part II go beyond existing bug bounty or PSIRT practices. They mandate specific elements: a policy for identifying and documenting vulnerabilities, timely remediation through security updates, coordinated disclosure of fixed vulnerabilities, mechanisms for sharing information about vulnerabilities, and distribution of updates free of charge for the support period. Additionally, Article 14 establishes the ENISA notification timeline: 24-hour early warning, 72-hour notification, 14-day final report. CRACheck generates a structured CVD policy covering all Annex I, Part II requirements as part of the 8-document dossier. €149 per product. 15-25 minutes. Browser-side only.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
A bug bounty program is a voluntary incentive mechanism for researchers. CRA Annex I, Part II requires a documented vulnerability handling process covering identification, documentation, remediation, disclosure, and update distribution. Article 14 adds mandatory ENISA notification timelines. A bug bounty program may be one component of your CVD implementation, but it does not constitute the CRA-required policy document. CRACheck generates the regulatory policy; your bug bounty program remains an operational complement.
Article 14 vulnerability reporting obligations apply from 11 September 2026 — 15 months before full CRA enforcement. By that date, you must be able to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. This requires an operational vulnerability handling process and notification infrastructure. Starting in 2027 means missing the September 2026 deadline.
Annex I, Part II requires documented processes, not just operational practice. "We patch quickly" is not a policy. A documented CVD policy specifies: intake channels, response SLAs, triage criteria, remediation timelines, disclosure procedures, and update distribution mechanisms. Market surveillance authorities request the documented policy, not a verbal description of your patching speed.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Annex III classification. Products with security functions (Important Class I/II) face heightened scrutiny on vulnerability handling.
Art. 31 + Annex VII with vulnerability handling processes integrated.
Art. 13(2)-(3) risk assessment including vulnerability exploitation scenarios.
Annex II including vulnerability notification channels for users and security update mechanism.
Art. 28 + Annex V covering Annex I, Part II compliance.
The primary deliverable: structured coordinated vulnerability disclosure policy covering every requirement in Annex I, Part II. Includes intake channel specification, response timelines, triage criteria, remediation process, coordinated disclosure framework, and update distribution procedure.
Art. 14 ENISA notification templates: (a) 24-hour early warning form, (b) 72-hour vulnerability notification form, (c) 14-day final report structure. Pre-structured and ready for your PSIRT to use.
CVD-specific dates: Art. 14 reporting from September 2026, full enforcement December 2027, support period for vulnerability handling obligations.
Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
Generates the CVD policy document required under Annex I, Part II and the ENISA notification templates per Article 14. These are the regulatory deliverables — the documented frameworks your incident response team uses when an actively exploited vulnerability is discovered.
Does not implement your PSIRT team. Does not set up your vulnerability tracking system. Does not operate your security inbox. Does not triage vulnerability reports. Does not push security updates to users. Those are operational security functions your team manages.
CRACheck provides the policy document and notification templates. Your PSIRT team operates the process. The document describes what you do; the operations make it true.
Article 64 of Regulation (EU) 2024/2847 explicitly covers non-compliance with Annex I requirements (including Part II vulnerability handling) and Article 14 notification obligations.
Documentation obligations.
Misleading information.
| Criteria | Cybersecurity consultancy | Bug bounty platform | ISO 30111 implementation | CRACheck |
|---|---|---|---|---|
| Time to CVD policy | 6-12 weeks | Platform setup (no CRA policy) | 8-16 weeks | 15-25 minutes |
| Cost | €15,000-€35,000 | $10K-$30K/yr (no CRA docs) | €20,000-€40,000 | €149 |
| Covers Annex I Part II | If specified | No | Partially (ISO, not CRA) | Yes — every requirement |
| Includes ENISA Art. 14 templates | Varies | No | No | Yes — 3 notification forms |
While your organization may have a single PSIRT, each product's CRA documentation must reference its specific vulnerability handling procedures. CRACheck generates per-product documentation. Volume pricing: 10 products at €99, 30 at €79.
CRACheck generates a structured CVD policy document according to Annex I, Part II of Regulation (EU) 2024/2847, plus ENISA notification templates per Article 14, from the information you provide. The accuracy of that information is your responsibility as the manufacturer.
We guarantee that the CVD policy structure covers Annex I, Part II requirements and that the notification templates follow Article 14 specifications. We do not guarantee that a specific policy will satisfy a market surveillance authority's assessment.
CRACheck is not legal advice. For complex vulnerability disclosure scenarios (multi-vendor vulnerabilities, government-mandated disclosure), consult a qualified cybersecurity attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.