
The 8 vulnerability handling requirements of Annex I, Part II of Regulation (EU) 2024/2847: what each one demands of you for the full support period

Annex I, Part II of the Cyber Resilience Act lists eight numbered vulnerability-handling requirements that manufacturers must satisfy throughout the support period. They include an SBOM covering top-level dependencies, remediation ‘without delay’, regular security testing, public disclosure of fixed vulnerabilities, a coordinated vulnerability disclosure policy, a reporting contact, secure update distribution, and free dissemination of security updates. They apply alongside Article 13(8) (support period) and Article 14 (notification of actively exploited vulnerabilities). CRACheck builds the CVD policy and the Article 14 notification templates that close the documentation half of Part II.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Annex I Part II points 1-8 · SBOM (point 1) · CVD policy (point 5) · 100% browser-side

Three numbers that drive vulnerability handling

8 · Numbered requirements in Annex I, Part II
5 years · Minimum support period for vulnerability handling — Art. 13(8)
24 hours · Early warning to ENISA and the CSIRT coordinator for an actively exploited vulnerability — Art. 14(2)(a)

The 8 requirements, one by one

Each of the eight points below quotes the obligation verbatim from Annex I, Part II; two cross-cutting Article 13 obligations follow. The article references show what depends on each point.

1. Point (1) — Identify and document vulnerabilities and components; produce an SBOM
‘Identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products.’ The SBOM is mandatory but does not need to be published (Recital 77 + Art. 13(24)).

2. Point (2) — Remediate without delay; security updates separate from functionality updates where feasible
‘In relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates.’

3. Point (3) — Regular security tests and reviews
‘Apply effective and regular tests and reviews of the security of the product with digital elements.’ No frequency is specified; a risk-based interpretation is expected.

4. Point (4) — Public disclosure after a fix is available
‘Once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description, information allowing users to identify the affected product, the impacts, severity, and remediation help.’ In duly justified cases the manufacturer may delay disclosure until users have had the possibility to apply the patch.

5. Point (5) — Coordinated vulnerability disclosure policy
‘Put in place and enforce a policy on coordinated vulnerability disclosure.’ Referenced by Article 13(8) as a process the manufacturer must have. Aligns with Art. 12(1) of Directive (EU) 2022/2555 on CVD.

6. Point (6) — Contact address for vulnerability reports
‘Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements.’ This connects to the Single Point of Contact (Art. 13(17)).

7. Point (7) — Secure update distribution mechanism (automatic for security updates where applicable)
‘Provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.’ Recital 56 carves out products primarily integrated as components and products for professional ICT / industrial environments.

8. Point (8) — Free security updates with advisory messages
‘Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.’

9. Cross-cutting — Components and third-party software
Article 13(6): on identifying a vulnerability in an integrated component, including open-source, report it to the component’s manufacturer or maintainer, address and remediate it in your product, and where applicable share the relevant code or documentation in a machine-readable format.

10. Cross-cutting — Updates available for 10 years
Article 13(9): each security update made available during the support period must remain available after issuance for at least 10 years — or the remainder of the support period, whichever is longer.

Common mistakes

SBOM SCOPE

“We need a full transitive SBOM with every CVE”

Annex I, Part II, point (1) sets the floor at ‘the top-level dependencies of the products’ — not the full transitive graph. Recital 77 adds that the SBOM does not need to be public. A more comprehensive SBOM is best practice but not strictly required by the regulation.

DISCLOSURE TIMING

“We always disclose immediately when we discover a vuln”

Annex I, Part II, point (4) is explicit: public disclosure happens AFTER a security update is available, not before. In duly justified cases the manufacturer may delay further to give users time to patch. Pre-fix disclosure can amplify exploitation.

FREE-UPDATE EXCEPTION OVERREACH

“We can charge for security updates to enterprise customers”

Only in one narrow scenario: Annex I, Part II, point (8) allows divergence ‘between a manufacturer and a business user in relation to a tailor-made product’. Outside that bilateral, tailor-made setup, security updates must be free. Charging for security updates on standard products is a Tier 1 fine under Article 64(2).
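An added example (not part of this page or the CRACheck product) of what the point (1) floor looks like in practice, and of the SBOM-scope mistake above: it serialises the declared top-level dependencies into a CycloneDX 1.5 document, chosen here as an assumed ‘commonly used and machine-readable format’, and checks that every declared top-level dependency is present while deliberately leaving transitive packages out. The product and dependency data are constructed.

```python
import json

# Constructed sample of a build manifest. Only the outer entries are top-level;
# the "requires" lists are transitive packages, which point (1) does not demand.
TOP_LEVEL_DEPS = [
    {"name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3",
     "requires": ["urllib3", "charset-normalizer", "idna", "certifi"]},
    {"name": "cryptography", "version": "43.0.1", "purl": "pkg:pypi/cryptography@43.0.1",
     "requires": ["cffi"]},
]


def build_sbom(product_name, product_version, top_level):
    """Build a minimal CycloneDX 1.5 JSON document (the format is an assumption;
    the regulation only asks for a commonly used, machine-readable format).
    Transitive packages in "requires" are intentionally not emitted."""
    product_ref = f"pkg:generic/{product_name}@{product_version}"
    components = [
        {"type": "library", "bom-ref": d["purl"], "name": d["name"],
         "version": d["version"], "purl": d["purl"]}
        for d in top_level
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": product_ref,
                                   "name": product_name, "version": product_version}},
        "components": components,
        # Dependency graph: the product depends directly on each listed component.
        "dependencies": [{"ref": product_ref,
                          "dependsOn": [c["bom-ref"] for c in components]}],
    }


def missing_top_level(sbom, declared):
    """Return declared top-level dependencies (name@version) absent from the SBOM.
    An empty list means the Annex I, Part II, point (1) floor is met."""
    present = {(c["name"], c["version"]) for c in sbom.get("components", [])}
    return [f"{d['name']}@{d['version']}" for d in declared
            if (d["name"], d["version"]) not in present]


if __name__ == "__main__":
    sbom = build_sbom("example-gateway", "1.4.0", TOP_LEVEL_DEPS)
    print(json.dumps(sbom, indent=2))
    print("missing top-level dependencies:", missing_top_level(sbom, TOP_LEVEL_DEPS))
```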

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT · €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification and 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

PSIRT-AS-A-SERVICE / MANAGED CVD PROGRAMME · €30,000–€120,000/yr
Outsourced product security incident response team handling intake, triage, advisory writing, ENISA notification, secure release distribution. Recurring across the 5-year support period.

CRACHECK — SAME OUTPUT · €149
CRACheck generates the CVD policy (Part II, point 5), the SBOM-ready template (point 1), the ENISA / CSIRT notification templates (Art. 14) and the public advisory framework (point 4). Does not replace the runtime PSIRT — prepares its documentation.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Do I have to publish my SBOM?
No. Annex I, Part II, point (1) requires the SBOM to exist and be in a commonly used machine-readable format covering top-level dependencies. Recital 77 says ‘Manufacturers should not be obliged to make the SBOM public.’ Article 13(24) lets the Commission specify SBOM format and elements by implementing act. ADCO may, under Article 13(25), request SBOMs for category-level dependency assessments — those are then anonymised and aggregated.
How is Annex I, Part II different from Article 14?
Part II describes the ongoing capability the manufacturer must operate: SBOM, CVD policy, secure update distribution, free updates, regular testing. Article 14 describes the moments at which the manufacturer must NOTIFY ENISA and the CSIRT designated as coordinator — only when a vulnerability is actively exploited or an incident is severe. They are complementary: Part II is the standing process, Article 14 is the triggered notification.
What does ‘without delay’ mean in point (2)?
The regulation does not assign a fixed number of days. ‘Without delay’ is read in the context of the risk (Annex I, Part II, point 2 opens with ‘in relation to the risks posed’). For actively exploited vulnerabilities, the Article 14(2) clock — 24h early warning, 72h notification, 14 days for the final report once a corrective measure is available — effectively sets the upper bound of ‘without delay’ for the notification phase.
Does Annex I, Part II apply during the transitional period?
From 11 December 2027 in full for new products. For products placed on the market before that date, Article 69(2) carves out the substantive obligations — but Article 69(3) makes Article 14 reporting apply to all in-scope legacy products from 11 September 2026. The standing Part II capabilities are needed to support Article 14 notifications even for legacy products.
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.
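An added example (not the page's or CRACheck's own code) that encodes the Article 14(2) clock from the FAQ above together with the Article 13(9) availability rule: the 14-day final-report deadline runs from the moment a corrective measure is available, not from awareness, and Article 14 reporting only applies from 11 September 2026. The dates fed in are constructed; the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Figures stated on this page: Article 14 reporting applies from 11 September 2026;
# the Article 14(2) clock is 24h / 72h / 14 days; Article 13(9) keeps each security
# update available for 10 years after issuance or until the support period ends,
# whichever is longer.
ART14_APPLIES_FROM = datetime(2026, 9, 11, tzinfo=timezone.utc)
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=14)
UPDATE_RETENTION_YEARS = 10


def add_years(dt, years):
    """Calendar-accurate year addition (29 February falls back to 28 February)."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def article14_deadlines(aware_at, fix_available_at=None):
    """Deadlines for an actively exploited vulnerability.
    aware_at: when the manufacturer became aware (timezone-aware datetime).
    fix_available_at: when a corrective or mitigating measure became available;
    the final-report clock starts there, so it is None until a fix exists.
    Returns None if Article 14 reporting does not yet apply (Article 69(3))."""
    if aware_at < ART14_APPLIES_FROM:
        return None
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "notification": aware_at + NOTIFICATION,
        "final_report": None if fix_available_at is None else fix_available_at + FINAL_REPORT,
    }


def update_available_until(issued_at, support_period_end):
    """Article 13(9): the later of issuance + 10 years and the support period end."""
    return max(add_years(issued_at, UPDATE_RETENTION_YEARS), support_period_end)


if __name__ == "__main__":
    utc = timezone.utc
    aware = datetime(2026, 10, 1, 9, 0, tzinfo=utc)   # constructed
    fixed = datetime(2026, 10, 3, 12, 0, tzinfo=utc)  # constructed
    for name, when in article14_deadlines(aware, fixed).items():
        print(f"{name:14s} {when.isoformat()}")
    issued = datetime(2027, 1, 15, tzinfo=utc)
    support_end = datetime(2032, 1, 15, tzinfo=utc)   # 5-year minimum, Art. 13(8)
    print("update available until", update_available_until(issued, support_end).date())
```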

Close all 8 Annex I, Part II requirements in one dossier.

CRACheck produces the CVD policy (point 5), SBOM template (point 1), public advisory framework (point 4), and ENISA / CSIRT notification templates (Art. 14) — plus the technical-documentation entries for points 2, 3, 6, 7 and 8.
