Is the CVD policy the same as the Art. 14 ENISA notification?

No. The CVD policy under Article 13(6) is a standing document that describes how your organisation receives and handles vulnerability reports from external researchers. The Art. 14 notification is a specific report submitted to ENISA when you become aware of an actively exploited vulnerability. CRACheck generates both as separate documents.

Does the CVD policy need to be public?

Article 13(6) requires the policy to be in place. Best practice — and the expectation of most market surveillance authorities — is that the policy is publicly accessible so researchers can find it. CRACheck generates the policy document; you decide the publication channel.

Does ISO 29147 satisfy the CRA requirement?

ISO 29147 and ISO 30111 are relevant industry standards, but they do not map directly to Article 13(6) of Regulation (EU) 2024/2847. The CRA has specific requirements related to the technical documentation, ENISA reporting, and support period obligations that ISO standards do not cover. CRACheck structures the policy against CRA requirements.

What is the "safe harbour" for researchers?

The CRA does not explicitly create a legal safe harbour for security researchers, but Recital 75 of Regulation (EU) 2024/2847 acknowledges the importance of vulnerability research. Your CVD policy should state that you will not pursue legal action against researchers acting in good faith within the policy's scope.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 13(6) of Regulation (EU) 2024/2847 requires every manufacturer to have a coordinated vulnerability disclosure policy before placing the product on the EU market. The policy must define how external security researchers report vulnerabilities, how you triage them, and when you disclose. CRACheck generates a CRA-structured CVD policy as part of the 8-document compliance package.

A coordinated vulnerability disclosure policy is not optional under the CRA — it is a manufacturer obligation under Article 13(6). The policy must be in place before the product enters the EU market. It must cover reception of vulnerability reports, triage and verification procedures, remediation timelines, and disclosure coordination with reporters. CRACheck generates a CVD Policy document structured against Art. 13(6) as one of 8 CRA compliance documents. €149 per product. 15–25 minutes. 100% browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 13(6)

Manufacturer obligation to establish and enforce a coordinated vulnerability disclosure policy

24 hours

Early warning deadline to ENISA under Art. 14 after becoming aware of an actively exploited vulnerability

14 days

Final report deadline to ENISA under Art. 14, including root cause, affected products, and remediation status

How to build your CVD policy with CRACheck

Define scope

Specify which products and product versions the CVD policy covers. CRACheck maps your product portfolio to the policy scope.

Set reception channels

Indicate how researchers can submit vulnerability reports (email, web form, PGP-encrypted channel). CRACheck structures the contact information section.

Define triage and response timelines

Specify acknowledgment time, verification window, and remediation targets. CRACheck aligns these with the Art. 14 reporting deadlines (24h, 72h, 14 days).

Establish disclosure rules

Define coordinated disclosure timelines with the reporter, public disclosure triggers, and exceptions.

Generate the CVD Policy PDF

CRACheck outputs the policy document as one of 8 PDFs. The policy integrates with the Technical Documentation and the ENISA Notification Template.

Download full package

All 8 documents in a ZIP.

Common mistakes

❌

ART. 13(6)

"We have a security.txt file, so we're covered."

A security.txt file (RFC 9116) is a contact pointer. It is not a coordinated vulnerability disclosure policy. Article 13(6) of Regulation (EU) 2024/2847 requires a documented policy covering reception, triage, remediation, and disclosure — not just a contact address.

❌

ART. 13(6)

"Our bug bounty programme replaces the CVD policy."

A bug bounty programme incentivises vulnerability discovery. A CVD policy governs how discovered vulnerabilities are handled, triaged, and disclosed. They are different instruments. The CRA requires the policy. The bug bounty is optional.

❌

ART. 13(6)

"We'll publish the CVD policy after the product ships."

Article 13(6) states that manufacturers shall put in place a coordinated vulnerability disclosure policy. This obligation applies at the time of placing the product on the market — not retroactively.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines product category under Annex III / IV.

Technical Documentation

Art. 31 + Annex VII file that references the CVD policy.

Risk Assessment

Annex I risk assessment. Part II covers vulnerability handling processes.

User Information

Annex II. Includes the contact point for vulnerability reports.

Declaration of Conformity

Art. 28 + Annex V.

CVD Policy

The primary deliverable. Structured per Art. 13(6): scope, reception channels, triage process, response timelines, remediation commitments, coordinated disclosure procedure, and safe harbour statement for good-faith researchers.

Notification Template

Art. 14 ENISA notification template. Works in tandem with the CVD policy.

Obligations Calendar

Timeline including Art. 14 activation date (11 Sept 2026).

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SECURITY CONSULTANCY

CVD policy drafting — €3,000–€10,000

3–8 weeks

Produces one document

Does not include the other 7 CRA documents

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history