
Article 13(6) of Regulation (EU) 2024/2847 requires every manufacturer to have a coordinated vulnerability disclosure policy before placing the product on the EU market. The policy must define how external security researchers report vulnerabilities, how you triage them, and when you disclose. CRACheck generates a CRA-structured CVD policy as part of the 8-document compliance package.

A coordinated vulnerability disclosure policy is not optional under the CRA — it is a manufacturer obligation under Article 13(6). The policy must be in place before the product enters the EU market. It must cover reception of vulnerability reports, triage and verification procedures, remediation timelines, and disclosure coordination with reporters. CRACheck generates a CVD Policy document structured against Art. 13(6) as one of 8 CRA compliance documents. €149 per product. 15–25 minutes. 100% browser-side.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side


Key figures

Art. 13(6) — Manufacturer obligation to establish and enforce a coordinated vulnerability disclosure policy.
24 hours — Early warning deadline to ENISA under Art. 14 after becoming aware of an actively exploited vulnerability.
14 days — Final report deadline to ENISA under Art. 14, including root cause, affected products, and remediation status.

How to build your CVD policy with CRACheck

1. Define scope
Specify which products and product versions the CVD policy covers. CRACheck maps your product portfolio to the policy scope.

2. Set reception channels
Indicate how researchers can submit vulnerability reports (email, web form, PGP-encrypted channel). CRACheck structures the contact information section.

3. Define triage and response timelines
Specify acknowledgment time, verification window, and remediation targets. CRACheck aligns these with the Art. 14 reporting deadlines (24h, 72h, 14 days).

4. Establish disclosure rules
Define coordinated disclosure timelines with the reporter, public disclosure triggers, and exceptions.

5. Generate the CVD Policy PDF
CRACheck outputs the policy document as one of 8 PDFs. The policy integrates with the Technical Documentation and the ENISA Notification Template.

6. Download the full package
All 8 documents in a ZIP.

Common mistakes

ART. 13(6)

"We have a security.txt file, so we're covered."

A security.txt file (RFC 9116) is a contact pointer. It is not a coordinated vulnerability disclosure policy. Article 13(6) of Regulation (EU) 2024/2847 requires a documented policy covering reception, triage, remediation, and disclosure — not just a contact address.
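As an added illustration (not part of CRACheck's output or of the page's own material), the RFC 9116 file below does what the mistake above overlooks: it points to a CVD policy instead of standing in for one. The domain, addresses and URLs are placeholders.

```text
# security.txt per RFC 9116, served at https://example.com/.well-known/security.txt
# Constructed example; example.com and every URL below are placeholders.

# Required: where to send reports (several Contact lines are allowed, in order of preference)
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-report

# Required: after this date the file must be treated as stale; RFC 9116 recommends under a year
Expires: 2027-01-01T00:00:00.000Z

# Optional: key for encrypted reports (the "PGP-encrypted channel" the policy names)
Encryption: https://example.com/pgp-key.txt

# Optional: this is where the Art. 13(6) CVD policy lives; the file itself is only the pointer
Policy: https://example.com/security/cvd-policy

# Optional: languages the PSIRT accepts reports in, and the authoritative location of this file
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
```

Only Contact and Expires are mandatory under RFC 9116, so a file with just a mailbox is valid and still says nothing about reception, triage, remediation or disclosure. The document behind the Policy URL is what Art. 13(6) asks for; a practical check is that the Policy line resolves, the Expires date has not lapsed, and the contact channels listed match the reception channels the policy itself declares.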

ART. 13(6)

"Our bug bounty programme replaces the CVD policy."

A bug bounty programme incentivises vulnerability discovery. A CVD policy governs how discovered vulnerabilities are handled, triaged, and disclosed. They are different instruments. The CRA requires the policy. The bug bounty is optional.

ART. 13(6)

"We'll publish the CVD policy after the product ships."

Article 13(6) states that manufacturers shall put in place a coordinated vulnerability disclosure policy. This obligation applies at the time of placing the product on the market — not retroactively.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines product category under Annex III / IV.

2. Technical Documentation
Art. 31 + Annex VII file that references the CVD policy.

3. Risk Assessment
Annex I risk assessment. Part II covers vulnerability handling processes.

4. User Information
Annex II. Includes the contact point for vulnerability reports.

5. Declaration of Conformity
Art. 28 + Annex V.

6. CVD Policy
The primary deliverable. Structured per Art. 13(6): scope, reception channels, triage process, response timelines, remediation commitments, coordinated disclosure procedure, and safe harbour statement for good-faith researchers.

7. Notification Template
Art. 14 ENISA notification template. Works in tandem with the CVD policy.

8. Obligations Calendar
Timeline including Art. 14 activation date (11 Sept 2026).

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 SECURITY CONSULTANCY — CVD policy drafting: €3,000–€10,000 · 3–8 weeks · produces one document · does not include the other 7 CRA documents.

✓ CRACHECK — €149: CVD Policy + 7 additional documents · 15–25 minutes · 100% browser-side · 30-day editing window · 10 regenerations.

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

Documentation layer

CRACheck generates the CVD Policy per Art. 13(6), integrated with the Technical Documentation, Risk Assessment, ENISA Notification Template, and 4 additional CRA documents.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not do

CRACheck does not operate your PSIRT. It does not receive, triage, or respond to vulnerability reports on your behalf. It does not submit Art. 14 notifications to ENISA. The CVD policy is a document — executing it requires your security team.

The policy is the framework. CRACheck builds the framework. Your team operates within it.

Enforcement regime

🔴 Art. 64(1) — Up to €15,000,000 or 2.5%

For failure to meet manufacturer obligations under Art. 13, including the CVD policy requirement in Art. 13(6).

🟠 Art. 64(2) — Up to €10,000,000 or 2%

For non-compliance with vulnerability reporting obligations under Art. 14.

🟡 Art. 64(3) — Up to €5,000,000 or 1%

For providing incomplete or misleading information about vulnerability handling.

Alternatives

Criterion                    security.txt only       ISO 29147 template      Security consultancy    CRACheck
CRA Art. 13(6) compliance    No                      Partial (ISO ≠ CRA)     Yes, but slow           Yes, structured
Integration with CRA docs    None                    None                    Separate engagement     Built-in (8 docs)
Cost                         Free                    Free (template only)    €3K–€10K                €149
Time                         10 min (contact only)   1–2 weeks               3–8 weeks               15–25 min

CVD policies for a product portfolio?

If you maintain multiple products with different scopes, each needs its own CVD policy. Pack pricing: €99/product (10), €79/product (30).

Request volume pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured CVD Policy document according to Article 13(6) of Regulation (EU) 2024/2847 based on the information you enter. The accuracy of the contact details, response timelines, and scope declarations is your responsibility as the manufacturer.

We guarantee that the document structure follows Art. 13(6) requirements and that the legal references cited are correct. We do not guarantee that the policy will satisfy a market surveillance authority in a specific inspection.

CRACheck is not legal advice. For complex vulnerability disclosure scenarios, consult a qualified legal or security advisory firm.

Frequently asked questions

Is the CVD policy the same as the Art. 14 ENISA notification?
No. The CVD policy under Article 13(6) is a standing document that describes how your organisation receives and handles vulnerability reports from external researchers. The Art. 14 notification is a specific report submitted to ENISA when you become aware of an actively exploited vulnerability. CRACheck generates both as separate documents.
Does the CVD policy need to be public?
Article 13(6) requires the policy to be in place. Best practice — and the expectation of most market surveillance authorities — is that the policy is publicly accessible so researchers can find it. CRACheck generates the policy document; you decide the publication channel.
Does ISO 29147 satisfy the CRA requirement?
ISO 29147 and ISO 30111 are relevant industry standards, but they do not map directly to Article 13(6) of Regulation (EU) 2024/2847. The CRA has specific requirements related to the technical documentation, ENISA reporting, and support period obligations that ISO standards do not cover. CRACheck structures the policy against CRA requirements.
What is the "safe harbour" for researchers?
The CRA does not explicitly create a legal safe harbour for security researchers, but Recital 75 of Regulation (EU) 2024/2847 acknowledges the importance of vulnerability research. Your CVD policy should state that you will not pursue legal action against researchers acting in good faith within the policy's scope.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.
⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

Your CVD policy is one of 8 CRA documents. Generate all of them now.

CRACheck generates the CVD policy per Art. 13(6) plus 7 additional documents. €149 per product. Browser-side.

€149 one-time
8-document ZIP · 15–25 min · Art. 13(6) CVD policy · 100% browser-side
Generate CRA documentation — €149
✓ Last regulatory check: 1 May 2026 · No substantive changes detected