Blackfort TechnologyBlackfort Technology

Vulnerability Handling, Reporting & CVD under the CRA

Blackfort Technology · Cyber Resilience Act knowledge

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

The Cyber Resilience Act (Regulation (EU) 2024/2847) does not just require manufacturers to build their products securely once; it requires them to keep them secure throughout the entire support period. Two sets of duties interlock here: the ongoing vulnerability handling under Annex I Part II and the short-fuse reporting obligation under Art. 14. This article explains both – and sharpens the one point where most mistakes happen: the reporting cadence. It is general technical and organisational guidance, not legal advice.

The costliest misconception first: the final report has two different deadlines. For actively exploited vulnerabilities: ≤ 14 days after a fix is available. For severe incidents: within one month of the notification. Never say „14 days for both“ – that is the single most common error in practice.

Part 1 – Vulnerability handling (Annex I Part II)

Annex I Part II describes what a manufacturer must do continuously throughout the support period. It is not a document but a lived process. The core duties:

  • Identify & document. Systematically record the product's vulnerabilities and components – including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies. The CRA mandates no specific format; established formats such as CycloneDX, SPDX or SWID satisfy the requirement (this is guidance, not statutory text). More in our article on SBOM requirements under the CRA.
  • Remediate without delay. Close vulnerabilities without delay via security updates. Where feasible, separate security updates from feature updates, so a pure security fix does not have to wait on a feature release.
  • Test & review regularly. Verify the effectiveness of the security measures through regular tests and reviews.
  • Disclose publicly. Disclose fixed vulnerabilities once an update is available – with information that lets users apply the fix.
  • Enforce a CVD policy. A coordinated vulnerability disclosure (CVD) policy is mandatory – not optional. It governs how third parties can report vulnerabilities and how the manufacturer handles them.
  • Provide a contact address. Publish a reachable contact address for reporting vulnerabilities.
  • Update securely & free of charge. Distribute updates securely, make them available without delay and – for security updates – free of charge.

Why this matters now: these processes are also building blocks of the technical documentation (Annex VII). The SBOM, the CVD policy and update distribution are carried there too – build them early and you get double value later.

Part 2 – Reporting obligation (Art. 14)

Beyond ongoing handling, Art. 14 requires short-fuse reporting to the coordinating CSIRT (designated under Art. 15) and to ENISA – handled via the Single Reporting Platform (Art. 16). There are two triggers:

  1. Actively exploited vulnerabilities in a product with digital elements.
  2. Severe incidents that affect the security of the product.

The same three-stage cascade applies to both triggers – but the final report follows a different deadline depending on the trigger. That is exactly where the trap lies.

The cadence at a glance

StageActively exploited vulnerabilitySevere incident
Early warningwithin 24 hours of becoming awarewithin 24 hours of becoming aware
Notificationwithin 72 hourswithin 72 hours
Final report≤ 14 days after a fix is availablewithin one month of the notification

The 24-hour early warning and the 72-hour notification are identical for both triggers. Only the final report diverges: for a vulnerability the deadline is anchored to the availability of the fix (≤ 14 days after), for an incident to the notification itself (one month after). Confusing these two reference points means reporting at the wrong time.

From when, and for which products?

The Art. 14 reporting obligation applies from 11 September 2026. It expressly also covers products already on the market – not just new developments. The Single Reporting Platform is targeted to be operational by that date. Broader context on the deadlines is in our article on the CRA reporting obligation from September 2026.

Small enterprises: under Art. 64, microenterprises and small enterprises cannot be fined for missing the Art. 14 reporting deadlines. The substantive expectation to handle vulnerabilities responsibly is unaffected – this does not exempt anyone from vulnerability handling itself.

How handling and reporting work together

The two sets of duties are not a contradiction but two ends of the same process. Ongoing vulnerability handling (Annex I Part II) provides the detection and response capability; the reporting obligation (Art. 14) kicks in the moment a vulnerability is actively exploited or a severe incident occurs. A working CVD policy and a monitored contact address are the bridge: they ensure that a vulnerability reported from outside can quickly trigger the internal cascade. Without this foundation, the 24-hour early warning becomes practically unreachable.

„Prepare now“ – checklist

The following steps are general organisational and technical guidance, not legal advice:

  • Draft and publish a CVD policy – including a reachable, monitored contact/reporting address for vulnerabilities.
  • Build an SBOM in a commonly used, machine-readable format (at least top-level dependencies) and integrate it into the build process.
  • Separate security from feature updates where technically feasible, so security fixes can ship quickly and free of charge.
  • Define a reporting process for the Single Reporting Platform – responsibilities, escalation paths and a workflow that realistically meets the 24h/72h deadlines.
  • Document both final-report deadlines: 14 days (after a fix is available, vulnerability) and one month (after notification, incident) – as separate playbooks.
  • Rehearse the cascade. Run a tabletop exercise so that 24 hours is not the first time you practise under pressure.
  • Include existing products. The reporting obligation also covers products already shipped – check which of them are still within the support period.
  • Set the support period (at least 5 years or the expected use time) – it defines how long handling and reporting apply.

Whether and to what extent your products are affected is best clarified first with the applicability check. Only once you know which products are in scope is it worth building the processes described here.

The relevant references: vulnerability handling in Annex I Part II; the reporting obligation in Art. 14; the coordinating CSIRT in Art. 15; the Single Reporting Platform in Art. 16; the underlying manufacturer duties in Art. 13. For the exact wording, the Official Journal text always governs.

Frequently asked questions

What deadlines apply to the CRA reporting obligation?
A three-stage cascade applies: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report. The final report has two different deadlines depending on the trigger: for actively exploited vulnerabilities ≤ 14 days after a fix is available, and for severe incidents within one month of the notification.
Is the 14-day deadline the same for vulnerabilities and incidents?
No. This is the most common mix-up. The 14-day deadline applies only to actively exploited vulnerabilities and runs from when a fix is available. For severe incidents a one-month deadline applies instead, running from the notification.
From when does the CRA reporting obligation apply – also to older products?
The Art. 14 reporting obligation applies from 11 September 2026. It expressly also covers products already on the market, not just new developments. The Single Reporting Platform is targeted to be operational by that date.
Is a CVD policy mandatory under the CRA?
Yes. Annex I Part II requires manufacturers to enforce a coordinated vulnerability disclosure (CVD) policy. This includes a reachable contact address through which third parties can report vulnerabilities. Both are mandatory, not optional.
Does the CRA mandate a specific SBOM format?
No. Annex I Part II requires an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies – but names no specific format. Established formats such as CycloneDX, SPDX or SWID satisfy the requirement; this is guidance, not statutory text. The Commission may specify a format later but has not done so yet.

Let's talk about your CRA readiness

Unsure whether your products fall under the CRA reporting obligation and how to set up the 24h/72h cascade in practice? Start with the applicability check – Blackfort Technology supports you in building vulnerability handling, a CVD policy and a reporting process.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.