CRA Article 14 · Mandatory from 11 September 2026

Set up your vulnerability disclosure portal before the CRA deadline.

From 11 September 2026, manufacturers selling products with digital elements into the EU must handle vulnerability reports and notify authorities on fixed deadlines. Fines for non-compliance reach €15 million or 2.5% of global turnover. CVD Portal gives you a branded, audit-ready disclosure portal today.

Free CRA exposure scan

Is your domain exposed under the CRA?

Enter your domain to check whether it meets the Article 13 baseline disclosure expectation: a working security.txt and a discoverable coordinated vulnerability disclosure policy. Results in a few seconds, no signup.

Probes /.well-known/security.txt + 5 CVD policy paths. No data is shared with third parties. Up to 5 scans per hour.

What happens if you ignore it

The price of doing nothing is written into the law.

Fines

Up to €15 million or 2.5% of worldwide turnover

Breaching the essential cybersecurity obligations carries administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher (Art. 64).

Market access

Products can be restricted or pulled from the EU market

Market surveillance authorities can require corrective action, restrict availability, or prohibit a non-compliant product on the EU market.

Buyer pressure

Enterprise buyers ask for a published CVD process

Procurement and security teams increasingly require a documented coordinated vulnerability disclosure process before they sign.

The free plan receives and tracks reports. Article 14 filing is on Reporting. Here is what it includes.

Beyond disclosure

Disclosure is one obligation. The CRA asks manufacturers for the whole conformity journey.

Receiving and tracking vulnerability reports is free and covers your Article 14 duty. Classifying your products, assessing cybersecurity risk, meeting the Annex I requirements, and drawing up the EU Declaration of Conformity is the full self-assessment, and it runs in the same workspace on the Compliance plan.

1
Classify

Annex III / IV class and the Article 32 conformity route

2
Assess risk

STRIDE threat model with likelihood and impact scoring

3
Close the gaps

The Annex I essential requirements, tracked to remediation

4
Declare conformity

Technical file, EU Declaration of Conformity, CE marking

How it works

Live in three steps.

See the full walkthrough →
01

Create your portal

Register and get a branded disclosure portal on your own subdomain, with a CVD policy template ready to publish.

02

Customize it

Add your logo, set your acknowledgment SLA, and publish a PGP key so researchers can reach you securely.

03

Share and receive

Link your portal from security.txt and your website. Reports land in a dashboard with deadline tracking and an audit trail.

See the product

A working portal you can click through.

Researchers submit through a branded intake form with PGP support. Your team triages reports, tracks acknowledgment deadlines, and exports the evidence trail. Every report is logged from the moment it arrives. Try it on the portal of Aurelia Devices B.V., a fictional manufacturer running on CVD Portal.

CVD Portal dashboard showing the vulnerability register with CRA compliance status
THE FIVE CRA OBLIGATION AREAS

Everything the Cyber Resilience Act asks of a manufacturer

One workspace covering all five CRA obligation areas, from product classification and risk assessment through documentation, vulnerability handling, and authority reporting.

Report intake and acknowledgment are free. The self-assessment suite is on the Compliance plan.

Classification

Product Classification and Conformity Route

Answer the Annex III and IV questions for each product. The engine determines whether the product is default, important, or critical and which Article 32 conformity assessment route applies.

Annex III / IV classificationCompliance
Article 32 conformity routeCompliance
Assessment snapshots as point of recordCompliance
Risk Assessment

STRIDE Risk Assessment

A structured threat model per product with likelihood and impact scoring across 33 security objectives, feeding directly into the Annex I requirements work.

STRIDE threats with L×I scoringCompliance
33 security objectivesCompliance
Monitoring and review triggersCompliance
Annex I

Essential Requirements and Gap Analysis

Work through the 22-row Annex I essential requirements checklist. Gap analysis shows what is open and remediation guidance shows how to close it.

22-row Annex I checklistCompliance
Gap analysis and remediation guidanceCompliance
Assignment and delegation via magic linksCompliance
Documentation

Technical File and Declaration of Conformity

Draft artifacts clause by clause with AI assistance across 88 CRA clause artifacts, then generate the EU Declaration of Conformity, the Annex VII documentation index, and the Annex II user information sheet, with CE marking guidance.

AI drafting over 88 clause artifactsCompliance
EU Declaration of Conformity (Annex V)Compliance
Evidence management with AI control mappingCompliance
Vulnerability Handling

Disclosure Portal and Article 14 Reporting

A branded intake portal on your own subdomain with structured submissions, PGP, security.txt, and a full audit trail. Article 14 milestones to ENISA/CSIRT run on fixed deadlines with SRP-ready packages.

Branded portal, intake, 48h acknowledgmentFree
24h / 72h / final Article 14 reportsReporting
CSAF 2.0 export and SBOM managementReporting
Supply Chain and Scale

Partners, Trust Portal, and Integrations

Assess supply chain partners with CVD scanning, VEX, and SBOM matching. Share conformity documents with approved external viewers through a trust portal, with API access and SAML SSO.

Partner assessment (CVD scan, VEX, SBOM)Compliance
Trust portal for external viewersEnterprise
API access and SAML SSOEnterprise
COMPLIANCE CHECKLIST

Are You CRA Ready?

Loading...

Industry context

“Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.”

Nuno Rodrigues Carvalho, ENISA, Head of Sector, Incident & Vulnerability Services

EU buyers and market surveillance authorities increasingly expect manufacturers to show a documented CRA position. CVD Portal gives you a structured self-assessment, the technical file to back it, and a published disclosure process.

ISO 29147EN 40000-1-3CSAF 2.0EU HostedGDPR Compliant
EU Cyber Resilience Act Timeline
Read the full timeline →
Nov 2024

CRA Published

Regulation (EU) 2024/2847 enters into force

Sept 2026

Article 14 Reporting Begins

Vulnerability reporting obligations apply to products in scope

Dec 2027

Full Conformity Deadline

Annex I essential requirements, technical documentation, and CE marking apply

Simple, transparent pricing

See full pricing →
Free
€0forever

Receive, track, and acknowledge reports

Reporting
€99/mo

Article 14 authority filing + full CVD compliance

Compliance
€299/mo

CRA self-assessment through to the EU Declaration of Conformity

Enterprise
€1,499/mo

Compliance at scale, 25 CRA product assessments included, integrations, EUDI identity

Set up your disclosure portal before September 2026

A branded, audit-ready portal for manufacturers selling products with digital elements into the EU. Free to receive and track reports. Article 14 filing is on Reporting.