Set up your vulnerability disclosure portal before the CRA deadline.
From 11 September 2026, manufacturers selling products with digital elements into the EU must handle vulnerability reports and notify authorities on fixed deadlines. Fines for non-compliance reach €15 million or 2.5% of global turnover. CVD Portal gives you a branded, audit-ready disclosure portal today.
Free CRA exposure scan
Is your domain exposed under the CRA?
Enter your domain to check whether it meets the Article 13 baseline disclosure expectation: a working security.txt and a discoverable coordinated vulnerability disclosure policy. Results in a few seconds, no signup.
Probes /.well-known/security.txt + 5 CVD policy paths. No data is shared with third parties. Up to 5 scans per hour.
The price of doing nothing is written into the law.
Up to €15 million or 2.5% of worldwide turnover
Breaching the essential cybersecurity obligations carries administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher (Art. 64).
Products can be restricted or pulled from the EU market
Market surveillance authorities can require corrective action, restrict availability, or prohibit a non-compliant product on the EU market.
Enterprise buyers ask for a published CVD process
Procurement and security teams increasingly require a documented coordinated vulnerability disclosure process before they sign.
The free plan receives and tracks reports. Article 14 filing is on Reporting. Here is what it includes.
Beyond disclosure
Disclosure is one obligation. The CRA asks manufacturers for the whole conformity journey.
Receiving and tracking vulnerability reports is free and covers your Article 14 duty. Classifying your products, assessing cybersecurity risk, meeting the Annex I requirements, and drawing up the EU Declaration of Conformity is the full self-assessment, and it runs in the same workspace on the Compliance plan.
Annex III / IV class and the Article 32 conformity route
STRIDE threat model with likelihood and impact scoring
The Annex I essential requirements, tracked to remediation
Technical file, EU Declaration of Conformity, CE marking
Live in three steps.
Create your portal
Register and get a branded disclosure portal on your own subdomain, with a CVD policy template ready to publish.
Customize it
Add your logo, set your acknowledgment SLA, and publish a PGP key so researchers can reach you securely.
Share and receive
Link your portal from security.txt and your website. Reports land in a dashboard with deadline tracking and an audit trail.
A working portal you can click through.
Researchers submit through a branded intake form with PGP support. Your team triages reports, tracks acknowledgment deadlines, and exports the evidence trail. Every report is logged from the moment it arrives. Try it on the portal of Aurelia Devices B.V., a fictional manufacturer running on CVD Portal.

Everything the Cyber Resilience Act asks of a manufacturer
One workspace covering all five CRA obligation areas, from product classification and risk assessment through documentation, vulnerability handling, and authority reporting.
Report intake and acknowledgment are free. The self-assessment suite is on the Compliance plan.
Product Classification and Conformity Route
Answer the Annex III and IV questions for each product. The engine determines whether the product is default, important, or critical and which Article 32 conformity assessment route applies.
STRIDE Risk Assessment
A structured threat model per product with likelihood and impact scoring across 33 security objectives, feeding directly into the Annex I requirements work.
Essential Requirements and Gap Analysis
Work through the 22-row Annex I essential requirements checklist. Gap analysis shows what is open and remediation guidance shows how to close it.
Technical File and Declaration of Conformity
Draft artifacts clause by clause with AI assistance across 88 CRA clause artifacts, then generate the EU Declaration of Conformity, the Annex VII documentation index, and the Annex II user information sheet, with CE marking guidance.
Disclosure Portal and Article 14 Reporting
A branded intake portal on your own subdomain with structured submissions, PGP, security.txt, and a full audit trail. Article 14 milestones to ENISA/CSIRT run on fixed deadlines with SRP-ready packages.
Partners, Trust Portal, and Integrations
Assess supply chain partners with CVD scanning, VEX, and SBOM matching. Share conformity documents with approved external viewers through a trust portal, with API access and SAML SSO.
Are You CRA Ready?
Industry context
“Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.”
EU buyers and market surveillance authorities increasingly expect manufacturers to show a documented CRA position. CVD Portal gives you a structured self-assessment, the technical file to back it, and a published disclosure process.
CRA Published
Regulation (EU) 2024/2847 enters into force
Article 14 Reporting Begins
Vulnerability reporting obligations apply to products in scope
Full Conformity Deadline
Annex I essential requirements, technical documentation, and CE marking apply
Simple, transparent pricing
See full pricing →Receive, track, and acknowledge reports
Article 14 authority filing + full CVD compliance
CRA self-assessment through to the EU Declaration of Conformity
Compliance at scale, 25 CRA product assessments included, integrations, EUDI identity
What the New Joint CISA CVD Guidance Means for CRA Manufacturers
Five national cyber agencies published a joint guide on working with security researchers. It reads like a checklist for the CRA's vulnerability handling requirements. Here is the mapping, and what to do about each recommendation.
8 min readCRA ComplianceRunning a Bug Bounty Programme Alongside Your CVD Process
Bug bounties pay researchers for valid reports. The CRA does not require them, but it does require a coordinated vulnerability disclosure policy. Here is how the two approaches relate, what CRA Portal provides as the disclosure layer, and how AI triage keeps up when report volume grows.
8 min readCRA ComplianceAnnex II in Practice: The User Information the CRA Makes You Publish
Annex II of the Cyber Resilience Act prescribes the information and instructions every product with digital elements must ship with, from the vulnerability reporting contact to the support period end date. Here is each required item with practical examples, where the information must live, and the mistakes market surveillance will notice first.
8 min read