In a recent Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, addressed three questions that matter directly to EU manufacturers: what the near-collapse of the CVE program revealed, how the Cyber Resilience Act creates new accountability, and why vulnerability disclosure has shifted from liability to competitive advantage.
This post maps his statements against what manufacturers selling products in the EU market need to understand ahead of the September 2026 enforcement deadline.
The CVE Funding Scare: What It Revealed About Infrastructure Fragility
When MITRE's contract with CISA came close to lapsing earlier this year, it exposed something that practitioners have known for some time: the global vulnerability identification ecosystem depends on a single operational backbone, with no distributed fallback if that backbone fails.
Carvalho was direct about the EU's response:
“A stronger model would preserve the integrity of the shared CVE backbone while distributing responsibilities across trusted actors that can contribute capacity, services, and operational support. From ENISA's perspective, we are ready to contribute to the programme while, in parallel, continuing to build a European vulnerability services capacity.”
In practice, this means ENISA is building out the European Vulnerability Database (EUVD) not as a replacement for the CVE program, but as a parallel, interoperable layer that adds resilience. For manufacturers, this has a practical implication: enrichment data for any given vulnerability may now come from multiple authoritative sources, each offering different context.
Carvalho described how practitioners should navigate this: CVE IDs provide consistency and a common reference point. Vendor advisories provide remediation guidance. National CSIRTs and ENISA provide operational context specific to EU threats and sectors. CVD Portal supports all three layers — live EUVD data for EU-first enrichment, NVD as secondary fallback, and national CSIRT routing built into the Article 14 escalation workflow.
The CRA: What Enforcement Actually Looks Like
Carvalho outlined the enforcement levers emerging through the CRA, which are more specific than many manufacturers realise:
- 24-hour early warning to the Single Reporting Platform (SRP) upon awareness of an actively exploited vulnerability
- 72-hour detailed notification covering technical scope and severity
- Follow-up final report within 14 days (vulnerabilities) or 30 days (significant incidents)
The SRP — operated by ENISA — is currently in pilot phase, with full operation expected before September 2026. These are not aspirational obligations. They are enforceable requirements that, from the date they take effect, apply to products already on the EU market.
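To make the three reporting windows above concrete, here is a small deadline tracker written for this post (it is not CVD Portal's code and not an official ENISA tool). It assumes every window is measured from the awareness timestamp, as the text above puts it, and that a case is either an actively exploited vulnerability (14-day final report) or a significant incident (30-day final report); the case data is constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting windows as summarised above; assumed to run from first awareness.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = {"vulnerability": timedelta(days=14), "incident": timedelta(days=30)}
STAGES = ("early_warning", "notification", "final_report")


@dataclass
class Article14Case:
    case_id: str
    kind: str                      # "vulnerability" or "incident"
    aware_at: datetime             # timezone-aware moment of first awareness
    submitted: dict = field(default_factory=dict)  # stage -> datetime sent to SRP

    def __post_init__(self):
        if self.kind not in FINAL_REPORT:
            raise ValueError(f"unknown case kind: {self.kind}")
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    def deadlines(self) -> dict:
        """Absolute SRP deadline for each reporting stage."""
        return {
            "early_warning": self.aware_at + EARLY_WARNING,
            "notification": self.aware_at + NOTIFICATION,
            "final_report": self.aware_at + FINAL_REPORT[self.kind],
        }

    def status(self, now: datetime) -> dict:
        """Per-stage state: on_time / late (submitted) or pending / overdue (not yet)."""
        result = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is None:
                result[stage] = "overdue" if now > due else "pending"
            else:
                result[stage] = "late" if sent > due else "on_time"
        return result

    def hours_remaining(self, stage: str, now: datetime) -> float:
        """Hours left until the stage's deadline (negative once it has passed)."""
        return (self.deadlines()[stage] - now) / timedelta(hours=1)


# Constructed sample: awareness on 2026-09-11 10:00 UTC, early warning sent at +20h.
AWARE = datetime(2026, 9, 11, 10, 0, tzinfo=timezone.utc)
SAMPLE = Article14Case("case-0001", "vulnerability", AWARE,
                       {"early_warning": AWARE + timedelta(hours=20)})
```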
Carvalho noted that the CRA is expected to trigger “an increased attention in vulnerability management from the producer of digital products and improve current practice in regards to reporting severity and disclosure.” The enforcement mechanism is market surveillance: manufacturers who cannot demonstrate a functioning vulnerability handling process are exposed not just to fines, but to product withdrawal.
NIS2 vs. CRA: The Distinction That Matters
One of the most practically important points Carvalho made concerns NIS2, which is widely misunderstood in the context of vulnerability disclosure:
“It's worth noting there is no obligation for organisations (producers or NIS2 entities). The obligation is on the CSIRT to receive information.”
NIS2 normalises coordinated vulnerability disclosure as governance practice — it requires CSIRTs to have structured processes to receive and coordinate reports. But it does not mandate that organisations submit vulnerability reports to authorities. That obligation comes from the CRA.
For manufacturers, the practical consequence is this: if you manufacture a product with digital elements that is sold in the EU, the CRA is your primary obligation. NIS2 may also apply if your organisation operates critical infrastructure or essential services, but CVD policy under NIS2 is an organisational governance requirement, not a product-level reporting cascade.
Vulnerability Disclosure as a Selling Point
The most striking part of Carvalho's interview, from a market positioning perspective, was this:
“Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.”
This is not framing from a marketing team. It is the stated view of the senior ENISA official responsible for European vulnerability services. The implication is significant: manufacturers who have functioning CVD infrastructure, who acknowledge researcher reports promptly, who coordinate disclosure professionally, now have a demonstrable differentiator in procurement and enterprise sales conversations.
The inverse is also true. Organisations that treat CVD as a compliance formality — a static policy page with no operational backing — will increasingly face scrutiny from buyers who have learned to ask about it.
What This Means in Practice
The picture Carvalho described is one where EU vulnerability infrastructure is maturing rapidly, regulatory accountability for manufacturers is becoming concrete, and the cultural shift from defensive to proactive disclosure is accelerating.
For manufacturers with products on the EU market, September 2026 is not a distant regulatory milestone. It is the date on which Article 14 reporting becomes enforceable against products already shipped. The infrastructure question — intake process, triage authority, report templates, SRP access, audit trail — needs to be resolved before that date, not after.
CVD Portal provides the complete Article 13 and 14 compliance stack as a service, free to get started: branded vulnerability disclosure portal, 48-hour acknowledgment tracking, CVSS triage workflow, ENISA-aligned report generation, CSAF 2.0 advisory output, and full audit trail. The goal is to make the infrastructure question a non-issue, so that manufacturers can focus on the process question — which is the one that actually matters when a researcher finds something real.