Three legal artifacts.
One deadline.
EN 18031 requires three documented artifacts before 11 September 2026. CVD Portal gives you all three out of the box — with the paper trail already running from day one.
Public Intake Channel
You must have a legally published, machine-readable way for researchers and users to reach you with vulnerability reports. The address must appear in product documentation. Without it, you have no safe harbour if a zero-day surfaces publicly before you hear about it.
Deployed the moment you sign up
No configuration required.
Branded submission portal
yourcompany.cvdportal.com/submit — live, public, and accessible without an account
Machine-readable security.txt
RFC 9116-compliant at /.well-known/security.txt — satisfies the machine-readable requirement directly
Published CVD policy
Scope, safe-harbor clause, severity SLAs, and contact details — at /security and linked from security.txt
Your one action
Add the policy URL to your product documentation or packaging.
Internal Triage Playbook
You must have documented rules for who verifies a report and who is responsible for filing the ENISA notification before the 24-hour clock expires. The standard does not require a specific format — it requires evidence that you have a process and named people.
Infrastructure active — add named contacts in under 2 minutes
Two text fields in your dashboard.
48h SLA tracking
Dashboard breach alerts fire the moment a submission goes unacknowledged past 48 hours
Coordinator assignment
Assign any team member to a submission — creates the named-responsible-person record the standard requires
One-click Article 14 notification
24h early warning, 72h full notification, and 14-day final report — pre-filled from submission data, CVSS scoring, and your SBOM
Your one action
Document your triage lead and ENISA filer in the September 2026 readiness checklist — two fields, done.
Paper Trail
You need proof that you evaluated each report and made a deliberate decision on whether it triggered the reporting clock. Records must be retained for a minimum of 10 years under CRA Article 14(8). The paper trail is what regulators examine after the fact.
Automatic — every action logged from day one
Nothing to configure.
Immutable audit log
Actor, timestamp (millisecond precision), IP address, country, and action type — append-only, no edits possible
Per-submission communication log
Every interaction with researcher, upstream maintainer, or ENISA is recorded with date, recipient, channel, and summary
ENISA export and CSAF advisory
Download your Article 14 payload (JSON) or CSAF 2.0 advisory (machine-readable) directly from the submission view
Your one action
Confirm your retention policy covers 10 years — one checkbox in the readiness checklist.
2026 is about awareness, not SBOMs.
You will not be fined for lacking an SBOM. The three artifacts above are what the law actually requires by September 2026.
The risk is subtler. If a zero-day drops for a library you use, and you have no SBOM telling you that you use it, you stay blissfully unaware. You pay no penalty for that ignorance — until a national CSIRT publicly names your product as affected.
At that point you are officially aware. The 24-hour clock starts. You have exactly 24 hours to file the Article 14 early warning — using the triage playbook and paper trail you set up above.
The SBOM does not satisfy the three required artifacts. But without it, you may never know you needed to use them.
Ready in under five minutes.
Sign up, verify your email, and your public intake channel is live. Your paper trail starts immediately. The triage playbook takes two fields to complete.
Start free — no card required
Questions? Talk to us · Regulatory context at /cra