Buyer's guide

What is a CRA Compliance Platform?

A CRA compliance platform handles the operational obligations that Regulation (EU) 2024/2847 places on every manufacturer of products with digital elements. This is a buyer's guide: what to look for, what to avoid, and how to know whether you actually need one.

The CRA in one paragraph

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on 10 December 2024. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and significant incidents affecting their products: an early warning within 24 hours of becoming aware, a detailed notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (actively exploited vulnerabilities) or one month after the 72-hour notification (significant incidents). Reports go through the single reporting platform to ENISA and the CSIRT designated as coordinator in the manufacturer's Member State. Manufacturers must also operate a coordinated vulnerability disclosure (CVD) process and publish a CVD policy under Article 13. From 11 December 2027 the full obligation set, including the conformity-assessment regime, applies.

What a platform replaces

Without a platform, the manufacturer typically pieces together a hosted policy page, a shared inbox, a spreadsheet for tracking acknowledgments, manual deadline reminders, and bespoke advisory documents. Each piece carries a low operational cost individually and a high coordination cost when a real incident lands. The point of a platform is to make the obligation set boring and repeatable.

Six criteria for a real CRA compliance platform

Use these to assess any platform you are evaluating, including CVD Portal.

1. Article 13 publication and single point of contact

A published CVD policy under your own brand, plus a contact channel that researchers can actually use. The platform should provide a whitelabel email address, a hosted policy page, and a structured submission form, and it should make it easy to reference that channel from a security.txt file (RFC 9116) served from your own domain, since that is where researchers look first.

2. Article 14 reporting cascade

Three-stage reporting to ENISA and the relevant national CSIRT: 24-hour early warning, 72-hour notification, and a final report (within 14 days of a corrective or mitigating measure being available for actively exploited vulnerabilities, within one month of the 72-hour notification for significant incidents). The platform should track each deadline with hard timers that start from the moment of awareness, not from the moment someone opens a ticket, and, ideally, submit directly to the ENISA single reporting platform. Check what happens when automated submission fails; the 24-hour clock does not stop because an API is down.

3. Audit-grade record keeping

Every intake, acknowledgment, status change, and report submission should be timestamped, attributable to a named user, and exportable. Regulators and notified bodies will ask for this trail, and so will you when reconstructing whether the 24-hour and 72-hour deadlines were met.

4. CSAF 2.0 advisory generation

Once a security update is available, the CRA requires the manufacturer to publish information about the fixed vulnerability (Annex I, Part II). The regulation does not prescribe a format; CSAF 2.0 is the de facto machine-readable standard. A compliant platform generates CSAF 2.0 documents and serves them from a discoverable location under your own domain, rather than handing you a PDF to upload somewhere.

5. EU data residency

Reports of actively exploited vulnerabilities in products sold in the EU are about as sensitive as security data gets. The CRA itself does not prescribe where that data is hosted, but keeping it inside the European Union by default removes a class of contractual and data-transfer questions. A compliant platform should do this without extra paperwork, and should tell you which provider and region it uses.

6. Researcher-friendly intake

Security researchers only file reports through a portal that is straightforward to use, accepts encrypted submissions (PGP at minimum), and offers safe-harbor language. Hostile or opaque intake forms get bypassed in favour of public disclosure.
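To make criterion 4 concrete, the following added example (written for this guide, not CVD Portal's own code) assembles a minimal CSAF 2.0 security advisory, checks the fields the Security Advisory profile requires, and derives the filename the CSAF distribution rules expect. The vendor, product, namespace and tracking ID are constructed placeholders, not real advisories.

```python
"""Minimal CSAF 2.0 security advisory: build it, check required fields, derive its filename.

Added example for this guide, not CVD Portal code. Vendor, product, namespace and
tracking ID below are constructed placeholders (assumptions), not real advisories.
"""
import json
import re
from datetime import datetime, timezone

# Paths the CSAF 2.0 Security Advisory profile requires: the csaf_base document
# fields plus /product_tree and, per vulnerability, notes and product_status.
REQUIRED_PATHS = [
    "document.category",
    "document.csaf_version",
    "document.publisher.category",
    "document.publisher.name",
    "document.publisher.namespace",
    "document.title",
    "document.tracking.current_release_date",
    "document.tracking.id",
    "document.tracking.initial_release_date",
    "document.tracking.revision_history",
    "document.tracking.status",
    "document.tracking.version",
    "product_tree",
    "vulnerabilities",
]


def _lookup(doc, dotted):
    """Walk a dotted path through nested dicts; None if any key is absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def missing_required(doc):
    """Return required paths that are absent or empty; [] means the skeleton is complete.
    Presence check only: run the official CSAF validator for full schema validation."""
    missing = [p for p in REQUIRED_PATHS if _lookup(doc, p) in (None, "", [], {})]
    for i, vuln in enumerate(doc.get("vulnerabilities") or []):
        for key in ("notes", "product_status"):
            if not vuln.get(key):
                missing.append(f"vulnerabilities[{i}].{key}")
    return missing


def csaf_filename(tracking_id):
    """CSAF 2.0 filename rule: lowercase the tracking ID, replace every character
    outside [+-a-z0-9] with '_', append '.json'."""
    return re.sub(r"[^+\-a-z0-9]", "_", tracking_id.lower()) + ".json"


def build_advisory(tracking_id, title, vendor, namespace, product, fixed_in,
                   description, released):
    """Assemble a version-1, status-final CSAF 2.0 advisory for one vulnerability
    fixed in `fixed_in`, marking earlier versions known_affected and `fixed_in` fixed."""
    ts = released.astimezone(timezone.utc).isoformat(timespec="seconds")
    slug = re.sub(r"[^a-z0-9]+", "-", product.lower()).strip("-")
    affected_id, fixed_id = f"{slug}-lt-{fixed_in}", f"{slug}-{fixed_in}"
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": vendor, "namespace": namespace},
            "title": title,
            "tracking": {
                "id": tracking_id,
                "status": "final",
                "version": "1",
                "initial_release_date": ts,
                "current_release_date": ts,
                "revision_history": [{"date": ts, "number": "1", "summary": "Initial release"}],
            },
        },
        "product_tree": {
            "branches": [{
                "category": "vendor", "name": vendor,
                "branches": [{
                    "category": "product_name", "name": product,
                    "branches": [
                        {"category": "product_version_range", "name": f"< {fixed_in}",
                         "product": {"name": f"{product} < {fixed_in}", "product_id": affected_id}},
                        {"category": "product_version", "name": fixed_in,
                         "product": {"name": f"{product} {fixed_in}", "product_id": fixed_id}},
                    ],
                }],
            }],
        },
        "vulnerabilities": [{
            # add "cve": "CVE-YYYY-NNNNN" here once an identifier has been assigned
            "title": title,
            "notes": [{"category": "description", "text": description}],
            "product_status": {"known_affected": [affected_id], "fixed": [fixed_id]},
        }],
    }


def example_advisory():
    """Constructed sample input (assumption) so the block runs offline."""
    return build_advisory(
        tracking_id="EXAMPLE-SA-2026-0001",
        title="Placeholder vulnerability fixed in firmware 2.4.1",
        vendor="Example Devices GmbH",
        namespace="https://example.invalid",
        product="Example Gateway firmware",
        fixed_in="2.4.1",
        description="Constructed placeholder description for this example.",
        released=datetime(2026, 9, 11, 9, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    advisory = example_advisory()
    print("missing:", missing_required(advisory))
    print("serve as:", csaf_filename(advisory["document"]["tracking"]["id"]))
    print(json.dumps(advisory, indent=2))
```

The check is deliberately a presence check, not schema validation; before publishing, run the output through the official CSAF 2.0 JSON schema validator. For distribution, CSAF expects the advisory files to be discoverable from a provider-metadata.json under /.well-known/csaf/ on the publisher's domain, which is the "serves them directly" part of the criterion.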

Frequently asked

What is a CRA compliance platform?
A CRA compliance platform is a software product that helps a manufacturer of products with digital elements meet the obligations of Regulation (EU) 2024/2847, the Cyber Resilience Act. The core obligations are Article 13 (a published CVD policy and a single point of contact for vulnerability reports), Article 14 (three-stage reporting of actively exploited vulnerabilities and significant incidents to ENISA and the relevant national CSIRT), and publishing information on fixed vulnerabilities once a security update is available (Annex I, Part II), for which CSAF 2.0 is the de facto machine-readable format.
When does the CRA take effect?
The CRA entered into force on 10 December 2024. The reporting obligations under Article 14 apply from 11 September 2026. The full obligation set, including conformity assessment, applies from 11 December 2027. Manufacturers should have their CVD policy and intake channel operational well before September 2026.
Who is in scope?
Any manufacturer, importer, or distributor placing a product with digital elements on the EU market, with the heaviest obligations falling on the manufacturer. This includes hardware with software, standalone software, and remote-data-processing solutions that are necessary for the product to function. Products already covered by sector-specific EU rules with equivalent requirements (for example medical devices and motor vehicles) are excluded. Otherwise the scope is broad, and most B2B and consumer connected products fall under it.
Do I need a paid platform if my product is simple?
Not necessarily. The CRA does not mandate a specific vendor; it mandates a process. A platform reduces the operational cost of meeting that process and provides the audit trail. For an SME with a single product line, a free-tier platform can cover the Article 13 baseline at no cost.
What happens if I do not have a CVD policy?
Once the obligations apply, non-compliance with the essential requirements or with Articles 13 and 14 carries administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. National market surveillance authorities can also order a product withdrawn from or kept off the market.
Is CVD Portal a CRA compliance platform?
Yes. CVD Portal is built specifically around the CRA Article 13 and Article 14 obligation set, with CSAF 2.0 advisory generation, EU data residency by default, and a free tier that covers the SME manufacturer baseline.

Try a CRA-native disclosure portal

Article 13 baseline at €0/month. Article 14 reporting built in. EU data residency by default. No card required to start.