Article 13

Coordinated Vulnerability Disclosure Obligations for Manufacturers

Article 13 sets out the obligations of manufacturers of products with digital elements. Through Article 13(8) and the vulnerability handling requirements of Annex I Part II, it requires you to put in place and enforce a coordinated vulnerability disclosure (CVD) policy, provide a contact for reports, remediate without delay and publish information on fixed vulnerabilities. This is one of the most operationally significant obligations in the CRA, because it determines how you accept, process, and communicate about vulnerability reports from external security researchers.

Effective: Article 14 reporting obligations apply from 11 September 2026; the remaining manufacturer obligations, including the Annex I vulnerability handling requirements behind the CVD policy, apply from 11 December 2027
Applies to: All manufacturers placing products with digital elements on the EU market

What Article 13 Requires

Article 13 of the EU Cyber Resilience Act (Regulation (EU) 2024/2847) sets out the obligations of manufacturers. Article 13(8) requires you to handle vulnerabilities, for the whole support period, in accordance with the vulnerability handling requirements of Annex I Part II. For disclosure, that means you must:

  1. Put in place and enforce a CVD policy (Annex I Part II, point 5): a publicly accessible, documented process for how security researchers and others can report vulnerabilities in your products.
  2. Provide a reporting contact (point 6): a contact address for vulnerability reports, and measures that make it easy to share information about potential vulnerabilities in your product and in the third-party components it contains.
  3. Remediate without delay (points 2, 7 and 8): address vulnerabilities, including through security updates delivered over a secure update mechanism, without delay and free of charge, with advisory messages telling users what to do.
  4. Publish information on fixed vulnerabilities (point 4): once a security update is available, publicly disclose a description of the vulnerability, which products and versions are affected, the impact and severity, and how to remedy it. In duly justified cases publication may be delayed until users have had the chance to apply the patch.
  5. Report component vulnerabilities upstream (Article 13(6)): when you find a vulnerability in a third-party or open-source component of your product, report it to whoever manufactures or maintains that component, and remediate it in your product.

Acknowledging reports promptly and agreeing disclosure timing with the reporter are what a CVD policy is expected to deliver in practice (see ISO/IEC 29147), but the Regulation itself sets no acknowledgment deadline; its statutory clocks are the Article 14 notification deadlines for actively exploited vulnerabilities and severe incidents.

All of these obligations apply from the date you place a product on the EU market and run for the whole support period, which Article 13(8) sets at a minimum of five years unless the product is expected to be in use for a shorter time.

CRA reference: Article 13(6) and (8); Annex I Part II points (2), (4), (5), (6), (7) and (8)

The 48-Hour Acknowledgment Window

The Regulation does not put a number on how fast you must acknowledge a researcher's report: Annex I Part II only requires a CVD policy and a contact address, and ISO/IEC 29147 only recommends a prompt acknowledgment. A 48-hour acknowledgment is the service level this guide (and CVD Portal's default) recommends, and there is a statutory reason to run that tight: the Article 14 clocks start when you become aware of an actively exploited vulnerability or a severe incident, and a report sitting unread in a shared inbox does not stop them. From the moment a report arrives through any channel (email, your submission portal, a security researcher's direct contact), triage it and send an acknowledgment within 48 hours.

The acknowledgment does not need to confirm that the vulnerability is valid. It confirms receipt, tells the reporter who is handling the case, and starts your internal clock for triage. What does breach the Regulation is failing to remediate without delay, failing to publish once a fix is available, or missing an Article 14 notification, and an unacknowledged report is usually where those failures begin.

Practical implication: You need a monitored inbox, ticketing system, or dedicated vulnerability disclosure portal so that every report gets a timestamped receipt and an owner, and so that the moment you became "aware" for Article 14 purposes can be evidenced later.

CRA reference: Annex I Part II points (5) and (6); Article 14(2) and (4) for the statutory clocks
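As an added worked example (not code from the original page or from CVD Portal), here is how a triage queue can track the internal 48-hour acknowledgment SLA alongside the Article 14 clocks, including the point teams most often get wrong: the final-report clock for an actively exploited vulnerability runs from when the fix is available, not from awareness. The `Report` shape, case IDs and timestamps are constructed for the example.

```python
"""Track the clocks that run on a vulnerability report (example code, not CVD Portal's).

The 48-hour acknowledgment is this guide's recommended service level, not a CRA
deadline. The Article 14 clocks are statutory: an early warning within 24 hours and
a notification within 72 hours of becoming aware of an actively exploited
vulnerability or a severe incident, then a final report within 14 days of a
corrective measure being available (vulnerabilities) or within one month of the
notification (incidents).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACK_SLA = timedelta(hours=48)               # internal SLA, not a statutory deadline
EARLY_WARNING = timedelta(hours=24)         # Article 14(2)(a) and 14(4)(a)
NOTIFICATION = timedelta(hours=72)          # Article 14(2)(b) and 14(4)(b)
VULN_FINAL_REPORT = timedelta(days=14)      # Article 14(2)(c): from fix availability
INCIDENT_FINAL_REPORT = timedelta(days=30)  # Article 14(4)(c): one month after the notification

T0 = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Report:
    case_id: str
    received_at: datetime                   # when the report hit any of your channels
    actively_exploited: bool = False        # triggers Article 14(2)
    severe_incident: bool = False           # triggers Article 14(4)
    acknowledged_at: Optional[datetime] = None
    early_warning_at: Optional[datetime] = None
    notified_at: Optional[datetime] = None
    fix_available_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None


def open_clocks(r: Report) -> dict:
    """Return {clock_name: deadline} for every clock that is still running."""
    clocks = {}
    if r.acknowledged_at is None:
        clocks["ack_sla"] = r.received_at + ACK_SLA
    if r.actively_exploited or r.severe_incident:
        # Article 14 counts from awareness; an unread report in your inbox is awareness.
        if r.early_warning_at is None:
            clocks["art14_early_warning"] = r.received_at + EARLY_WARNING
        if r.notified_at is None:
            clocks["art14_notification"] = r.received_at + NOTIFICATION
        if r.final_report_at is None:
            if r.severe_incident and r.notified_at is not None:
                clocks["art14_final_report"] = r.notified_at + INCIDENT_FINAL_REPORT
            elif r.actively_exploited and r.fix_available_at is not None:
                clocks["art14_final_report"] = r.fix_available_at + VULN_FINAL_REPORT
    return clocks


def overdue(reports, now: datetime):
    """List (case_id, clock, hours_overdue) for every breached clock, worst first."""
    breached = []
    for r in reports:
        for name, deadline in open_clocks(r).items():
            if now > deadline:
                breached.append((r.case_id, name, (now - deadline).total_seconds() / 3600))
    return sorted(breached, key=lambda b: b[2], reverse=True)


def sample_queue():
    """Constructed sample cases for the example, not real reports."""
    return [
        Report("VDP-001", T0),                                         # nobody has touched it
        Report("VDP-002", T0, acknowledged_at=T0 + timedelta(hours=3)),
        Report("VDP-003", T0, actively_exploited=True,                 # early warning sent,
               acknowledged_at=T0 + timedelta(hours=1),                # 72-hour notification not
               early_warning_at=T0 + timedelta(hours=20)),
    ]


def sample_overdue(hours_after_t0: float):
    """Breached clocks in the sample queue, hours_after_t0 hours after the reports arrived."""
    return overdue(sample_queue(), T0 + timedelta(hours=hours_after_t0))


if __name__ == "__main__":
    for case, clock, hours in sample_overdue(96):
        print(f"{case}: {clock} overdue by {hours:.0f} h")
```

Run it four days after the reports arrived and it flags VDP-001 (never acknowledged, 48 hours past the SLA) ahead of VDP-003 (72-hour Article 14 notification missed by a day); VDP-003's final-report clock stays silent until a fix is available.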

What Your CVD Policy Must Cover

Your CVD policy is the public-facing document that explains your vulnerability disclosure process. The Regulation does not prescribe its contents, but a policy that a researcher can actually use includes at least:

  • Contact information: How to reach your security team (email, submission form, or both). Publish the same contact in a security.txt file at /.well-known/security.txt (RFC 9116), with a Policy field pointing at this CVD policy and an Expires date that you actually keep current.
  • Scope: Which products and versions are covered.
  • Process: What happens after you receive a report — acknowledgment timeline, triage, remediation, and disclosure.
  • Safe harbour: A commitment not to pursue legal action against researchers who act in good faith. The Regulation does not require this, but it is standard practice under ISO/IEC 29147 and without it many researchers will not report at all.
  • Disclosure timeline: When and how you will publicly disclose the vulnerability.

The CVD policy should be publicly accessible — typically linked from your product documentation, website, or security.txt file.

CRA reference: Annex I Part II points (5) and (6)
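Added example (not from the original page and not CVD Portal's code): a checker for the security.txt file that carries the contact and policy links, covering the RFC 9116 rules that most often break in practice (a missing or past Expires, a bare e-mail address instead of a mailto: URI, non-https links). The two sample files and the `FIXED_NOW` reference time are constructed for the example.

```python
"""Check a security.txt file against the RFC 9116 rules that matter for a CVD policy.
Example code for this page, not CVD Portal's; the sample files below are constructed."""
import re
from datetime import datetime, timedelta, timezone

AT_MOST_ONCE = ("expires", "preferred-languages")
# RFC 9116 requires https for web links in these fields
HTTPS_ONLY = ("canonical", "policy", "encryption", "acknowledgments", "hiring", "csaf")
CONTACT_URI = re.compile(r"^(mailto|tel|https):", re.IGNORECASE)
FIXED_NOW = datetime(2026, 9, 14, tzinfo=timezone.utc)   # constructed "now" for reproducible checks


def parse_security_txt(text):
    """Return {field_name_lowercased: [values]}; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of (level, message); an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append(("error", "Contact is required"))
    for c in contacts:
        if not CONTACT_URI.match(c):
            problems.append(("error", f"Contact must be a mailto:, tel: or https: URI, got {c!r}"))

    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(("error", f"{name} may appear only once"))

    expires = fields.get("expires", [])
    if not expires:
        problems.append(("error", "Expires is required; clients treat a file without it as stale"))
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("no time zone")
        except ValueError as exc:
            problems.append(("error", f"Expires is not an RFC 3339 date-time: {expires[0]!r} ({exc})"))
        else:
            if exp <= now:
                problems.append(("error", f"Expires {expires[0]} is in the past; reporters will not trust the contact"))
            elif exp > now + timedelta(days=365):
                problems.append(("warning", "Expires is more than a year out; RFC 9116 recommends less"))

    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if not value.lower().startswith("https://"):
                problems.append(("error", f"{name} must be an https:// URL, got {value!r}"))

    if "policy" not in fields:
        problems.append(("warning", "no Policy field: link the CVD policy so reporters find scope and disclosure rules"))
    return problems


GOOD = """\
# Constructed example for this page; example.com is not a real organisation
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2027-01-31T00:00:00Z
Policy: https://example.com/.well-known/cvd-policy
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
"""

STALE = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for level, message in check_security_txt(STALE, FIXED_NOW):
        print(f"{level}: {message}")
```

The CSAF field is the registered security.txt field that points at your CSAF provider metadata, so a reporter or scanner that finds the file also finds your machine-readable advisories.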

Coordinated Disclosure vs. Responsible Disclosure

Annex I Part II point (5) specifically requires a policy on coordinated vulnerability disclosure, not merely "responsible disclosure". The distinction matters:

  • Responsible disclosure traditionally means the researcher gives you time to fix the issue before going public, with the researcher setting the timeline.
  • Coordinated disclosure means both parties, you and the researcher, agree on the disclosure timeline and content, with a CSIRT able to mediate where needed. This is the term the CRA uses, and it is the same concept that Article 12 of the NIS2 Directive builds its CSIRT coordinator role around.

In practice, this means you must actively engage with researchers, not simply receive their reports and act unilaterally. If a researcher sets a 90-day deadline for public disclosure, you need to either fix the vulnerability, provide a workaround, or negotiate an extension — not ignore the deadline.

CRA reference: Annex I Part II point (5); NIS2 (Directive (EU) 2022/2555) Article 12

The Role of ENISA and National CSIRTs

The CRA does not give the European Union Agency for Cybersecurity (ENISA) or national Computer Security Incident Response Teams (CSIRTs) a role in your day-to-day handling of researcher reports. Their role is in the reporting and coordination layer around it:

  • Under Article 14, actively exploited vulnerabilities and severe incidents must be notified to the CSIRT designated as coordinator in your Member State and to ENISA, through the single reporting platform that ENISA operates under Article 16.
  • Under Article 15, manufacturers (and anyone else) may voluntarily notify other vulnerabilities, cyber threats and near misses to a CSIRT or ENISA.
  • CSIRTs are designated as coordinators for coordinated vulnerability disclosure under Article 12 of the NIS2 Directive, so where a reporter cannot reach you, or a vulnerability touches many vendors or critical infrastructure, a national CSIRT may step in as intermediary between you and the researcher.

ENISA also maintains the European vulnerability database (EUVD) established by Article 12(2) of NIS2. The CRA does not oblige you to register vulnerabilities there, but your advisories should carry a CVE identifier where one exists so that customers' tooling can correlate them with the EUVD, the NVD and scanner feeds.

CRA reference: Articles 14, 15 and 16; NIS2 (Directive (EU) 2022/2555) Article 12

CSAF Advisories

The Regulation does not name an advisory format. Annex I Part II point (4) says what an advisory must contain once a security update is available: a description of the vulnerability, information that lets users identify the affected product, the impact and severity, and clear information on how to remedy it. CSAF 2.0 (Common Security Advisory Framework, an OASIS standard) is the machine-readable JSON format in which large vendors and CSIRTs now publish exactly that information, and it is what enterprise customers increasingly expect alongside the human-readable advisory.

CSAF's value is that automated vulnerability management tools can ingest it without a human reading the advisory: the product_tree identifies products by stable identifiers, and each vulnerability entry carries the CVE, a summary note and a product_status that says which of those products are known_affected and which are fixed, so a customer's tooling can answer "am I affected, and what do I install" on its own. Publishing CSAF advisories alongside human-readable ones is increasingly expected by enterprise customers.

CVD Portal can automatically generate CSAF 2.0 advisories from your vulnerability tracking data.

CRA reference: Annex I Part II points (4) and (8)
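Added example (not from the original page, and not CVD Portal's generator): building the smallest CSAF 2.0 security advisory a consumer can act on, and linting the constraints that most often make CSAF ingestion fail (product ids referenced but never defined, a product listed under contradictory status groups, a tracking id with stray whitespace). The field names follow the OASIS CSAF 2.0 specification; the publisher, product ids, tracking id, CVE and summary are constructed placeholders.

```python
"""Build a minimal CSAF 2.0 security advisory and lint it. Example code for this page;
field names follow the OASIS CSAF 2.0 specification, all data below is constructed."""
import json
import re
from datetime import datetime, timezone

CVE_RE = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,}$")
# Groups allowed under vulnerabilities[].product_status; a product may sit in only
# one of the first four, the others (first_affected, last_affected, ...) qualify them.
STATUS_GROUPS = ("fixed", "known_affected", "known_not_affected", "under_investigation",
                 "first_affected", "first_fixed", "last_affected", "recommended")
EXCLUSIVE_GROUPS = STATUS_GROUPS[:4]


def build_advisory(advisory_id, title, publisher, products, cve, summary, fixed, affected, released):
    """publisher: (name, namespace URL); products: [(product_id, name)]; fixed/affected: product ids."""
    ts = released.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher[0], "namespace": publisher[1]},
            "title": title,
            "tracking": {
                "id": advisory_id, "status": "final", "version": "1",
                "initial_release_date": ts, "current_release_date": ts,
                "revision_history": [{"date": ts, "number": "1", "summary": "Initial publication"}],
            },
        },
        "product_tree": {"full_product_names": [{"product_id": pid, "name": name} for pid, name in products]},
        "vulnerabilities": [{
            "cve": cve,
            "notes": [{"category": "summary", "text": summary}],
            "product_status": {"fixed": list(fixed), "known_affected": list(affected)},
        }],
    }


def lint_advisory(doc):
    """Return a list of problems; an empty list means the document passes these checks."""
    problems = []
    d = doc.get("document", {})
    for key in ("category", "csaf_version", "publisher", "title", "tracking"):
        if key not in d:
            problems.append(f"document.{key} is required")
    if d.get("csaf_version") != "2.0":
        problems.append("document.csaf_version must be '2.0'")
    if not str(d.get("publisher", {}).get("namespace", "")).startswith(("http://", "https://")):
        problems.append("document.publisher.namespace must be a URL")
    tr = d.get("tracking", {})
    for key in ("id", "status", "version", "initial_release_date", "current_release_date", "revision_history"):
        if key not in tr:
            problems.append(f"document.tracking.{key} is required")
    tid = str(tr.get("id", ""))
    if not tid or tid != tid.strip():
        problems.append("document.tracking.id must be non-empty with no leading or trailing whitespace")
    if tr.get("current_release_date", "") < tr.get("initial_release_date", ""):
        problems.append("current_release_date precedes initial_release_date")
    if not tr.get("revision_history"):
        problems.append("document.tracking.revision_history needs at least one entry")
    for key in ("product_tree", "vulnerabilities"):   # required by the csaf_security_advisory profile
        if key not in doc:
            problems.append(f"{key} is required for a csaf_security_advisory")
    defined = {p["product_id"] for p in doc.get("product_tree", {}).get("full_product_names", [])}
    for i, v in enumerate(doc.get("vulnerabilities", [])):
        if "notes" not in v or "product_status" not in v:
            problems.append(f"vulnerabilities[{i}] needs notes and product_status")
        if "cve" in v and not CVE_RE.match(v["cve"]):
            problems.append(f"vulnerabilities[{i}].cve {v['cve']!r} is not a CVE id")
        placed = {}   # product_id -> exclusive group it was first seen in
        for group, ids in v.get("product_status", {}).items():
            if group not in STATUS_GROUPS:
                problems.append(f"vulnerabilities[{i}].product_status.{group} is not a CSAF status group")
            for pid in ids:
                if pid not in defined:
                    problems.append(f"vulnerabilities[{i}]: product_status references undefined product {pid!r}")
                if group in EXCLUSIVE_GROUPS:
                    if pid in placed:
                        problems.append(f"vulnerabilities[{i}]: {pid!r} is both {placed[pid]} and {group}")
                    placed[pid] = group
    return problems


def sample_advisory():
    """Constructed placeholder data; the product, tracking id, CVE and summary are not real."""
    return build_advisory(
        advisory_id="ACME-SA-2026-0001", title="Placeholder advisory for ACME Gateway",
        publisher=("ACME GmbH", "https://acme.example"),
        products=[("CSAFPID-0001", "ACME Gateway 3.1"), ("CSAFPID-0002", "ACME Gateway 3.2")],
        cve="CVE-2026-0001", summary="Placeholder summary text; a real advisory describes the issue here.",
        fixed=["CSAFPID-0002"], affected=["CSAFPID-0001"],
        released=datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc),
    )


def to_json(doc):
    """Serialise for publication; CSAF is plain JSON, conventionally one advisory per file."""
    return json.dumps(doc, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(to_json(sample_advisory()))
    print("lint:", lint_advisory(sample_advisory()) or "ok")
```

The lint is deliberately narrower than full schema validation (run the document through a CSAF validator before publishing), but it catches the errors that make a consumer silently mark nobody as affected: a product id that exists in product_status but not in product_tree, or the same product listed as both fixed and known_affected.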

How This Differs from ISO/IEC 29147

If your organisation already follows ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes), you are well-positioned for Article 13 compliance. The CRA's CVD requirements largely align with these international standards.

  • The CRA adds statutory clocks where ISO 29147 only recommends response times: Article 14 requires an early warning within 24 hours and a notification within 72 hours of becoming aware of an actively exploited vulnerability, whereas ISO 29147's guidance on the initial response points to acknowledging reports within seven calendar days.
  • The CRA ties non-compliance to market access: market surveillance authorities can require non-compliant products to be brought into conformity, withdrawn from the EU market or recalled.
  • The CRA introduces mandatory reporting of actively exploited vulnerabilities and severe incidents to CSIRTs and ENISA (see Article 14); ISO 29147 has no equivalent.

Following ISO 29147 and ISO 30111 can serve as evidence of conformity with the Annex I vulnerability handling requirements, but the statutory requirements still apply.

CRA reference: Article 13(8), Article 14, Annex I Part II

CVD Portal helps you comply with Article 13 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.

Start your free portal

Frequently asked

Does Article 13 apply to open-source software?

Open-source software that is not made available on the market in the course of a commercial activity is outside the CRA's scope. Open-source components integrated into a commercial product are covered through the manufacturer of the end product, who must exercise due diligence when integrating them (Article 13(5)) and report any vulnerability found in them to the component's maintainer (Article 13(6)). Open-source software stewards (legal persons, such as foundations, that systematically support the development of open-source products intended for commercial use) have a lighter regime under Article 24: a documented cybersecurity policy covering vulnerability handling, and cooperation with market surveillance authorities, rather than the full manufacturer obligations.

What qualifies as a 'product with digital elements'?

A software or hardware product, together with the remote data processing solutions it needs to perform its functions, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Articles 2(1) and 3(1)). This includes IoT devices, consumer electronics, industrial control systems, routers, smart appliances, and stand-alone software. Pure SaaS and cloud services are not themselves products with digital elements (they fall under NIS2), but a cloud back end without which a device or application cannot perform one of its functions is in scope as part of that product.

Can I use a third-party bug bounty platform to meet Article 13?

Yes. A bug bounty platform can serve as your reporting channel and contact address, but you still need a publicly accessible CVD policy explaining the process, and the contact should ideally be usable without creating a platform account. The 48-hour acknowledgment recommended in this guide is an internal service level rather than a statutory clock, but the platform must still give you timestamped, exportable records of when each report arrived and who handled it: those timestamps are your evidence of when you became aware of a vulnerability for Article 14 purposes and of the remediation timeline for the Annex I requirements.

What is the penalty for not having a CVD policy?

Non-compliance with the Annex I essential requirements or with the obligations in Articles 13 and 14 can be fined under Article 64(1) with up to EUR 15 million or 2.5 % of total worldwide annual turnover for the preceding financial year, whichever is higher. National market surveillance authorities, who enforce the Regulation, can also require corrective action and order non-compliant products to be restricted, withdrawn or recalled (Article 54).

Do I need a separate CVD policy for each product?

No — a single, company-level CVD policy covering all your products is acceptable, provided it clearly describes how to report vulnerabilities in each product (or references product-specific contact points). Many manufacturers use a single policy with product-specific scope sections.

Need a CVD policy that satisfies Article 13?

Download a free CRA-compliant template and deploy it in minutes.

Browse templates →